nanocore | 33359ddd082b23c721c6ceb77db5e5534b2bf6d33167abffca2c705439fc666c

Analysis

max time kernel
69s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Size

853KB
MD5

001841be7c47d683d72ff03ecc3b1781
SHA1

db8c8eb540075fd068136b351d466190308fe2dd
SHA256

33359ddd082b23c721c6ceb77db5e5534b2bf6d33167abffca2c705439fc666c
SHA512

109a006bee8af521a2936d17ef48699ca7916fc07b438d981855e1ce8802f2a5575af1ef2e6dbd4ec95f69435dea89aaa34f3669c67462b6bf77310afb6c615a
SSDEEP

24576:PC+arTXZjaNJWEEi/iznKRpdUfrK/gMc81S7IEFUcfP8:PypV0/iznKRPUfm/gQin

Score

10^/10

nanocore agilenet evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

meeti.ddns.net:1144

173.254.223.125:1144

Mutex

4aacaf0b-2d1e-4f63-86bc-f3a10404b945

Attributes

activate_away_mode
true
backup_connection_host
173.254.223.125
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-06-15T00:11:27.949979336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1144
default_group
AAAAAAAA
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4aacaf0b-2d1e-4f63-86bc-f3a10404b945
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
meeti.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 56 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/736-4-0x0000000004D40000-0x0000000004DEE000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 56 IoCs

Processes:

description	pid	process	target process
PID 736 set thread context of 3744	736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1248 set thread context of 1908	1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4736 set thread context of 3236	4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3900 set thread context of 3716	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1496 set thread context of 808	1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 5084 set thread context of 556	5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2164 set thread context of 3468	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1412 set thread context of 3460	1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4052 set thread context of 3616	4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4476 set thread context of 3436	4476	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4580 set thread context of 4192	4580	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 912 set thread context of 1460	912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4376 set thread context of 4472	4376	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2536 set thread context of 1496	2536	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1464 set thread context of 448	1464	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4596 set thread context of 2752	4596	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4580 set thread context of 2900	4580	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 712 set thread context of 3460	712	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1908 set thread context of 1520	1908	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3900 set thread context of 4052	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1884 set thread context of 804	1884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3508 set thread context of 1460	3508	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3664 set thread context of 2396	3664	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1084 set thread context of 5084	1084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1176 set thread context of 2132	1176	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3076 set thread context of 968	3076	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2044 set thread context of 4304	2044	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1232 set thread context of 3244	1232	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4924 set thread context of 3064	4924	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3268 set thread context of 756	3268	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1440 set thread context of 1644	1440	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3116 set thread context of 232	3116	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3728 set thread context of 3240	3728	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2888 set thread context of 1428	2888	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1656 set thread context of 5032	1656	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 808 set thread context of 4100	808	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 3268 set thread context of 2276	3268	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1836 set thread context of 4288	1836	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1588 set thread context of 3436	1588	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 316 set thread context of 4700	316	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3940 set thread context of 3252	3940	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 724 set thread context of 4660	724	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4388 set thread context of 3116	4388	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2460 set thread context of 2740	2460	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 3528 set thread context of 4564	3528	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4884 set thread context of 2072	4884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2144 set thread context of 2276	2144	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1928 set thread context of 3980	1928	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2964 set thread context of 724	2964	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3396 set thread context of 2888	3396	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2440 set thread context of 4896	2440	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1872 set thread context of 3764	1872	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4100 set thread context of 3232	4100	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3728 set thread context of 4020	3728	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 680 set thread context of 3608	680	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4576 set thread context of 992	4576	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\DDP Service\ddpsv.exe	RegAsm.exe
File created	C:\Program Files (x86)\DDP Service\ddpsv.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

