nanocore | 33359ddd082b23c721c6ceb77db5e5534b2bf6d33167abffca2c705439fc666c

Analysis

max time kernel
90s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Size

853KB
MD5

001841be7c47d683d72ff03ecc3b1781
SHA1

db8c8eb540075fd068136b351d466190308fe2dd
SHA256

33359ddd082b23c721c6ceb77db5e5534b2bf6d33167abffca2c705439fc666c
SHA512

109a006bee8af521a2936d17ef48699ca7916fc07b438d981855e1ce8802f2a5575af1ef2e6dbd4ec95f69435dea89aaa34f3669c67462b6bf77310afb6c615a
SSDEEP

24576:PC+arTXZjaNJWEEi/iznKRpdUfrK/gMc81S7IEFUcfP8:PypV0/iznKRPUfm/gQin

Score

10^/10

nanocore agilenet evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

meeti.ddns.net:1144

173.254.223.125:1144

Mutex

4aacaf0b-2d1e-4f63-86bc-f3a10404b945

Attributes

activate_away_mode
true
backup_connection_host
173.254.223.125
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-06-15T00:11:27.949979336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1144
default_group
AAAAAAAA
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4aacaf0b-2d1e-4f63-86bc-f3a10404b945
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
meeti.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 2 IoCs

Processes:

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2956-4-0x0000000000790000-0x000000000083E000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

description	pid	process	target process
PID 2956 set thread context of 2800	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2884 set thread context of 2636	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2684 set thread context of 2696	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2468 set thread context of 2472	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2944 set thread context of 2656	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2756 set thread context of 1804	2756	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2148 set thread context of 1508	2148	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1300 set thread context of 2864	1300	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2260 set thread context of 2460	2260	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1840 set thread context of 1048	1840	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1576 set thread context of 952	1576	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 760 set thread context of 2152	760	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1792 set thread context of 2008	1792	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2124 set thread context of 2548	2124	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3000 set thread context of 1668	3000	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2444 set thread context of 2248	2444	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2488 set thread context of 2420	2488	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1696 set thread context of 2300	1696	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2600 set thread context of 2528	2600	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 808 set thread context of 1652	808	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2792 set thread context of 1384	2792	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1608 set thread context of 1028	1608	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2256 set thread context of 1504	2256	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2704 set thread context of 2816	2704	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2092 set thread context of 1492	2092	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2492 set thread context of 3044	2492	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1420 set thread context of 1780	1420	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1552 set thread context of 2532	1552	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2912 set thread context of 2568	2912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2636 set thread context of 536	2636	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2472 set thread context of 2024	2472	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1316 set thread context of 2372	1316	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 904 set thread context of 684	904	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1508 set thread context of 3016	1508	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2032 set thread context of 700	2032	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2724 set thread context of 3056	2724	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2020 set thread context of 3028	2020	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2352 set thread context of 2616	2352	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2760 set thread context of 2444	2760	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2972 set thread context of 2808	2972	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 872 set thread context of 1552	872	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 840 set thread context of 1948	840	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 296 set thread context of 1604	296	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2772 set thread context of 1996	2772	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1316 set thread context of 1576	1316	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1564 set thread context of 1692	1564	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2568 set thread context of 2168	2568	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1652 set thread context of 2956	1652	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2984 set thread context of 1980	2984	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2036 set thread context of 2492	2036	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1420 set thread context of 2092	1420	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 772 set thread context of 1572	772	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2912 set thread context of 1192	2912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3056 set thread context of 3028	3056	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 876 set thread context of 2748	876	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 628 set thread context of 1048	628	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 1804 set thread context of 2988	1804	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 868 set thread context of 2832	868	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1640 set thread context of 1644	1640	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1532 set thread context of 1720	1532	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2032 set thread context of 2916	2032	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2676 set thread context of 996	2676	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2164 set thread context of 2692	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 1480 set thread context of 308	1480	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Host\isshost.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\ISS Host\isshost.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

