lokibot | e8be8e650e523ee3d17a389b2346bef51a7a83f6db16306f1d09456aea5dbe70

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Size

460KB
MD5

cb41ab7f417be462a34754b5f862cbf6
SHA1

d03c1f82c582d9824b06d284225785432e976057
SHA256

e8be8e650e523ee3d17a389b2346bef51a7a83f6db16306f1d09456aea5dbe70
SHA512

668403a2856073173a95787c63adb9c435494dab41be0c3d04ab3386474182b3cd2e1f1397046b82203b88cd1c8ec004b6a8b3df89aa437f62f5738024d7a9b6
SSDEEP

12288:3dp0NlFrPFxVB/H4RZFrmtdlEm9Ojz15eL:j0NlFrPFxVB/H4RZFrmvlEmEjS

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://corpcougar.in/jayy/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 25 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 2912	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	33
PID 2540 set thread context of 1692	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	38
PID 1412 set thread context of 2176	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	43
PID 2900 set thread context of 1256	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	48
PID 872 set thread context of 2380	872	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	53
PID 2168 set thread context of 2056	2168	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	58
PID 1644 set thread context of 772	1644	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	63
PID 2320 set thread context of 832	2320	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	68
PID 752 set thread context of 1652	752	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	74
PID 2688 set thread context of 2576	2688	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	79
PID 2604 set thread context of 1448	2604	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	84
PID 964 set thread context of 2976	964	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	89
PID 2788 set thread context of 2540	2788	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	94
PID 1608 set thread context of 628	1608	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	99
PID 2208 set thread context of 1616	2208	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	104
PID 2192 set thread context of 1928	2192	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	109
PID 1504 set thread context of 2620	1504	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	114
PID 2624 set thread context of 592	2624	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	119
PID 1600 set thread context of 1528	1600	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	125
PID 2824 set thread context of 1804	2824	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	130
PID 2436 set thread context of 768	2436	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	135
PID 1712 set thread context of 1952	1712	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	140
PID 2592 set thread context of 444	2592	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	145
PID 2144 set thread context of 840	2144	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	151
PID 2332 set thread context of 2112	2332	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	156

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3040	2888	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 28 IoCs

pid	Process
1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
872	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2168	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1644	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2320	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
752	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
752	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2688	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2604	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
964	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2788	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1608	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2208	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2192	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1504	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2624	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1600	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1600	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2824	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2436	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1712	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2592	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2144	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2144	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2332	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	872	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2168	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1644	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2320	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	752	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2688	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2912	vbc.exe
Token: SeDebugPrivilege	964	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2788	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1608	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2208	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2192	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1504	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2624	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1600	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2824	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2436	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1712	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2592	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2144	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2332	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2744	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2744	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2744	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2744	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	30
PID 2744 wrote to memory of 2668	2744	csc.exe	32
PID 2744 wrote to memory of 2668	2744	csc.exe	32
PID 2744 wrote to memory of 2668	2744	csc.exe	32
PID 2744 wrote to memory of 2668	2744	csc.exe	32
PID 1952 wrote to memory of 2912	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	33
PID 1952 wrote to memory of 2912	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	33
PID 1952 wrote to memory of 2912	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	33
PID 1952 wrote to memory of 2912	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	33
PID 1952 wrote to memory of 2912	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	33
PID 1952 wrote to memory of 2540	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	34
PID 1952 wrote to memory of 2540	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	34
PID 1952 wrote to memory of 2540	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	34
PID 1952 wrote to memory of 2540	1952	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	34
PID 2540 wrote to memory of 2616	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	35
PID 2540 wrote to memory of 2616	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	35
PID 2540 wrote to memory of 2616	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	35
PID 2540 wrote to memory of 2616	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	35
PID 2616 wrote to memory of 2068	2616	csc.exe	37
PID 2616 wrote to memory of 2068	2616	csc.exe	37
PID 2616 wrote to memory of 2068	2616	csc.exe	37
PID 2616 wrote to memory of 2068	2616	csc.exe	37
PID 2540 wrote to memory of 1692	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	38
PID 2540 wrote to memory of 1692	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	38
PID 2540 wrote to memory of 1692	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	38
PID 2540 wrote to memory of 1692	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	38
PID 2540 wrote to memory of 1692	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	38
PID 2540 wrote to memory of 1412	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	39
PID 2540 wrote to memory of 1412	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	39
PID 2540 wrote to memory of 1412	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	39
PID 2540 wrote to memory of 1412	2540	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	39
PID 1412 wrote to memory of 2508	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	40
PID 1412 wrote to memory of 2508	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	40
PID 1412 wrote to memory of 2508	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	40
PID 1412 wrote to memory of 2508	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	40
PID 2508 wrote to memory of 2160	2508	csc.exe	42
PID 2508 wrote to memory of 2160	2508	csc.exe	42
PID 2508 wrote to memory of 2160	2508	csc.exe	42
PID 2508 wrote to memory of 2160	2508	csc.exe	42
PID 1412 wrote to memory of 2176	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	43
PID 1412 wrote to memory of 2176	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	43
PID 1412 wrote to memory of 2176	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	43
PID 1412 wrote to memory of 2176	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	43
PID 1412 wrote to memory of 2176	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	43
PID 1412 wrote to memory of 2900	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	44
PID 1412 wrote to memory of 2900	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	44
PID 1412 wrote to memory of 2900	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	44
PID 1412 wrote to memory of 2900	1412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	44
PID 2900 wrote to memory of 2980	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	45
PID 2900 wrote to memory of 2980	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	45
PID 2900 wrote to memory of 2980	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	45
PID 2900 wrote to memory of 2980	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	45
PID 2980 wrote to memory of 2640	2980	csc.exe	47
PID 2980 wrote to memory of 2640	2980	csc.exe	47
PID 2980 wrote to memory of 2640	2980	csc.exe	47
PID 2980 wrote to memory of 2640	2980	csc.exe	47
PID 2900 wrote to memory of 1256	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	48
PID 2900 wrote to memory of 1256	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	48
PID 2900 wrote to memory of 1256	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	48
PID 2900 wrote to memory of 1256	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	48
PID 2900 wrote to memory of 1256	2900	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	48

