ramnit | d421eef701a66ab0b3971de6e995c73bce58dde4b1f9ed078062d8411bc0a36d

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe
Size

179KB
MD5

2a8b5d1b104634099e0626369b4a0d73
SHA1

c94ec018ae1aa116dab97c2b7286c38f99f0f393
SHA256

d421eef701a66ab0b3971de6e995c73bce58dde4b1f9ed078062d8411bc0a36d
SHA512

1f5abedcbdbfdfd0d9d08e1d72d2fb4a73ba7310892e73861096f56ee607564624f0b18edc06c4b9993f39fae7c40599b322d26c857bf40aa2045f8f2ff18e67
SSDEEP

3072:4o1WTnBL5WBLoD/prG6QJ7Wo3fyKa58PkJypyGrc9RdXp:4wWTnB8+/prGFwo3fyC5pyGm

Score

10^/10

ramnit banker defense_evasion discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\vktkgvyh\\eqlwqyfx.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eqlwqyfx.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eqlwqyfx.exe	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
2540	vvjrvxhe.exe
1308	vvjrvxhe.exe
1720	vvjrvxhe.exe
744	vvjrvxhe.exe
1212	vvjrvxhe.exe
1956	vvjrvxhe.exe
1692	vvjrvxhe.exe
1628	vvjrvxhe.exe
2328	vvjrvxhe.exe
748	vvjrvxhe.exe
1092	vvjrvxhe.exe
316	vvjrvxhe.exe
2456	vvjrvxhe.exe
2460	vvjrvxhe.exe
1712	vvjrvxhe.exe
1708	vvjrvxhe.exe
832	vvjrvxhe.exe
604	vvjrvxhe.exe
2360	vvjrvxhe.exe
2088	vvjrvxhe.exe
1588	vvjrvxhe.exe
1992	vvjrvxhe.exe
2132	vvjrvxhe.exe
2136	vvjrvxhe.exe
3036	vvjrvxhe.exe
2636	vvjrvxhe.exe
2816	vvjrvxhe.exe
2520	vvjrvxhe.exe
668	vvjrvxhe.exe
800	vvjrvxhe.exe
1296	vvjrvxhe.exe
2000	vvjrvxhe.exe
2416	vvjrvxhe.exe
1940	vvjrvxhe.exe
1288	vvjrvxhe.exe
1148	vvjrvxhe.exe
2676	vvjrvxhe.exe
528	vvjrvxhe.exe
2680	vvjrvxhe.exe
328	vvjrvxhe.exe
896	vvjrvxhe.exe
1724	vvjrvxhe.exe
1532	vvjrvxhe.exe
1776	vvjrvxhe.exe
1712	vvjrvxhe.exe
684	vvjrvxhe.exe
2728	vvjrvxhe.exe
1480	vvjrvxhe.exe
2268	vvjrvxhe.exe
2956	vvjrvxhe.exe
1560	vvjrvxhe.exe
1700	vvjrvxhe.exe
2056	vvjrvxhe.exe
1488	vvjrvxhe.exe
2716	vvjrvxhe.exe
2628	vvjrvxhe.exe
2684	vvjrvxhe.exe
2500	vvjrvxhe.exe
2208	vvjrvxhe.exe
2564	vvjrvxhe.exe
764	vvjrvxhe.exe
2508	vvjrvxhe.exe
1680	vvjrvxhe.exe
1644	vvjrvxhe.exe