pid	process
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

3744 RegAsm.exe

pid	process
3744	RegAsm.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4476	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4476	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4476	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4476	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4476	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4580	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4580	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4376	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4376	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2536	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2536	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1464	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1464	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4596	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4580	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
712	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1908	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3508	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3664	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1176	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1176	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3076	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3076	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2044	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1232	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1232	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4924	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3268	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3268	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1440	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3116	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3116	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3728	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2888	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1656	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
808	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3268	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1836	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1836	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
1588	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
316	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3940	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
724	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
724	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4388	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
2460	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3528	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
3528	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
4884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exeRegAsm.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3744	RegAsm.exe
Token: SeDebugPrivilege	1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4476	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4580	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	912	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4376	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2536	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1464	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4596	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4580	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	712	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1908	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3508	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3664	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1176	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3076	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2044	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1232	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4924	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3268	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1440	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3116	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3728	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2888	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1656	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	808	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3268	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1836	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1588	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	316	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3940	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	724	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4388	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2460	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3528	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4884	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2144	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1928	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2964	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3396	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	2440	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	1872	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4100	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	3728	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	680	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
Token: SeDebugPrivilege	4576	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 736 wrote to memory of 3744	736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 736 wrote to memory of 3744	736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 736 wrote to memory of 3744	736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 736 wrote to memory of 3744	736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 736 wrote to memory of 1248	736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 736 wrote to memory of 1248	736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 736 wrote to memory of 1248	736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 1248 wrote to memory of 1908	1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1248 wrote to memory of 1908	1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1248 wrote to memory of 1908	1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1248 wrote to memory of 1908	1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1248 wrote to memory of 4736	1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 1248 wrote to memory of 4736	1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 1248 wrote to memory of 4736	1248	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 4736 wrote to memory of 3236	4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4736 wrote to memory of 3236	4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4736 wrote to memory of 3236	4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4736 wrote to memory of 3236	4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4736 wrote to memory of 3900	4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 4736 wrote to memory of 3900	4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 4736 wrote to memory of 3900	4736	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 3900 wrote to memory of 3716	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3900 wrote to memory of 3716	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3900 wrote to memory of 3716	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3900 wrote to memory of 3716	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3900 wrote to memory of 1496	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3900 wrote to memory of 1496	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 3900 wrote to memory of 1496	3900	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1496 wrote to memory of 808	1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1496 wrote to memory of 808	1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1496 wrote to memory of 808	1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1496 wrote to memory of 808	1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1496 wrote to memory of 5084	1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 1496 wrote to memory of 5084	1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 1496 wrote to memory of 5084	1496	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 5084 wrote to memory of 556	5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 5084 wrote to memory of 556	5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 5084 wrote to memory of 556	5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 5084 wrote to memory of 556	5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 5084 wrote to memory of 2164	5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 5084 wrote to memory of 2164	5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 5084 wrote to memory of 2164	5084	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2164 wrote to memory of 3468	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2164 wrote to memory of 3468	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2164 wrote to memory of 3468	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2164 wrote to memory of 3468	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 2164 wrote to memory of 1412	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2164 wrote to memory of 1412	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 2164 wrote to memory of 1412	2164	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 1412 wrote to memory of 3460	1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 3460	1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 3460	1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 3460	1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 4052	1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 4052	1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 1412 wrote to memory of 4052	1412	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4052 wrote to memory of 3616	4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4052 wrote to memory of 3616	4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4052 wrote to memory of 3616	4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4052 wrote to memory of 3616	4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe
PID 4052 wrote to memory of 4476	4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 4052 wrote to memory of 4476	4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 4052 wrote to memory of 4476	4052	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
PID 4476 wrote to memory of 1872	4476	001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
4⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
5⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
6⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
7⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
7⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
8⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
9⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
9⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
10⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
10⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
11⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
12⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
12⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
13⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
13⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
14⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
14⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
15⤵
PID:4360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
15⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
15⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
16⤵
PID:2560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
16⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
16⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
17⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
17⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
18⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
18⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
19⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
20⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
21⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
21⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
22⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
22⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
23⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
24⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
24⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
25⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
26⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
26⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
27⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
27⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
27⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
28⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
28⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
29⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
29⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
29⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
30⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
30⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
31⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
31⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
31⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
32⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
32⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
33⤵
PID:4360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
33⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
33⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
34⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
34⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
35⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
35⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
36⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
36⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
37⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
37⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
38⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
38⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
39⤵
PID:1440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
39⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
39⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
40⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
40⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
41⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
41⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
42⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
42⤵
- Checks computer location settings
PID:224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
43⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
43⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
44⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
44⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
44⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
45⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
45⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
46⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
46⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
47⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
47⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
47⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
48⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
48⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
48⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
48⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
48⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
49⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
49⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
50⤵
PID:224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
50⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
50⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
51⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
51⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
52⤵
PID:4388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
52⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
53⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
53⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
53⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
53⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
54⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
54⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
55⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
55⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
56⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
56⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
57⤵
PID:4512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
57⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
58⤵
PID:4520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
58⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
58⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
59⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
59⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
59⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
59⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
60⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
60⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
60⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
60⤵
PID:3236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
61⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
61⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
62⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
62⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
63⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
63⤵
PID:4516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
64⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
64⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
65⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
65⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
66⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
66⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
66⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
66⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
67⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
67⤵
PID:3116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
68⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
68⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
69⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
69⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
69⤵
PID:4188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
70⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
70⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
71⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
71⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
72⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
72⤵
PID:3284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
73⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
73⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
73⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
74⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
74⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
75⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
75⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
75⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
76⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
76⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
77⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
77⤵
PID:4188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
78⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
78⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
79⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
79⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
80⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
80⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
81⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
81⤵
PID:3236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
82⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
82⤵
PID:3816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
83⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
83⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
84⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
84⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
85⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
85⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
85⤵
PID:448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
86⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
86⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
86⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
87⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
87⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
88⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
88⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
89⤵
PID:4324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
89⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
89⤵
PID:4720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
90⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
90⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
90⤵
PID:3268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
91⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
91⤵
PID:3976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
92⤵
PID:2276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
92⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
92⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
93⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
93⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
94⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
94⤵
PID:1388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
95⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
95⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
96⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
96⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
97⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
97⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
98⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
98⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
99⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
99⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
100⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
100⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
100⤵
PID:4784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
101⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
101⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
101⤵
PID:3904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
102⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
102⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
102⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
102⤵
PID:3244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
103⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
103⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
104⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
104⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
104⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
105⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
105⤵
PID:3120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
105⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
105⤵
PID:3428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
106⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
106⤵
PID:3524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
107⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
107⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
108⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
108⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
109⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
109⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
109⤵
PID:4200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
110⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
110⤵
PID:4148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
110⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
110⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
111⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
111⤵
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
112⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
112⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
113⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
113⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
114⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
114⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
114⤵
PID:448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
115⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
115⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
116⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
116⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
117⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
117⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
117⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
118⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
118⤵
PID:3752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
119⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
119⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
120⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
120⤵
PID:3664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
121⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
121⤵
PID:4324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
122⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
122⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
122⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
123⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
123⤵
PID:3248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
124⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
124⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
124⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
125⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
125⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
126⤵
PID:2212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
126⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
126⤵
PID:388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
127⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
127⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
127⤵
PID:2480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
128⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
128⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
128⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
129⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
129⤵
PID:624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
130⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
130⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
131⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001841be7c47d683d72ff03ecc3b1781_JaffaCakes118.exe"
131⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
132⤵
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
856KB