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n3xagtv0\n3xagtv0.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3958.tmp" "c:\Users\Admin\AppData\Local\Temp\n3xagtv0\CSCDC52ADB57DCB4E6394FA7A2ABA472435.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2hp31p4r\2hp31p4r.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FCE.tmp" "c:\Users\Admin\AppData\Local\Temp\2hp31p4r\CSC1904E6A360124393B48EBD395F36A1B6.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mvkcsqqx\mvkcsqqx.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4588.tmp" "c:\Users\Admin\AppData\Local\Temp\mvkcsqqx\CSC50712CFD1714FB396A778F0EF9C19AC.TMP"
        5⤵
        
        PID:2160
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sifxdyh1\sifxdyh1.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46EF.tmp" "c:\Users\Admin\AppData\Local\Temp\sifxdyh1\CSCC6D7FC05D8314B6CAFB5D82673B5698F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:1256
    - - C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ar5anlh\1ar5anlh.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47E9.tmp" "c:\Users\Admin\AppData\Local\Temp\1ar5anlh\CSC6F51D096D4EE426B89E62B36E71A.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\geigepyt\geigepyt.cmdline"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES499E.tmp" "c:\Users\Admin\AppData\Local\Temp\geigepyt\CSC802C7710C54A4E17B23C562EE5B865F.TMP"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        7⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylkaotfq\ylkaotfq.cmdline"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AC6.tmp" "c:\Users\Admin\AppData\Local\Temp\ylkaotfq\CSC467586F4D75A49CD945B1781536D70C5.TMP"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        8⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylii0cxw\ylii0cxw.cmdline"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C3C.tmp" "c:\Users\Admin\AppData\Local\Temp\ylii0cxw\CSCBBA53F13F6D346D295E6A73861989BA.TMP"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        9⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0yw50efq\0yw50efq.cmdline"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E01.tmp" "c:\Users\Admin\AppData\Local\Temp\0yw50efq\CSCF495A0197AAF4003BE162194DAC3F662.TMP"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        10⤵
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        10⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irdl1ndi\irdl1ndi.cmdline"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F96.tmp" "c:\Users\Admin\AppData\Local\Temp\irdl1ndi\CSCBF87ACAF65044C018B3CF3ED711C6E4.TMP"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        11⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c1rftwjo\c1rftwjo.cmdline"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES516A.tmp" "c:\Users\Admin\AppData\Local\Temp\c1rftwjo\CSCAB93A1C53B846B3A67D93766E3B896.TMP"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        12⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52cueaql\52cueaql.cmdline"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5264.tmp" "c:\Users\Admin\AppData\Local\Temp\52cueaql\CSCAAB680BEBD614403A9F03C4988787DC7.TMP"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qf54hv5g\qf54hv5g.cmdline"
        14⤵
        
        PID:1208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5448.tmp" "c:\Users\Admin\AppData\Local\Temp\qf54hv5g\CSC693C0FB7B3B444F7ADA1F0EFBF2A2C9.TMP"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        14⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\heso3kgc\heso3kgc.cmdline"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5522.tmp" "c:\Users\Admin\AppData\Local\Temp\heso3kgc\CSC971A3B486DF64199B8C33D6405540A1.TMP"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        15⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\stdgajq0\stdgajq0.cmdline"
        16⤵
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5698.tmp" "c:\Users\Admin\AppData\Local\Temp\stdgajq0\CSCC9A8086875BF49838FA38C0F4DCBC.TMP"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        16⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1rbv334z\1rbv334z.cmdline"
        17⤵
        
        PID:2900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5792.tmp" "c:\Users\Admin\AppData\Local\Temp\1rbv334z\CSC292C2057A2674E88A65E745D63F3226D.TMP"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1oomukix\1oomukix.cmdline"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5957.tmp" "c:\Users\Admin\AppData\Local\Temp\1oomukix\CSC5EAF3A7BA0504DC495A13FE4F8A00E6.TMP"
        19⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        18⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\24blco3e\24blco3e.cmdline"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A50.tmp" "c:\Users\Admin\AppData\Local\Temp\24blco3e\CSC6D147965B29F45FBB62EB584BBAE9893.TMP"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        19⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ni4tepsf\ni4tepsf.cmdline"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BC7.tmp" "c:\Users\Admin\AppData\Local\Temp\ni4tepsf\CSC3A368145E1AE4C08B543BB7DACE46EE5.TMP"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        20⤵
        