Loads dropped DLL 64 IoCs

pid	Process
1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe
1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe
2540	vvjrvxhe.exe
1308	vvjrvxhe.exe
1720	vvjrvxhe.exe
744	vvjrvxhe.exe
1212	vvjrvxhe.exe
1956	vvjrvxhe.exe
1692	vvjrvxhe.exe
1628	vvjrvxhe.exe
2328	vvjrvxhe.exe
748	vvjrvxhe.exe
1092	vvjrvxhe.exe
316	vvjrvxhe.exe
2456	vvjrvxhe.exe
2460	vvjrvxhe.exe
1712	vvjrvxhe.exe
1708	vvjrvxhe.exe
832	vvjrvxhe.exe
604	vvjrvxhe.exe
2360	vvjrvxhe.exe
2088	vvjrvxhe.exe
1588	vvjrvxhe.exe
1992	vvjrvxhe.exe
2132	vvjrvxhe.exe
2136	vvjrvxhe.exe
3036	vvjrvxhe.exe
2636	vvjrvxhe.exe
2816	vvjrvxhe.exe
2520	vvjrvxhe.exe
668	vvjrvxhe.exe
800	vvjrvxhe.exe
1296	vvjrvxhe.exe
2000	vvjrvxhe.exe
2416	vvjrvxhe.exe
1940	vvjrvxhe.exe
1288	vvjrvxhe.exe
1148	vvjrvxhe.exe
2676	vvjrvxhe.exe
528	vvjrvxhe.exe
2680	vvjrvxhe.exe
328	vvjrvxhe.exe
896	vvjrvxhe.exe
1724	vvjrvxhe.exe
1532	vvjrvxhe.exe
1776	vvjrvxhe.exe
1712	vvjrvxhe.exe
684	vvjrvxhe.exe
2728	vvjrvxhe.exe
1480	vvjrvxhe.exe
2268	vvjrvxhe.exe
2956	vvjrvxhe.exe
1560	vvjrvxhe.exe
1700	vvjrvxhe.exe
2056	vvjrvxhe.exe
1488	vvjrvxhe.exe
2716	vvjrvxhe.exe
2628	vvjrvxhe.exe
2684	vvjrvxhe.exe
2500	vvjrvxhe.exe
2208	vvjrvxhe.exe
2564	vvjrvxhe.exe
764	vvjrvxhe.exe
2508	vvjrvxhe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EqlWqyfx = "C:\\Users\\Admin\\AppData\\Local\\vktkgvyh\\eqlwqyfx.exe"	svchost.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 1376	2092	JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe	31
PID 2540 set thread context of 1308	2540	vvjrvxhe.exe	35
PID 1720 set thread context of 744	1720	vvjrvxhe.exe	37
PID 1212 set thread context of 1956	1212	vvjrvxhe.exe	39
PID 1692 set thread context of 1628	1692	vvjrvxhe.exe	41
PID 2328 set thread context of 748	2328	vvjrvxhe.exe	43
PID 1092 set thread context of 316	1092	vvjrvxhe.exe	45
PID 2456 set thread context of 2460	2456	vvjrvxhe.exe	47
PID 1712 set thread context of 1708	1712	vvjrvxhe.exe	49
PID 832 set thread context of 604	832	vvjrvxhe.exe	51
PID 2360 set thread context of 2088	2360	vvjrvxhe.exe	53
PID 1588 set thread context of 1992	1588	vvjrvxhe.exe	55
PID 2132 set thread context of 2136	2132	vvjrvxhe.exe	57
PID 3036 set thread context of 2636	3036	vvjrvxhe.exe	59
PID 2816 set thread context of 2520	2816	vvjrvxhe.exe	61
PID 668 set thread context of 800	668	vvjrvxhe.exe	63
PID 1296 set thread context of 2000	1296	vvjrvxhe.exe	65
PID 2416 set thread context of 1940	2416	vvjrvxhe.exe	67
PID 1288 set thread context of 1148	1288	vvjrvxhe.exe	69
PID 2676 set thread context of 528	2676	vvjrvxhe.exe	71
PID 2680 set thread context of 328	2680	vvjrvxhe.exe	73
PID 896 set thread context of 1724	896	vvjrvxhe.exe	75
PID 1532 set thread context of 1776	1532	vvjrvxhe.exe	77
PID 1712 set thread context of 684	1712	vvjrvxhe.exe	79
PID 2728 set thread context of 1480	2728	vvjrvxhe.exe	81
PID 2268 set thread context of 2956	2268	vvjrvxhe.exe	83
PID 1560 set thread context of 1700	1560	vvjrvxhe.exe	85
PID 2056 set thread context of 1488	2056	vvjrvxhe.exe	87
PID 2716 set thread context of 2628	2716	vvjrvxhe.exe	89
PID 2684 set thread context of 2500	2684	vvjrvxhe.exe	91
PID 2208 set thread context of 2564	2208	vvjrvxhe.exe	93
PID 764 set thread context of 2508	764	vvjrvxhe.exe	95
PID 1680 set thread context of 1644	1680	vvjrvxhe.exe	97
PID 1936 set thread context of 1328	1936	vvjrvxhe.exe	99
PID 1152 set thread context of 2844	1152	vvjrvxhe.exe	101
PID 1692 set thread context of 2120	1692	vvjrvxhe.exe	103
PID 2296 set thread context of 1084	2296	vvjrvxhe.exe	105
PID 1088 set thread context of 1616	1088	vvjrvxhe.exe	107
PID 2376 set thread context of 2184	2376	vvjrvxhe.exe	109
PID 836 set thread context of 1820	836	vvjrvxhe.exe	111
PID 2008 set thread context of 568	2008	vvjrvxhe.exe	113
PID 2264 set thread context of 872	2264	vvjrvxhe.exe	115
PID 2152 set thread context of 1996	2152	vvjrvxhe.exe	117
PID 1196 set thread context of 1800	1196	vvjrvxhe.exe	119
PID 2708 set thread context of 2804	2708	vvjrvxhe.exe	121
PID 2800 set thread context of 2772	2800	vvjrvxhe.exe	123
PID 2944 set thread context of 2560	2944	vvjrvxhe.exe	125
PID 2532 set thread context of 1904	2532	vvjrvxhe.exe	127
PID 536 set thread context of 1568	536	vvjrvxhe.exe	129
PID 2252 set thread context of 2820	2252	vvjrvxhe.exe	131
PID 2556 set thread context of 2692	2556	vvjrvxhe.exe	133
PID 2848 set thread context of 952	2848	vvjrvxhe.exe	135
PID 1140 set thread context of 1048	1140	vvjrvxhe.exe	137
PID 740 set thread context of 904	740	vvjrvxhe.exe	139
PID 1672 set thread context of 1648	1672	vvjrvxhe.exe	141
PID 1844 set thread context of 632	1844	vvjrvxhe.exe	143
PID 2144 set thread context of 964	2144	vvjrvxhe.exe	145
PID 3000 set thread context of 868	3000	vvjrvxhe.exe	147
PID 2068 set thread context of 1968	2068	vvjrvxhe.exe	149
PID 2592 set thread context of 3004	2592	vvjrvxhe.exe	151
PID 2784 set thread context of 1652	2784	vvjrvxhe.exe	153
PID 2812 set thread context of 2940	2812	vvjrvxhe.exe	155
PID 2868 set thread context of 2532	2868	vvjrvxhe.exe	157
PID 1364 set thread context of 536	1364	vvjrvxhe.exe	159

