Malware Analysis Report

2025-01-19 05:02

Sample ID: 240921-1dr8davflr
Target: f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118
SHA256: 3a7e74024c233663dc9b627117a4df291f5a413cc829b5282f090941254365ee
Tags: phoenix, collection, credential_access, discovery, keylogger, stealer
Score: 10/10

Analysis Overview

score
10/10

SHA256

3a7e74024c233663dc9b627117a4df291f5a413cc829b5282f090941254365ee

Threat Level: Known bad

The file f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

phoenix collection credential_access discovery keylogger stealer

Phoenix Keylogger payload

Phoenix Keylogger

Credentials from Password Stores: Credentials from Web Browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

AutoIT Executable

Suspicious use of SetThreadContext

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-21 21:32

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-21 21:32

Reported

2024-09-21 21:34

Platform

win7-20240708-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe"

Signatures

Phoenix Keylogger

stealer keylogger phoenix

Phoenix Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2672 set thread context of 2788 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2788 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\WerFault.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1288

Network

Country Destination Domain Proto
US 8.8.8.8:53 ifconfig.me udp
US 34.160.111.145:80 ifconfig.me tcp

Files

memory/2672-0-0x00000000000B0000-0x00000000000CF000-memory.dmp

memory/2672-1-0x0000000000110000-0x0000000000113000-memory.dmp

memory/2788-6-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2788-4-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2788-2-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2788-7-0x00000000743AE000-0x00000000743AF000-memory.dmp

memory/2788-8-0x0000000000510000-0x000000000054A000-memory.dmp

memory/2788-9-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/2672-10-0x0000000000110000-0x0000000000113000-memory.dmp

memory/2788-11-0x00000000743AE000-0x00000000743AF000-memory.dmp

memory/2788-12-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-21 21:32

Reported

2024-09-21 21:35

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe"

Signatures

Phoenix Keylogger

stealer keylogger phoenix

Phoenix Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4296 set thread context of 1492 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4752 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1436 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3724 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1912 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4448 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4412 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4776 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2184 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2872 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2724 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1552 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4832 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3480 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1868 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 704 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4608 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2488 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3728 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1584 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4232 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4436 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 992 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1320 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3180 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3500 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2960 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4352 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4788 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4820 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1664 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3484 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1488 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3036 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1756 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4244 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4368 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 872 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3408 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 1924 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2592 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 748 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 940 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 5016 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2328 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4388 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3556 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2448 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3356 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4344 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3200 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4004 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 464 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4620 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 60 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 4524 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 2064 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 set thread context of 3152 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4296 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4296 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f0a7a1ef68bf80596ec2048e4740cde2_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1492 -ip 1492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2924 -ip 2924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1912 -ip 1912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4412 -ip 4412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4776 -ip 4776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2872 -ip 2872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2724 -ip 2724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1552 -ip 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4832 -ip 4832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3480 -ip 3480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1868 -ip 1868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 704 -ip 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4608 -ip 4608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2488 -ip 2488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3728 -ip 3728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1584 -ip 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1320 -ip 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3180 -ip 3180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3500 -ip 3500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2960 -ip 2960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4788 -ip 4788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe


Network


Files