        PID:1644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        20⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        20⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vddtsnvc\vddtsnvc.cmdline"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CFF.tmp" "c:\Users\Admin\AppData\Local\Temp\vddtsnvc\CSCFE0EBDAEFC084228AA48B09C44F35A95.TMP"
        22⤵
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        21⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        21⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gsl3iflu\gsl3iflu.cmdline"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DF8.tmp" "c:\Users\Admin\AppData\Local\Temp\gsl3iflu\CSC9E63195927C8426DBFB6150152B95B7.TMP"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        22⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4g3oq4qk\4g3oq4qk.cmdline"
        23⤵
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F40.tmp" "c:\Users\Admin\AppData\Local\Temp\4g3oq4qk\CSCCB89D93D4FAE41C8B88D1366A8D5A2C6.TMP"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        23⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcmtfcco\lcmtfcco.cmdline"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6114.tmp" "c:\Users\Admin\AppData\Local\Temp\lcmtfcco\CSC2BED31E3675744D0942BF4470581477.TMP"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        24⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        24⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3jqlgqt3\3jqlgqt3.cmdline"
        25⤵
        
        PID:888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6365.tmp" "c:\Users\Admin\AppData\Local\Temp\3jqlgqt3\CSC39242101BE524A8AA57EA33A2287EA6.TMP"
        26⤵
        
        PID:2092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        25⤵
        
        PID:1624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        25⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eommvlgt\eommvlgt.cmdline"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES648D.tmp" "c:\Users\Admin\AppData\Local\Temp\eommvlgt\CSC78DC834DEC434CD7B0A3A27940C69BFD.TMP"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        26⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bn3egexb\bn3egexb.cmdline"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65A6.tmp" "c:\Users\Admin\AppData\Local\Temp\bn3egexb\CSC834838988EFE4C76943E4A4D1DFCE926.TMP"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 8772
        27⤵
        Program crash
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DictionaryToMapAdapter

Filesize
564KB

MD5
d86193a6ff3c76df08572915ee80f976

SHA1
44c9cf2894de5acb2b6f834de04335dffa061427

SHA256
4930ff20d7aadc7d93eee99e582a8ab83129e26aee6607a1a205a0ec8dbe242b

SHA512
5d3b3533f4ac7c0da4f4068fad3c568edf808479d0269046765cb57e8133591a6d6bfbbf7d6628ec8d66c6beda81343b3dd58fbecd4bf0c2a4260abc81edd067

Download Submit
C:\Users\Admin\AppData\Local\Temp\0yw50efq\0yw50efq.dll

Filesize
379KB

MD5
4747f6d04d36cf52544e8eb29cacb412

SHA1
260f3960c04ee19666b9c7accd447e30e8a5f410

SHA256
025022dc3f59dcf0b4ad5f32162bc4beba6dc18e2f7adc351eef4482fe13c087

SHA512
c6f28c73cdb9cb9476e4354a02bdfb3b115e0230d89beeeb099697c0333ef6ed6e2ec8a4c2e4b94d2da34611bc025d223714f7b4655888b4e709c1911c935fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ar5anlh\1ar5anlh.dll

Filesize
379KB

MD5
84b11b3b8990ea3f4f977cd8bfdb113e

SHA1
080d0babb2867c36822dc160c97e103d430772b2

SHA256
71d4b777d04bdb779bd5e22aaaf085906b574c53a554cf718669b3a4d39ab69b

SHA512
fdd51452f7645292c654d8584dbdc43508b77ec6a4a3a1321867b89c52708361192e547724677028275acf97f7c2fd52d705f8d8cf26be4478e38599e770889d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2hp31p4r\2hp31p4r.dll

Filesize
379KB

MD5
8b0e82c9e2b6ea69725bfa17b36c4351

SHA1
6cd1c2179c16901009a338d322d92d56470088dc

SHA256
34b360af067bbaabbbf71ac997c421be44825a1d5aede2e06fb7f227b3996c82

SHA512
14620c1eace61634e6c2c0ff70697ee8b0328725bb56920d2e525f02d5a947335e1982d2bb43aaecbb6497449fd5f62086ce5446a2a86822fc808321ab6c648d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3958.tmp

Filesize
1KB

MD5
63435bbef8465b68f92d8035db7b6270

SHA1
a6c5710e83d459f84673f694494f464a57f6819a

SHA256
c3398780d7f00cf02c4d349a9efbfdd1bd171aaa5ba8ebc03bc099229b07b8d2

SHA512
0a0ad9c092406cc0191bbe7f9dff5da96241ffdbe9d2faf33686ec67a7b7a8c38df540de92cc3d33ae3ea4ca167a51ee5a7ab590ab52fc6919eb8a0e855ea5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3FCE.tmp