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1376-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1376-8-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1376-11-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1376-3-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1376-2-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1376-9-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1376-44-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1376-83-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1308-103-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/744-117-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1956-137-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1628-154-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/748-168-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/316-188-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1708-222-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2088-254-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2136-287-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2520-322-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2636-305-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/800-338-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1940-362-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/528-389-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1724-414-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1776-427-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1480-452-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1700-477-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1488-488-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2500-513-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1644-550-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1616-611-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1800-686-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2560-723-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/904-806-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/964-845-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1652-894-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2380-953-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2764-1016-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2188-1025-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2188-1033-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2188-1492-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2008-1511-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/776-1532-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1576-1573-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1692-1586-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2360-1881-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2188-2186-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2188-2641-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2740-2660-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2188-2832-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2188-2856-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2600-2875-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2572-2960-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/832-2993-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbgnqlig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbgnqlig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvjrvxhe.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443961304"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0B23AB1-DB03-11EF-9438-E643F72B7232} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe
Token: SeDebugPrivilege	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe
Token: SeSecurityPrivilege	1732	svchost.exe
Token: SeSecurityPrivilege	2632	svchost.exe
Token: SeDebugPrivilege	2632	svchost.exe
Token: SeSecurityPrivilege	1308	vvjrvxhe.exe
Token: SeDebugPrivilege	1308	vvjrvxhe.exe
Token: SeSecurityPrivilege	744	vvjrvxhe.exe
Token: SeDebugPrivilege	744	vvjrvxhe.exe
Token: SeSecurityPrivilege	1956	vvjrvxhe.exe
Token: SeDebugPrivilege	1956	vvjrvxhe.exe
Token: SeSecurityPrivilege	1628	vvjrvxhe.exe
Token: SeDebugPrivilege	1628	vvjrvxhe.exe
Token: SeSecurityPrivilege	748	vvjrvxhe.exe
Token: SeDebugPrivilege	748	vvjrvxhe.exe
Token: SeSecurityPrivilege	316	vvjrvxhe.exe
Token: SeDebugPrivilege	316	vvjrvxhe.exe
Token: SeSecurityPrivilege	2460	vvjrvxhe.exe
Token: SeDebugPrivilege	2460	vvjrvxhe.exe
Token: SeSecurityPrivilege	1708	vvjrvxhe.exe
Token: SeDebugPrivilege	1708	vvjrvxhe.exe
Token: SeSecurityPrivilege	604	vvjrvxhe.exe
Token: SeDebugPrivilege	604	vvjrvxhe.exe
Token: SeSecurityPrivilege	2088	vvjrvxhe.exe
