Analysis
max time kernel: 145s
max time network: 116s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/05/2025, 08:50
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
  Resource: win11-20250502-en
General
Target: JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
Size: 566KB
MD5: 04790caa27d1509760e7198453a9e020
SHA1: c1ff34dcb140247a58ae426451ec4e756d5e028c
SHA256: 765b9de605acc7bf32215d7f7a78f68fada8330839a9c4d89be685eb8e8c1f2e
SHA512: 46a0a3a84df09ae86d22a5bee8ef11d6c9ff0f89ca08eba6bab60cde11476b496738d6aacde0b7ba761db41bbce9427912b9b54bc87983f5687443dc157af2f0
SSDEEP: 12288:HMiJ2HX6uWbMmEZ/HGb4x5fvpG/sQ1XUwBI6aUVPM:K36ufb84x5pG/9zBZxM
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1178639776-3244803473-3821071008-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(this entry is listed 64 times in the report)
UAC bypass (3 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(this entry is listed 64 times in the report)
Renames multiple (54) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE (5 IoCs)
pid | Process
3400 | rCoAEokY.exe
5880 | kuUggYsc.exe
4948 | mUUgMQIE.exe
3628 | rCoAEokY.exe
5056 | kuUggYsc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1178639776-3244803473-3821071008-1000\Software\Microsoft\Windows\CurrentVersion\Run\rCoAEokY.exe = "C:\\Users\\Admin\\xOUgoYAs\\rCoAEokY.exe" | rCoAEokY.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kuUggYsc.exe = "C:\\ProgramData\\eGIUckQM\\kuUggYsc.exe" | mUUgMQIE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1178639776-3244803473-3821071008-1000\Software\Microsoft\Windows\CurrentVersion\Run\rCoAEokY.exe = "C:\\Users\\Admin\\xOUgoYAs\\rCoAEokY.exe" | rCoAEokY.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kuUggYsc.exe = "C:\\ProgramData\\eGIUckQM\\kuUggYsc.exe" | kuUggYsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1178639776-3244803473-3821071008-1000\Software\Microsoft\Windows\CurrentVersion\Run\rCoAEokY.exe = "C:\\Users\\Admin\\xOUgoYAs\\rCoAEokY.exe" | JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kuUggYsc.exe = "C:\\ProgramData\\eGIUckQM\\kuUggYsc.exe" | JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kuUggYsc.exe = "C:\\ProgramData\\eGIUckQM\\kuUggYsc.exe" | kuUggYsc.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\YIEu.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\Qsca.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\eMsI.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\mMkC.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\ysAe.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\aKcI.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\YIEu.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\YIwM.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\CAcE.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\sYEU.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\SMUU.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\Socw.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\sheUnregisterCompare.rar | kuUggYsc.exe
File created | C:\Windows\SysWOW64\QoQk.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\CkAc.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\eAQE.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\yUQy.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\GoMK.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\asgU.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\MYkk.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\OaoU.ico | kuUggYsc.exe
File created | C:\Windows\SysWOW64\csIA.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\skIG.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\mksQ.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\mksQ.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\GEUy.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\QwMM.ico | kuUggYsc.exe
File created | C:\Windows\SysWOW64\Uscs.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\sYEU.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\AMgQ.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\gsQk.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\CAgk.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\Qkcm.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\xOUgoYAs\rCoAEokY | mUUgMQIE.exe
File opened for modification | C:\Windows\SysWOW64\WQkW.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\oqQs.ico | kuUggYsc.exe
File created | C:\Windows\SysWOW64\csgu.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\QAMI.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\EacA.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\SIQg.ico | kuUggYsc.exe
File created | C:\Windows\SysWOW64\cgAU.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\GEUy.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\GoMK.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\WQkW.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\sGso.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\GcME.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\uAIs.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\yock.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\iQwU.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\MuII.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\SYck.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\MIAs.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\wysk.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\KYEQ.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\eyUA.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\uAkc.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\Msse.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\aUgg.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\aAEm.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\KgAu.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\KcYK.exe | kuUggYsc.exe