Filesize
1KB

MD5
336d7d2de4388aac4b5f8bffa83eb7bd

SHA1
9a03e15b6600f07f4ce683c41bec1e2ef3e9f88c

SHA256
1cd285b6897faeca86238354e086ca5fb2886a19b462a3d23f1e4c5046c7e626

SHA512
b772acfd5b0fe6b401e39495121468610d6b945bf9aeeefae3e65e20b8445d917548b5fa6f478a42a0077813c2a1012262b675a468a6d93162862bf55d708bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4588.tmp

Filesize
1KB

MD5
0040f4c72c338882c4af661106668e83

SHA1
4304efda97fbda6395e4125075a003bbb91b687c

SHA256
a58aa777cf97dcab56d2c892298519f7ba5d4e163afefc0c55b9cd63e6120e7b

SHA512
501fa389304a005de50b6037bc4061774fa793f280272ba06aa005e8eb433273088f2d9b5cdd2c8d3c13bdc8855b23f3de421e3764d005993cbcccd4bb5c4c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES46EF.tmp

Filesize
1KB

MD5
dfc18cbabaa6d3caead32639ed06ceec

SHA1
89945b7039a43e51227ae27d2a437939f70d6213

SHA256
4542eed5e5e9b013c007ad73dd8eacc9a6a9f8f8b24b346388357c4aefeff304

SHA512
268c1be1247a18d8bffdb22ad54c60d81a5eb44fd3bec77cdaa3036ec71bb4efddfde010118ff575c4fd9062db3ac79d6365e40a3b346922e50cd956654ee172

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES47E9.tmp

Filesize
1KB

MD5
33d29973d61cc988e76c0651e877313a

SHA1
f03154fd0180a2076126f47e62ffbd911519df5a

SHA256
76169e02b186a0b6ca3c23fda03aa7eb1eeb415886be8bad42da390e6207c285

SHA512
c599f1fbe53250772b4dba0988635718b69542aa51c906a4965362d70eefda048cee986d7ccce81eebb00b103ab9f8e55bbeeabb086d6532b1566cbf1ceab8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES499E.tmp

Filesize
1KB

MD5
f5142b3c67d51f19e6cb20251113cd8a

SHA1
f5685db29d02de0cd142204fb03b5672f6b3c1f7

SHA256
c83ef89d05110ce49e571ec1a6784ed5e2d471a66a64ca4b061caaebe1852b7d

SHA512
5e6c28d671ae0c83c140710d40842bd0104701cf60e8969f068ac3e32332ee8b0e424aad13a840ef1802e87a73edf02935edc7401fb3eb4539b71aa9ea57ad46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4AC6.tmp

Filesize
1KB

MD5
2f511716d53b82e63e8c8adbd0556b13

SHA1
511c0b7df641d7dcfba798e483babda2f45d68b7

SHA256
2d27a25adc4966cd5ac08e27a61d836821311609b9f4086cd08037ac5045dadd

SHA512
c76f769ead070db42a3387fe5591f0c43c876b27aef7327eb43817d3118aca8eadd9bbfffcf80a04cce867012e8be76212bed65d46dca45b1478165668100aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C3C.tmp

Filesize
1KB

MD5
c5e313018dba47646f0c7b6dc2d90fa3

SHA1
26ea00b9fb9df0887d941a0988a8b993b792d3f4

SHA256
1e9c994b335132d4108f353c53cb4418482d01799f3f3e7bd66575571aae4127

SHA512
2401e822f5a7a2f84477de45c425bdbcfdfa45b14ec5103fe5dc67ce2f3db6715d1675e9223d35fc78eecfe4b0ae625b42746c54d35dd65284fb6a48b7bcb4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E01.tmp

Filesize
1KB

MD5
3d359393298bd020bacfc7b9c5c7d9f4

SHA1
6bb141702da44880222055913f869b4407d0327b

SHA256
71c3f79ed3bb5aa393fe5d0b0969e53eafee906351a59ad7a3a31cb23c4d86c4

SHA512
b2d89799606341b42ec4ebf3c877a11824ef95ff16210daf500f0989086aed86c3bb94e3707e1f3989a0981a528e825245235081c5eb8f89d15537cf8489089d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F96.tmp

Filesize
1KB

MD5
0223407765bb6209d26e97e086ebda20

SHA1
e1fcff0b350a651dbcf5f3136480402c9bb9f7db

SHA256
16027c124c58143a2c8e6a1f426c1ee29d38740e0cfe171f3ee7fae81034767e

SHA512
020773f76bb019faf0f084125ecba80cce7da829b971fa8bdd80d404312b6135200a956b82934eb92ca494c4219784ba96a7d3668d15a77690c09efb3f8a3493

Download Submit
C:\Users\Admin\AppData\Local\Temp\geigepyt\geigepyt.dll

Filesize
379KB

MD5
ccd3f622f28866e0ee6be4aceca3bbb0

SHA1
34d0012e2dc881ab75f34a52b3073c40c125f7fd

SHA256
95f1d0be1087155d79fff54875b6e94665435ba897b7eddc97fb408915a971b9

SHA512
15f737d86dc0eeb2a8d0b0bba1ceff8be27bc8f9f052fb900525659b98be9cea4fa1f2f1927a0c0369308fd35f796943ec5d52a1cbff39cbb6b1da1d6dc06b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\irdl1ndi\irdl1ndi.dll