Token: SeDebugPrivilege	2088	vvjrvxhe.exe
Token: SeSecurityPrivilege	1992	vvjrvxhe.exe
Token: SeDebugPrivilege	1992	vvjrvxhe.exe
Token: SeSecurityPrivilege	2136	vvjrvxhe.exe
Token: SeDebugPrivilege	2136	vvjrvxhe.exe
Token: SeSecurityPrivilege	2636	vvjrvxhe.exe
Token: SeDebugPrivilege	2636	vvjrvxhe.exe
Token: SeSecurityPrivilege	2520	vvjrvxhe.exe
Token: SeDebugPrivilege	2520	vvjrvxhe.exe
Token: SeSecurityPrivilege	800	vvjrvxhe.exe
Token: SeDebugPrivilege	800	vvjrvxhe.exe
Token: SeSecurityPrivilege	2000	vvjrvxhe.exe
Token: SeDebugPrivilege	2000	vvjrvxhe.exe
Token: SeSecurityPrivilege	1940	vvjrvxhe.exe
Token: SeDebugPrivilege	1940	vvjrvxhe.exe
Token: SeSecurityPrivilege	1148	vvjrvxhe.exe
Token: SeDebugPrivilege	1148	vvjrvxhe.exe
Token: SeSecurityPrivilege	528	vvjrvxhe.exe
Token: SeDebugPrivilege	528	vvjrvxhe.exe
Token: SeSecurityPrivilege	328	vvjrvxhe.exe
Token: SeDebugPrivilege	328	vvjrvxhe.exe
Token: SeSecurityPrivilege	1724	vvjrvxhe.exe
Token: SeDebugPrivilege	1724	vvjrvxhe.exe
Token: SeSecurityPrivilege	1776	vvjrvxhe.exe
Token: SeDebugPrivilege	1776	vvjrvxhe.exe
Token: SeSecurityPrivilege	684	vvjrvxhe.exe
Token: SeDebugPrivilege	684	vvjrvxhe.exe
Token: SeSecurityPrivilege	1480	vvjrvxhe.exe
Token: SeDebugPrivilege	1480	vvjrvxhe.exe
Token: SeSecurityPrivilege	2956	vvjrvxhe.exe
Token: SeDebugPrivilege	2956	vvjrvxhe.exe
Token: SeSecurityPrivilege	1700	vvjrvxhe.exe
Token: SeDebugPrivilege	1700	vvjrvxhe.exe
Token: SeSecurityPrivilege	1488	vvjrvxhe.exe
Token: SeDebugPrivilege	1488	vvjrvxhe.exe
Token: SeSecurityPrivilege	2628	vvjrvxhe.exe
Token: SeDebugPrivilege	2628	vvjrvxhe.exe
Token: SeSecurityPrivilege	2500	vvjrvxhe.exe
Token: SeDebugPrivilege	2500	vvjrvxhe.exe
Token: SeSecurityPrivilege	2564	vvjrvxhe.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1376	2092	JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe	31
PID 2092 wrote to memory of 1376	2092	JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe	31
PID 2092 wrote to memory of 1376	2092	JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe	31
PID 2092 wrote to memory of 1376	2092	JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe	31
PID 2092 wrote to memory of 1376	2092	JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe	31
PID 2092 wrote to memory of 1376	2092	JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe	31
PID 2092 wrote to memory of 1376	2092	JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe	31
PID 2092 wrote to memory of 1376	2092	JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe	31
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 1732	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	32
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2632	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	33
PID 1376 wrote to memory of 2540	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	34
PID 1376 wrote to memory of 2540	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	34
PID 1376 wrote to memory of 2540	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	34
PID 1376 wrote to memory of 2540	1376	jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe	34
PID 2540 wrote to memory of 1308	2540	vvjrvxhe.exe	35
PID 2540 wrote to memory of 1308	2540	vvjrvxhe.exe	35
PID 2540 wrote to memory of 1308	2540	vvjrvxhe.exe	35
PID 2540 wrote to memory of 1308	2540	vvjrvxhe.exe	35
PID 2540 wrote to memory of 1308	2540	vvjrvxhe.exe	35
PID 2540 wrote to memory of 1308	2540	vvjrvxhe.exe	35
PID 2540 wrote to memory of 1308	2540	vvjrvxhe.exe	35
PID 2540 wrote to memory of 1308	2540	vvjrvxhe.exe	35
PID 1308 wrote to memory of 1720	1308	vvjrvxhe.exe	36
PID 1308 wrote to memory of 1720	1308	vvjrvxhe.exe	36
PID 1308 wrote to memory of 1720	1308	vvjrvxhe.exe	36
PID 1308 wrote to memory of 1720	1308	vvjrvxhe.exe	36
PID 1720 wrote to memory of 744	1720	vvjrvxhe.exe	37
PID 1720 wrote to memory of 744	1720	vvjrvxhe.exe	37
PID 1720 wrote to memory of 744	1720	vvjrvxhe.exe	37
PID 1720 wrote to memory of 744	1720	vvjrvxhe.exe	37
PID 1720 wrote to memory of 744	1720	vvjrvxhe.exe	37
PID 1720 wrote to memory of 744	1720	vvjrvxhe.exe	37
PID 1720 wrote to memory of 744	1720	vvjrvxhe.exe	37
PID 1720 wrote to memory of 744	1720	vvjrvxhe.exe	37
PID 744 wrote to memory of 1212	744	vvjrvxhe.exe	38
PID 744 wrote to memory of 1212	744	vvjrvxhe.exe	38
PID 744 wrote to memory of 1212	744	vvjrvxhe.exe	38
PID 744 wrote to memory of 1212	744	vvjrvxhe.exe	38
PID 1212 wrote to memory of 1956	1212	vvjrvxhe.exe	39
PID 1212 wrote to memory of 1956	1212	vvjrvxhe.exe	39
PID 1212 wrote to memory of 1956	1212	vvjrvxhe.exe	39
PID 1212 wrote to memory of 1956	1212	vvjrvxhe.exe	39
PID 1212 wrote to memory of 1956	1212	vvjrvxhe.exe	39
PID 1212 wrote to memory of 1956	1212	vvjrvxhe.exe	39