File created | C:\Windows\SysWOW64\yoYW.exe | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\WWss.ico | kuUggYsc.exe
File opened for modification | C:\Windows\SysWOW64\McMA.ico | kuUggYsc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64 events; opening process, in report order: cmd.exe, cscript.exe, cscript.exe, reg.exe, reg.exe, reg.exe, cmd.exe, cmd.exe, cmd.exe, rCoAEokY.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, cmd.exe, cmd.exe, reg.exe, cscript.exe, cmd.exe, cmd.exe, reg.exe, reg.exe, reg.exe, cmd.exe, cscript.exe, reg.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, reg.exe, cmd.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cscript.exe, reg.exe, reg.exe, cmd.exe, reg.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, reg.exe, cmd.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cscript.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cscript.exe, reg.exe, reg.exe, cmd.exe, reg.exe, cscript.exe, cmd.exe, reg.exe, reg.exe, reg.exe, reg.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cmd.exe, cmd.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, reg.exe, reg.exe, reg.exe, kuUggYsc.exe
(per process: reg.exe 29, cmd.exe 16, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe 9, cscript.exe 8, rCoAEokY.exe 1, kuUggYsc.exe 1)
Modifies registry key (1 TTP, 64 IoCs)
pid | Process
64 events, all reg.exe; PIDs in report order: 3356, 2336, 5820, 3308, 1748, 3712, 3416, 6120, 3884, 5500, 5376, 1880, 2540, 1748, 3608, 1444, 5644, 660, 3128, 6096, 6040, 2952, 6080, 5796, 3144, 5568, 5752, 3052, 2432, 3956, 4176, 3828, 2404, 5728, 2248, 4072, 1016, 4824, 4428, 4472, 1604, 780, 6060, 3428, 660, 2456, 4352, 2584, 5812, 2936, 4836, 1740, 2296, 3880, 3568, 5008, 3096, 660, 4544, 3500, 2224, 3472, 3904, 788
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
64 events, all JaffaCakes118_04790caa27d1509760e7198453a9e020.exe; each of the following PIDs is listed four times, in report order: 3364, 2436, 1436, 896, 1016, 2144, 2008, 5636, 3572, 5132, 4312, 1796, 1856, 2344, 5668, 2092
Suspicious use of FindShellTrayWindow 23 IoCs
pid   Process       entries
5056  kuUggYsc.exe  23
Suspicious use of WriteProcessMemory 64 IoCs
(each row below is listed three times in the 64-entry table, except the last row, which is listed once where the table ends)
pid   wrote to memory of   Process                                              procid_target
3364  3400                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  81
3364  5880                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  84
4460  3628                 cmd.exe                                              88
3552  5056                 cmd.exe                                              89
3364  5008                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  90
5008  2436                 cmd.exe                                              92
3364  4804                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  93
3364  2456                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  94
3364  2224                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  95
2436  2460                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  99
2436  5500                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  101
2436  5660                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  102
2436  5960                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  103
2436  5528                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  104
2460  1436                 cmd.exe                                              109
5528  1700                 cmd.exe                                              110
1436  3688                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  112
3688  896                  cmd.exe                                              114
1436  1164                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  115
1436  3096                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  116
1436  3904                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  117
1436  5304                 JaffaCakes118_04790caa27d1509760e7198453a9e020.exe  118
Processes

The same image paths and command lines repeat throughout the tree, so they are abbreviated as follows:
  SAMPLE  = C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
  CMD     = C:\Windows\SysWOW64\cmd.exe, command line:
            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
  CONHOST = C:\Windows\System32\Conhost.exe, command line:
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Every SAMPLE process below depth 1 is started by the CMD process above it and has the command line
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
(the sample's path without its .exe extension, exactly as passed to cmd /c). The number in brackets is the
nesting depth from the original tree; signatures hit by a process are listed beneath it.