Filesize
379KB

MD5
4fcb1fa6c5861bb8ccd107137a55ef76

SHA1
6e5ac5e2c1a610d87f915465bfa2cc9aaf355afe

SHA256
6b7743b2ea8acc96f4deb7dcbf9677a507f65c7c60241bd66da654da1640a6bf

SHA512
c41c832c6aee0074e25b3dceaa3d88c76e01b15ff299a03998b90aabf09735f27f158fe511a6ec5dd508e81dce18a5160efe9f2f7e0d177afaaa889c440d7636

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvkcsqqx\mvkcsqqx.dll

Filesize
379KB

MD5
5844ede4d76211c63dd4bdf02015b6ea

SHA1
d1e5547072110c18a1515d5051fa041a2ba59536

SHA256
0f617db9e91359cbb43890b42a31275da7ec98c7823137ba214d1ba770953843

SHA512
2a8900f25afcbdd5206ac30961951bc32a02fe71194493bb5e773f27d6035f1d46805df181d6bb45cb90441934c7d08c12c9cf63e43cb409937c6c29d5d1b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3xagtv0\n3xagtv0.dll

Filesize
379KB

MD5
447c1b03b3f9ee71be612a9972f6f9f9

SHA1
d98bee8b2cef241b9f80c75ecd00be90dec8b09c

SHA256
d713af54a67efc1ff57ec27d3a18ad4fd93b6738dd039e1ee5403fe64751dc50

SHA512
a2cccdd4be5533b5cc8abcd11b5532221bcef3d83bb3e7f51ec44cfc20e82217671bc74617c935c87ad37d7a370e84f9f2f42a23f2c48c8c05459a41cf40a325

Download Submit
C:\Users\Admin\AppData\Local\Temp\sifxdyh1\sifxdyh1.dll

Filesize
379KB

MD5
2620538ba9a5ab7774dba1f8638a8345

SHA1
d9ef57284f2ae892d83cfbb34acefb8a16d00b02

SHA256
1b53af06b152358d5b95a531a8c0ac184ab76faad6a1a052bb72dfc3efed1d74

SHA512
9d32ca425eb916046f47a28c85f178d8f05dd3464eda11ebff357ffda357a21ab18fd21424adae3f11dfd8b67fa170b8c4071d257852b058a2f6a7e7cf2aae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylii0cxw\ylii0cxw.dll

Filesize
379KB

MD5
339f7dda557c5197f28c84fdea1cc8b6

SHA1
6a6e1a4e80809b1f8ce73dfadec716b255a75a8e

SHA256
bff2fc73e9ad2243730871eafdf95a4bee6711cf5802fa4e8709f6e48cfd0f30

SHA512
0ae796fb47fb4b0ac90a14d2a4e914013a654257bfee6c1edeec26b0980ebae841d048a62a12d7299ea80ebdf4cd097f71300a720385f8943fbbfe9cd51b5fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylkaotfq\ylkaotfq.dll

Filesize
379KB

MD5
824963f0a64805d7fb42b947952844c7

SHA1
d54ee4d6360cea59428a2f8521f36fdcadaa01f3

SHA256
71fdab1a28ed49e413833754596bc13effd2f45ec738244f4a482909b7cdee5f

SHA512
c13d584746114a9eced71e1e5b28c7c32bfb777ca2da52a225d330d750d3caf3ea5422c4404e9f6c65d6231fbf05d7919aa9c010570e63f00e2d6c5e0acbed2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172136094-3310281978-782691160-1000\0f5007522459c86e95ffcc62f32308f1_ad67a936-7f42-4f72-a93a-f5bcf669d37e

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2172136094-3310281978-782691160-1000\0f5007522459c86e95ffcc62f32308f1_ad67a936-7f42-4f72-a93a-f5bcf669d37e

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Filesize
460KB

MD5
cb41ab7f417be462a34754b5f862cbf6

SHA1
d03c1f82c582d9824b06d284225785432e976057

SHA256
e8be8e650e523ee3d17a389b2346bef51a7a83f6db16306f1d09456aea5dbe70

SHA512
668403a2856073173a95787c63adb9c435494dab41be0c3d04ab3386474182b3cd2e1f1397046b82203b88cd1c8ec004b6a8b3df89aa437f62f5738024d7a9b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0yw50efq\0yw50efq.cmdline

Filesize
302B

MD5
f70cc1671f1b06efd0f14303522fa069

SHA1
44318d1c3f6171aa4b7de2e8079b47e5805f5047

SHA256
13f3d5da897725c8edf84b7ac3ed7318b9386b5761c15695262ff2494ccdfdfc

SHA512
79b81e2c83de66d3ca25681fe22468eb12c081cfb129e44fba16a57fb61588827e2ed4b748387b27da5bde25f82467b501e898297f2fd5ec29f0d7f5ccd8935a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0yw50efq\CSCF495A0197AAF4003BE162194DAC3F662.TMP