pid	process
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2696 RegAsm.exe

pid	process
2696	RegAsm.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2756	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2148	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1300	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2260	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1840	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1576	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
760	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1792	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1792	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2124	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3000	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2444	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2488	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1696	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2600	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
808	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2792	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1608	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2256	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2704	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2092	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2492	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1420	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1420	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1552	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2636	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2472	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1316	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
904	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1508	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2032	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2724	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2020	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2352	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2760	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2972	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
872	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
840	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
296	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2772	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2772	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1316	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1564	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2568	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1652	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1652	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2984	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2036	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1420	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1420	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
772	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3056	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3056	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
876	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
628	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1804	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exeRegAsm.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2696	RegAsm.exe
Token: SeDebugPrivilege	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2756	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2148	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1300	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2260	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1840	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1576	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	760	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1792	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2124	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3000	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2444	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1696	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2600	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	808	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2792	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1608	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2256	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2704	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2092	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2492	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1420	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1552	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2636	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2472	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1316	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	904	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1508	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2032	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2724	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2020	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2352	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2760	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2972	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	872	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	840	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	296	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2772	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1316	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1564	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2568	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1652	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2984	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2036	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1420	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	772	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3056	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	876	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	628	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1804	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	868	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1640	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1532	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2032	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2676	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2956 wrote to memory of 2800	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2956 wrote to memory of 2800	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2956 wrote to memory of 2800	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2956 wrote to memory of 2800	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2956 wrote to memory of 2800	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2956 wrote to memory of 2800	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2956 wrote to memory of 2800	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2956 wrote to memory of 2800	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2956 wrote to memory of 2884	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2956 wrote to memory of 2884	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2956 wrote to memory of 2884	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2956 wrote to memory of 2884	2956	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2884 wrote to memory of 2636	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2884 wrote to memory of 2636	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2884 wrote to memory of 2636	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2884 wrote to memory of 2636	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2884 wrote to memory of 2636	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2884 wrote to memory of 2636	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2884 wrote to memory of 2636	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2884 wrote to memory of 2636	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2884 wrote to memory of 2684	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2884 wrote to memory of 2684	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2884 wrote to memory of 2684	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2884 wrote to memory of 2684	2884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2684 wrote to memory of 2696	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2684 wrote to memory of 2696	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2684 wrote to memory of 2696	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2684 wrote to memory of 2696	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2684 wrote to memory of 2696	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2684 wrote to memory of 2696	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2684 wrote to memory of 2696	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2684 wrote to memory of 2696	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2684 wrote to memory of 2468	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2684 wrote to memory of 2468	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2684 wrote to memory of 2468	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2684 wrote to memory of 2468	2684	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2468 wrote to memory of 2472	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2468 wrote to memory of 2472	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2468 wrote to memory of 2472	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2468 wrote to memory of 2472	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2468 wrote to memory of 2472	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2468 wrote to memory of 2472	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2468 wrote to memory of 2472	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2468 wrote to memory of 2472	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2468 wrote to memory of 2944	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2468 wrote to memory of 2944	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2468 wrote to memory of 2944	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2468 wrote to memory of 2944	2468	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2944 wrote to memory of 2656	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2944 wrote to memory of 2656	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2944 wrote to memory of 2656	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2944 wrote to memory of 2656	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2944 wrote to memory of 2656	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2944 wrote to memory of 2656	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2944 wrote to memory of 2656	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2944 wrote to memory of 2656	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2944 wrote to memory of 2756	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2944 wrote to memory of 2756	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2944 wrote to memory of 2756	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2944 wrote to memory of 2756	2944	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2756 wrote to memory of 1804	2756	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2756 wrote to memory of 1804	2756	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2756 wrote to memory of 1804	2756	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2756 wrote to memory of 1804	2756	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
6⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
7⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
8⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
9⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
10⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
12⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
13⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
14⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
14⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
15⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
16⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
17⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
18⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
19⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
20⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
21⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
22⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
23⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
24⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
25⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
26⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
27⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
28⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
28⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
29⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
30⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
31⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
32⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
33⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
34⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
35⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
36⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
37⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
38⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
39⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
40⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
41⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
42⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
43⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
44⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
45⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
45⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
46⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
47⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
48⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
49⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
49⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
50⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
51⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
52⤵
PID:984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
52⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
52⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
53⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
54⤵
PID:308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
54⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
55⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
55⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
56⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
57⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
58⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
59⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
60⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
61⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
62⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
63⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
63⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
64⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
64⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
64⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
64⤵
- Suspicious use of SetThreadContext
PID:1480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
65⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
65⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
66⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
66⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
67⤵
PID:1128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
67⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
67⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
68⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
68⤵
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
69⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
69⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
70⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
70⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
71⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
71⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
72⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
72⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
73⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
73⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
74⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
74⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
74⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
75⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
75⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
75⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
76⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
76⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
77⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
77⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
77⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
78⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
78⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
79⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
79⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
80⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
80⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
81⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
81⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
82⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
82⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
83⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
83⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
84⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
84⤵
PID:1652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
85⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
85⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
86⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
86⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
87⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
87⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
88⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
88⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
89⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
89⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
90⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
90⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
90⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
91⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
91⤵
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
92⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
92⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
93⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
93⤵
PID:2392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
93⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
93⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
94⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
94⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
95⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
95⤵
PID:2328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
96⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
96⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
96⤵
PID:1896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
97⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
97⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
98⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
98⤵
PID:2108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
99⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
99⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
100⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
100⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
101⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
101⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
102⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
102⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
102⤵
PID:604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
103⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
103⤵
PID:536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
104⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
104⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
105⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
105⤵
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
106⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
106⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
107⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
107⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
107⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
108⤵
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
856KB