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a8b5d1b104634099e0626369b4a0d73.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092
- \??\c:\users\admin\appdata\local\temp\jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe
  "c:\users\admin\appdata\local\temp\jaffacakes118_2a8b5d1b104634099e0626369b4a0d73.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
    "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
      "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1692
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2328
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1092
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2456
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1712
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:832
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2360
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1588
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2132
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:3036
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2816
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:668
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1296
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2416
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2676
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2680
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:896
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1712
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2728
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2268
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1560
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2716
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        59⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2684
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        61⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2208
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        63⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:764
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1680
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        66⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        68⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        69⤵
        Suspicious use of SetThreadContext
        
        PID:1152
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        70⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        71⤵
        Suspicious use of SetThreadContext
        
        PID:1692
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        72⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        73⤵
        Suspicious use of SetThreadContext
        
        PID:2296
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        74⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        75⤵
        Suspicious use of SetThreadContext
        
        PID:1088
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        77⤵
        Suspicious use of SetThreadContext
        
        PID:2376
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        78⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        79⤵
        Suspicious use of SetThreadContext
        
        PID:836
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        80⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        81⤵
        Suspicious use of SetThreadContext
        
        PID:2008
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        82⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        83⤵
        Suspicious use of SetThreadContext
        
        PID:2264
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        84⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        85⤵
        Suspicious use of SetThreadContext
        
        PID:2152
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        86⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        87⤵
        Suspicious use of SetThreadContext
        
        PID:1196
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        88⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        89⤵
        Suspicious use of SetThreadContext
        
        PID:2708
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        90⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2800
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        92⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        93⤵
        Suspicious use of SetThreadContext
        
        PID:2944
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        94⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        96⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        97⤵
        Suspicious use of SetThreadContext
        
        PID:536
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        98⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        99⤵
        Suspicious use of SetThreadContext
        
        PID:2252
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        100⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2556
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        102⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        103⤵
        Suspicious use of SetThreadContext
        
        PID:2848
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        104⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        105⤵
        Suspicious use of SetThreadContext
        
        PID:1140
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        106⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        107⤵
        Suspicious use of SetThreadContext
        
        PID:740
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        108⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        109⤵
        Suspicious use of SetThreadContext
        
        PID:1672
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        110⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        111⤵
        Suspicious use of SetThreadContext
        
        PID:1844
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        112⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        113⤵
        Suspicious use of SetThreadContext
        