Filesize
652B

MD5
7d1305df971d5b999c0549c96db8a155

SHA1
414b2f84e21ec2432d2c0d9c3ec72c3d830bb5e0

SHA256
7e9c3533a1d2bd2c4e3f1fa9cba479d5fcfb364ffa422e2eb82348471b345024

SHA512
3377a2b47b0d29f1132453f0edf2184a886d8fc1f588635dde3bf4f06267290070b9ce2ad90037e15874f44af625f3a35e9bf0963be6955be053cfd84c69641d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ar5anlh\1ar5anlh.cmdline

Filesize
302B

MD5
dc07eef43d476139d911f78d8c901174

SHA1
4ad3a4c92e538dcfef22648a728598693be46a5e

SHA256
cb90c1bdf8bba828c91fe3e7c7ecb5e897f4cd1aba384ee96c39c4b945026c90

SHA512
eab921cec423258b43225eb0ffb90601a479216912f88cba78990deaf8a5a85fbffa8acc25ad0568772a07ee11615ca9956646f604c55e2bd3faba8722cc5159

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ar5anlh\CSC6F51D096D4EE426B89E62B36E71A.TMP

Filesize
652B

MD5
1e4805ff86a765ee6bca7538d8ecf1db

SHA1
abedc8e402aeb63cd3489527031778f0afbc784f

SHA256
70ddceb3b9d9e022f7dd3b3ed46f9112b69dbfe2e08deff9cf598e638761ce41

SHA512
f73c9960adc75b4f815c26d623f09b133ea123bbb456cd31e3b1a01a35981194b989caed20984a3bc22bc5550f9c89aacd8c333f350614751e88aef11e96e2d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2hp31p4r\2hp31p4r.cmdline

Filesize
302B

MD5
4a9659155185b56f95a3035c4427f56c

SHA1
aa358469ce681fdeddff22a02e978e3ce66bbdb0

SHA256
3054c23ae38ed84f50238f53b7eb995e574cb574cc79732839273ba5f261bd2e

SHA512
1d9831686453c9d2645bd6209acb8c68667e202b2bdd7df62fe499899fa54bd2c7db1184e65942355699f53651c4d46520187d9bb7ed905259b038c7c757e3c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2hp31p4r\CSC1904E6A360124393B48EBD395F36A1B6.TMP

Filesize
652B

MD5
bf0c41cb019f86e96ab72811710591d8

SHA1
25761de61a85d9fb6524e3719303585a2c00dacb

SHA256
0aa81268c2e6ca81ee93547037b147d08b91b8dc9059aff0d7d06e6413d5dbb4

SHA512
ee14f56a86612feecca32cd15abc3520bd2f3d84dc45db6b09de6897e860cf3af3b9cbd082efa152a8d295e376fb0dfd49750fb722519475163ff48a966375d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1rftwjo\CSCAB93A1C53B846B3A67D93766E3B896.TMP

Filesize
652B

MD5
b805bff41d3e48a4b02275e3c1596423

SHA1
3b02414beac523c89e3e62b95d9ca810d60eef3a

SHA256
12b8aad34e8380aeb27b35c422138f7d2f06130470de4c54dc2f619bccfe74f5

SHA512
4e22e914b63331e9434a9faa2d426d7e5f577e05c58f26b0e3d8e82f60fe3de517a63c8762af736f6e978c02a9332f7295bf554e4508865c425b96d61df5f099

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1rftwjo\c1rftwjo.cmdline

Filesize
302B

MD5
d7183edf4b16ceed9313ac90684813e2

SHA1
22a94a64bfb36a494f6b15a82453c2aca5dda942

SHA256
f5bafd8797bca09b5fb9ebebfe9f93733113bb2260d5efb584b16f3fd373983e

SHA512
e02be1d4a81288cc5005be1f294532bb12f3f9a42958324f92e648036da8ff7d83e02d72fc2b521a7eb10a1009e8131462b0d801d2976396d23856c2413c8e77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\geigepyt\CSC802C7710C54A4E17B23C562EE5B865F.TMP

Filesize
652B

MD5
12d7e242f17b60220ee58db8b1faf503

SHA1
3373b3014a20fdc5a05f09c4390923e2b9bf94e1

SHA256
92a964e6a16e20eda9830ae80e0f5460b880b15a09225a555f6937c4cf5c395a

SHA512
895dc3fc2d0c0bcc96c78808364b3194bd6923d592dd8ada1dd2766cbe65bc3ed63b8b139c706a48e8def038e3d160201acffda252eca7c3e15cff78c62edd94

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\geigepyt\geigepyt.cmdline

Filesize
302B

MD5
925336fd54122383b7f6504d0ea74743

SHA1
d60ec9ac75cc86968222ae832c31bbdfa729ce60

SHA256
a844f4b6db334d7e8f53397ab4ca9b984cd658a5f9dbe06d861ae629161a291e

SHA512
1f9a2bc88e7fb7b736ede53b69a7f4edc24e22dfb42e68b391cb6e2db154b0ce41b51bde3d4bde17246227ea5326340688a917c09d52f2e8a0eb8a75bd7a22cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\irdl1ndi\CSCBF87ACAF65044C018B3CF3ED711C6E4.TMP