MD5
580a8987fb4fe3131d1d234d80719979

SHA1
04e022f3b7c73e72fe0c447737bd23c546b67f12

SHA256
46b408cc6899a6c14c87f8d0df5123c169bee34eed0223493f8d7894aea35b3b

SHA512
4b2de08ad6decd0ddfd89c4c853c9cb57cb30873f64fd4def63463faca08fe05155840188ce6c5c0fa3f40468b895e1393e52e01ccfa047390e9a7121ef58c61

Download Submit
memory/556-54-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/556-53-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/736-21-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/736-3-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/736-6-0x00000000026C0000-0x00000000026C3000-memory.dmp

Filesize
12KB

Download
memory/736-1-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/736-8-0x0000000004DF0000-0x0000000004DF3000-memory.dmp

Filesize
12KB

Download
memory/736-5-0x00000000073F0000-0x000000000746E000-memory.dmp

Filesize
504KB

Download
memory/736-2-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/736-0-0x0000000000390000-0x000000000046A000-memory.dmp

Filesize
872KB

Download
memory/736-4-0x0000000004D40000-0x0000000004DEE000-memory.dmp

Filesize
696KB

Download
memory/736-17-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/808-47-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/808-70-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/808-69-0x0000000001460000-0x0000000001470000-memory.dmp

Filesize
64KB

Download
memory/808-44-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/808-45-0x0000000001460000-0x0000000001470000-memory.dmp

Filesize
64KB

Download
memory/1248-14-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/1248-28-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/1248-15-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1412-67-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/1412-68-0x0000000001170000-0x0000000001180000-memory.dmp

Filesize
64KB

Download
memory/1496-55-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-39-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-40-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/1908-18-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/1908-41-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/1908-20-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/1908-42-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/1908-63-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/1908-19-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/2164-74-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/2164-56-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/2164-57-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/3236-26-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3236-27-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/3236-29-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3236-50-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/3236-75-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3236-51-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3460-73-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3460-72-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3468-64-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3468-65-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3716-58-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3716-35-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3716-36-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/3716-37-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3716-59-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/3744-9-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3744-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3744-31-0x00000000010F0000-0x0000000001100000-memory.dmp

Filesize
64KB

Download
memory/3744-30-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3744-11-0x00000000717A0000-0x0000000071D51000-memory.dmp

Filesize
5.7MB

Download
memory/3744-10-0x00000000010F0000-0x0000000001100000-memory.dmp

Filesize
64KB

Download
memory/3900-46-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-32-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-33-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/4052-76-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-38-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-22-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-23-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/5084-66-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-48-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-49-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download