[1]   PID 3364  SAMPLE, command line "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
[2]   PID 3400  C:\Users\Admin\xOUgoYAs\rCoAEokY.exe, command line "C:\Users\Admin\xOUgoYAs\rCoAEokY.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
[2]   PID 5880  C:\ProgramData\eGIUckQM\kuUggYsc.exe, command line "C:\ProgramData\eGIUckQM\kuUggYsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
[2]   PID 5008  CMD
      - Suspicious use of WriteProcessMemory
[3]   PID 2436  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
[4]   PID 2460  CMD
      - Suspicious use of WriteProcessMemory
[5]   PID 1436  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
[6]   PID 3688  CMD
      - Suspicious use of WriteProcessMemory
[7]   PID 896   SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[8]   PID 1972  CMD
      - System Location Discovery: System Language Discovery
[9]   PID 1016  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[10]  PID 3164  CMD
      - System Location Discovery: System Language Discovery
[11]  PID 2144  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[12]  PID 3208  CMD
      - System Location Discovery: System Language Discovery
[13]  PID 2008  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[14]  PID 5440  CMD
[15]  PID 5636  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[16]  PID 5792  CMD
[17]  PID 3572  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[18]  PID 4472  CMD
[19]  PID 5132  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[20]  PID 6036  CMD
[21]  PID 4312  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[22]  PID 3108  CMD
[23]  PID 1796  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[24]  PID 1292  CMD
[25]  PID 1856  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[26]  PID 1784  CMD
[27]  PID 2344  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[28]  PID 1388  CMD
[29]  PID 5668  SAMPLE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
[30]  PID 1064  CMD
[31]  PID 2092  SAMPLE
      - Suspicious behavior: EnumeratesProcesses
[32]  PID 5708  CMD
[33]  PID 3564  SAMPLE
[34]  PID 3096  CMD
[35]  PID 5884  SAMPLE
[36]  PID 772   CMD
[37]  PID 3560  SAMPLE
[38]  PID 1064  CMD
[39]  PID 4556  SAMPLE
      - System Location Discovery: System Language Discovery
[40]  PID 5924  CMD
[41]  PID 852   SAMPLE
      - System Location Discovery: System Language Discovery
[42]  PID 1216  CMD
[43]  PID 2984  SAMPLE
[44]  PID 3060  CMD
[45]  PID 908   SAMPLE
[46]  PID 3672  CMD
[47]  PID 6004  SAMPLE
[48]  PID 5540  CMD
[49]  PID 1068  SAMPLE
[50]  PID 4564  CMD
[51]  PID 3572  CONHOST
[51]  PID 1444  SAMPLE
[52]  PID 5392  CMD
[53]  PID 4616  SAMPLE
[54]  PID 1732  CMD
[55]  PID 4544  SAMPLE
      - System Location Discovery: System Language Discovery
[56]  PID 1740  CMD
[57]  PID 2120  SAMPLE
[58]  PID 5780  CMD
[59]  PID 448   SAMPLE
[60]  PID 5144  CMD
[61]  PID 1784  CONHOST
[61]  PID 3128  SAMPLE
[62]  PID 1388  CMD
[63]  PID 5572  SAMPLE
[64]  PID 1172  CMD
[65]  PID 5912  SAMPLE
[66]  PID 4036  CMD
[67]  PID 3136  SAMPLE
[68]  PID 3860  CMD
[69]  PID 1828  SAMPLE
      - System Location Discovery: System Language Discovery
[70]  PID 4428  CMD
[71]  PID 4044  SAMPLE
[72]  PID 1936  CMD
[73]  PID 3108  SAMPLE
[74]  PID 1972  CMD
[75]  PID 6068  SAMPLE
[76]  PID 5564  CMD
[77]  PID 1332  SAMPLE
[78]  PID 852   CMD
[79]  PID 248   SAMPLE
[80]  PID 2540  CMD
[81]  PID 3284  SAMPLE
[82]  PID 4660  CMD
[83]  PID 2012  SAMPLE
      - System Location Discovery: System Language Discovery
[84]  PID 1040  CMD
[85]  PID 5812  SAMPLE
[86]  PID 1252  CMD
[87]  PID 5460  SAMPLE
[88]  PID 4428  CMD
[89]  PID 4312  SAMPLE
[90]  PID 6088  CMD
[91]  PID 5844  SAMPLE
[92]  PID 6048  CMD
      - System Location Discovery: System Language Discovery
[93]  PID 5884  SAMPLE
[94]  PID 4180  CMD
[95]  PID 2220  CONHOST
[95]  PID 5516  SAMPLE
[96]  PID 248   CMD
[97]  PID 5912  SAMPLE
[98]  PID 3420  CMD
[99]  PID 4512  SAMPLE
[100] PID 5004  CMD
[101] PID 5128  SAMPLE
[102] PID 5252  CMD
[103] PID 1040  SAMPLE
[104] PID 5460  CMD
[105] PID 3900  CONHOST
[105] PID 5952  SAMPLE
[106] PID 2776  CMD
[107] PID 672   CONHOST
[107] PID 5916  SAMPLE
[108] PID 4228  CMD
[109] PID 1228  SAMPLE
[110] PID 5124  CMD
[111] PID 5632  SAMPLE
[112] PID 4088  CMD
[113] PID 5464  SAMPLE
[114] PID 6076  CMD
[115] PID 72    SAMPLE
[116] PID 6084  CMD
[117] PID 3460  CONHOST
[117] PID 4844  SAMPLE
[118] PID 5668  CMD
[119] PID 1732  CONHOST
[119] PID 5004  SAMPLE
[120] PID 5020  CMD
[121] PID 2764  SAMPLE
[122] PID 6004  CMD