Filesize
652B

MD5
04d215619366dbd21022b22554106e23

SHA1
1d79b4a3964c62fbc491c8cd26039da8b7732652

SHA256
e953a31a188cde4df0c8c18ebc9ad4050168a32d09ec64aba7f96bc8f4dc6a03

SHA512
91ee8e62dae87f7585ea9722364d6a19ad5f5b1a34c240630700a754c0755043d94fcb022b5b941eb2f6e94fd065cc3d5d491fa9a6ed4b1dc2192147ab8d4253

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\irdl1ndi\irdl1ndi.cmdline

Filesize
302B

MD5
ea41c81c5fd1ed337cefc3c54e2ce8ca

SHA1
bcf945bdf19e88bf4244941aa0d5ab3037e3f27c

SHA256
2ce15c17ca30a460e46b7aeedd913f1dde74c5cca7b14fc43c39767090730c3e

SHA512
5e33d33636f42df2d019da2f554cfdb29dc5f25ec202f11c43c858b28f7eac6749696a40a2f242cfcbb7c2a8f5b838a254166c8a1bbc30a63125e9578e7ce41c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mvkcsqqx\CSC50712CFD1714FB396A778F0EF9C19AC.TMP

Filesize
652B

MD5
2e9ff3a6e3d7e6222fb31ce2bad41b98

SHA1
0b8dde2716326833e6d5606df7f69c9a4b452a3f

SHA256
b71fd5367dc20d56bae3965425caa1439f0f393e89d4b5bef2df386a81c29097

SHA512
9ffd4ef13662eb5f84f54f3240da07086de23fb414e8ad0e966e7ed4dab0f7a15ae45259f21dab5bf95578041b0aef19e6518eb6c2192f999ba86526dc6ef49a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mvkcsqqx\mvkcsqqx.cmdline

Filesize
302B

MD5
0f05a60fd973bcbfc8603c33b53f53b7

SHA1
1ea1aa79bd77652c640f5e6a4c8426bddc5fc5e8

SHA256
ffce6a2e49a7ceacb51106b486866ba15f220e418ce254c28e0173306340964f

SHA512
fc69c88a9cb42b7cb1917b5d870e86b90025f5d6dd89a6fd1474b300d447c1657b067061a206da04ae7f1fe5fdb3d6de68c355f492ae73992c30346498b09558

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3xagtv0\CSCDC52ADB57DCB4E6394FA7A2ABA472435.TMP

Filesize
652B

MD5
f0c06f0541045bc8e65782b03d5f6913

SHA1
7eba878da2f860faab90d8be5ee06a79e4aec50c

SHA256
7c509b33cfe3e244df54f7848c9783c07c02e1e9509a2125f587edcb0c397a9e

SHA512
ee503daa736e8ac0e5764db7428b5af4e7974d2c28bbfd6ee1bc2655811455e5a9518f3acb0d491bdd48254fca3f1341d24f7584e51631a3d5f7519df93fc8b1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3xagtv0\n3xagtv0.0.cs

Filesize
564KB

MD5
51efd210d3488390f723d0ab82c87698

SHA1
5aea69461249d93a0b9786eddd8cd414f09368c8

SHA256
21079b3584758cd5b87dd69ef99fe2dfe1b342794c40bab22d45cfd3a37329ad

SHA512
131e0fc1a6f0c19c216015864f50b293ff108f7cf96b1f19bb49fb38ceb6c9b279d617f66277983f9f1f45284d16b6b9e30c98fc8d9cd94fa06b3a9a8b4142fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n3xagtv0\n3xagtv0.cmdline

Filesize
302B

MD5
2cf233fec815d7c6b1228c94bd0a4fe1

SHA1
ad3bc545811b833c522bb54fb951a46da2b4ebbd

SHA256
212d5ce306148ea62338441fe53cb010cc374638cbf7abe270d3140fbeee9c77

SHA512
64cbef37ed3d4ee3163150cfd1c3bd462e7eee13874500d5a8de2c2183ec5621efefb07919f0a522d89f85ee94ee3e204180cbf817c28434bf528deec3b23e5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sifxdyh1\CSCC6D7FC05D8314B6CAFB5D82673B5698F.TMP

Filesize
652B

MD5
6929bb8b351f439071c0b18f55834670

SHA1
1c27c19ccfacd1e38e3ef050bbcb7e6381f14095

SHA256
478267fa810c32d9c0d9c8388cb1632ea78fbe94d25b62300cb4db4480eba522

SHA512
b22463583f669c063b1f9ff0a43a7b0dd3143227f06c79c1ffad1198b9a94702bd5a80a68ecbf31d64cf7782a20d7d4d76f13c7fec5d9c233d76482d228d8deb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sifxdyh1\sifxdyh1.cmdline

Filesize
302B

MD5
4422b49167a34ace773cb2e388ef4a20

SHA1
326cfd13cb47f58ac44d0ee798faad9af964f6b7

SHA256
8c62d099a8e27d8825dcea0ed5d318c8823129a97f17dfa8c72bfa941d4f9ae0

SHA512
cdf0a6545cd3c92552e4ea58b047cb189684e519c0ab4266f057a78fecceaa4ea6a43a297dd714c880314daf9f417703913c06fcd16af5b427b004bdb11a86bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylii0cxw\CSCBBA53F13F6D346D295E6A73861989BA.TMP