MD5
580a8987fb4fe3131d1d234d80719979

SHA1
04e022f3b7c73e72fe0c447737bd23c546b67f12

SHA256
46b408cc6899a6c14c87f8d0df5123c169bee34eed0223493f8d7894aea35b3b

SHA512
4b2de08ad6decd0ddfd89c4c853c9cb57cb30873f64fd4def63463faca08fe05155840188ce6c5c0fa3f40468b895e1393e52e01ccfa047390e9a7121ef58c61

Download Submit
memory/760-120-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/952-118-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-107-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-78-0x0000000004890000-0x00000000048D0000-memory.dmp

Filesize
256KB

Download
memory/1300-77-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/1300-95-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/1508-75-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-100-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1576-108-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/1576-109-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/1804-65-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1804-119-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1804-90-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-115-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/1840-99-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2148-82-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2148-67-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2260-87-0x0000000004740000-0x0000000004780000-memory.dmp

Filesize
256KB

Download
memory/2260-86-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2260-105-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2460-97-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-121-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-33-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2468-34-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/2468-51-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2472-98-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-66-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2472-43-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-47-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-88-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-22-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-55-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-76-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-110-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-23-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-41-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-24-0x0000000004660000-0x00000000046A0000-memory.dmp

Filesize
256KB

Download
memory/2696-57-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-32-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-74-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/2696-50-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/2756-56-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2756-72-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-58-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2800-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2800-46-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-10-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2800-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2800-21-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-89-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-85-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-111-0x0000000071570000-0x0000000071B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-29-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-14-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/2884-13-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2944-64-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2944-44-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2944-45-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2956-0-0x00000000001B0000-0x000000000028A000-memory.dmp

Filesize
872KB

Download
memory/2956-8-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2956-6-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download
memory/2956-19-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-5-0x0000000000580000-0x00000000005FE000-memory.dmp

Filesize
504KB

Download
memory/2956-4-0x0000000000790000-0x000000000083E000-memory.dmp

Filesize
696KB

Download
memory/2956-3-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2956-2-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/2956-1-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download