Filesize
652B

MD5
3f8d2d364f5b4ef79961fc97f8df3aab

SHA1
80650779b2d964ff796fee1a0c0e159a87e93bc1

SHA256
cba5229aa17925c08470208c189c2241cdc600c8b74d76c42247158ffecc4bd2

SHA512
cbce8efceb344340a77fa5936435e875e4ca4a0ef6145fbabf3cf770ef99b2710df3952c764d7afc80e8db66f22e52f213a2e822122244baf0755730a100ef50

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylii0cxw\ylii0cxw.cmdline

Filesize
302B

MD5
5d745788ffb7ff047b9a79ed5457ad1a

SHA1
e82e849eb01cab51e27af5c6594f4adc914ca2de

SHA256
2d96cfd4c18478414cb1f79367259840567d2f2359f1c0cf895afcd825aa070c

SHA512
281f4cbc0188dbad6f1f3b37d0e7ba0f95b8f10c049f75c9d9293ac55ea7a7865cf7e00a9243ecd174f9103ef4677ff8db940e67d446bf87f0cfedc64c45bbfb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylkaotfq\CSC467586F4D75A49CD945B1781536D70C5.TMP

Filesize
652B

MD5
84d703a18aef7dc4327a0e2d97cca5f4

SHA1
2bdb581469f032e0a634e202ac536560ce823953

SHA256
e9f80e6b2dd08928049258be1282c5e9e538951b9b847f98e6b44dcc942e3f24

SHA512
67b95b05579c6c8d34c6ee7285f78227c26a7322c90aa004dc6e83e5d062a73adb4582fd8a33c849334d93c22cfd9e60a0c48263d12f82d65e00346c35bf9e48

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylkaotfq\ylkaotfq.cmdline

Filesize
302B

MD5
e11c381d19b65377c75b4cf04092aa88

SHA1
aa12c9dcfba3eb24692025aa4405691996796c1d

SHA256
c7c234fdd6e8762367c4baf6bf3ca88f9ebc76c1dd03a6edea3e360d0703e08d

SHA512
2592739269f3aacb587b2e82a4c923c1134572cf3b6f056f373b0cd394fed52f292e74fc9a0a0c2cf301e1afed811b61eceffec1346b1fb0a7288f487c1a6de6

Download Submit
memory/752-186-0x0000000000580000-0x00000000005E6000-memory.dmp

Filesize
408KB

Download
memory/872-104-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/964-235-0x0000000000580000-0x00000000005E6000-memory.dmp

Filesize
408KB

Download
memory/1412-65-0x0000000000440000-0x00000000004A6000-memory.dmp

Filesize
408KB

Download
memory/1504-308-0x0000000000450000-0x00000000004B6000-memory.dmp

Filesize
408KB

Download
memory/1600-336-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/1608-269-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/1644-148-0x00000000004D0000-0x0000000000536000-memory.dmp

Filesize
408KB

Download
memory/1712-379-0x0000000000470000-0x00000000004D6000-memory.dmp

Filesize
408KB

Download
memory/1952-1-0x00000000008D0000-0x0000000000948000-memory.dmp

Filesize
480KB

Download
memory/1952-17-0x00000000003B0000-0x0000000000416000-memory.dmp

Filesize
408KB

Download
memory/1952-19-0x0000000000530000-0x000000000055A000-memory.dmp

Filesize
168KB

Download
memory/1952-49-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1952-21-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1952-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/1952-25-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1952-7-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-405-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/2168-129-0x0000000000370000-0x00000000003D6000-memory.dmp

Filesize
408KB

Download
memory/2192-295-0x0000000000800000-0x0000000000866000-memory.dmp

Filesize
408KB

Download
memory/2208-282-0x00000000004D0000-0x0000000000536000-memory.dmp

Filesize
408KB

Download
memory/2320-167-0x0000000000500000-0x0000000000566000-memory.dmp

Filesize
408KB

Download
memory/2332-418-0x0000000001EE0000-0x0000000001F46000-memory.dmp

Filesize
408KB

Download
memory/2436-366-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/2540-42-0x0000000000430000-0x0000000000496000-memory.dmp

Filesize
408KB

Download
memory/2592-392-0x00000000005F0000-0x0000000000656000-memory.dmp

Filesize
408KB

Download
memory/2604-222-0x0000000002040000-0x00000000020A6000-memory.dmp

Filesize
408KB

Download
memory/2624-321-0x00000000002B0000-0x0000000000316000-memory.dmp

Filesize
408KB

Download
memory/2688-205-0x0000000000860000-0x00000000008C6000-memory.dmp

Filesize
408KB

Download
memory/2788-256-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/2824-353-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/2888-445-0x0000000000820000-0x0000000000886000-memory.dmp

Filesize
408KB

Download
memory/2900-85-0x0000000000A30000-0x0000000000A96000-memory.dmp

Filesize
408KB

Download
memory/2912-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2912-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2912-440-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2912-439-0x00000000013C0000-0x0000000001652000-memory.dmp

Filesize
2.6MB

Download
memory/2912-22-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download