        PID:2144
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        114⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        115⤵
        Suspicious use of SetThreadContext
        
        PID:3000
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        116⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        117⤵
        Suspicious use of SetThreadContext
        
        PID:2068
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        120⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        121⤵
        Suspicious use of SetThreadContext
        
        PID:2784
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        122⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        123⤵
        Suspicious use of SetThreadContext
        
        PID:2812
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        126⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        127⤵
        Suspicious use of SetThreadContext
        
        PID:1364
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        129⤵
        
        PID:2416
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        130⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        131⤵
        
        PID:1288
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        132⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        133⤵
        
        PID:2848
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        134⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        135⤵
        
        PID:1572
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        136⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        137⤵
        
        PID:1740
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        138⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        139⤵
        
        PID:1716
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        140⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        141⤵
        
        PID:2216
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        142⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        143⤵
        
        PID:2268
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        144⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        146⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
        147⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275472 /prefetch:2
        147⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:406549 /prefetch:2
        147⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275495 /prefetch:2
        147⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:668696 /prefetch:2
        147⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        145⤵
        
        PID:2712
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        146⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\jbgnqlig.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jbgnqlig.exe" elevate
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        \??\c:\users\admin\appdata\local\temp\jbgnqlig.exe
        
        "c:\users\admin\appdata\local\temp\jbgnqlig.exe"
        146⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        148⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        150⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        152⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        153⤵
        
        PID:1680
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        155⤵
        
        PID:1952
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        156⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        157⤵
        
        PID:1112
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        158⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        159⤵
        
        PID:2536
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        160⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        162⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        164⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        165⤵
        
        PID:2140
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        166⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        167⤵
        
        PID:2156
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        169⤵
        
        PID:1920
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        170⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        171⤵
        
        PID:2756
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        172⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        173⤵
        
        PID:2288
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        174⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        176⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        177⤵
        
        PID:2576
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        178⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        179⤵
        
        PID:2488
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        180⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        181⤵
        
        PID:2016
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        182⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        184⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        185⤵
        
        PID:2188
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        186⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        188⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        189⤵
        
        PID:2108
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        190⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        192⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        194⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        195⤵
        
        PID:2252
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        198⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        199⤵
        
        PID:2192
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        200⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        201⤵
        
        PID:2700
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        202⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        203⤵
        
        PID:1740
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        204⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        205⤵
        
        PID:2552
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        206⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        207⤵
        
        PID:3052
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        208⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        209⤵
        
        PID:2364
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        210⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        211⤵
        
        PID:572
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        212⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        214⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        215⤵
        
        PID:1952
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        217⤵
        
        PID:2656
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        218⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        220⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        221⤵
        
        PID:2712
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        222⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        223⤵
        
        PID:1612
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        224⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        225⤵
        
        PID:996
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        226⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        227⤵
        
        PID:1588
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        228⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        229⤵
        
        PID:2760
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        230⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        231⤵
        
        PID:2936
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        233⤵
        
        PID:1952
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        234⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        236⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        238⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        239⤵
        
        PID:1032
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        240⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        241⤵
        
        PID:2140
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        242⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        243⤵
        
        PID:2408
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        244⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        245⤵
        
        PID:2756
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        246⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        249⤵
        
        PID:1276
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        250⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        251⤵
        
        PID:1288
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        252⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        253⤵
        
        PID:2536
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        254⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        256⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        257⤵
        
        PID:2452
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        258⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        259⤵
        
        PID:3028
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        259⤵
        
        PID:2268
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        260⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        259⤵
        
        PID:1364
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        259⤵
        
        PID:2288
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        260⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\jbgnqlig.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jbgnqlig.exe" elevate
        259⤵
        
        PID:624
        
        \??\c:\users\admin\appdata\local\temp\jbgnqlig.exe
        
        "c:\users\admin\appdata\local\temp\jbgnqlig.exe"
        260⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        261⤵
        
        PID:448
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        262⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        263⤵
        
        PID:2860
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        264⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        265⤵
        
        PID:2372
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        267⤵
        
        PID:2572
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        269⤵
        
        PID:2392
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        271⤵
        
        PID:2044
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        272⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        274⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        275⤵
        
        PID:2652
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        276⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        277⤵
        
        PID:1476
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        278⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        281⤵
        
        PID:2948
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        282⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        283⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        284⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        285⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        286⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        287⤵
        
        PID:2720
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        289⤵
        
        PID:2540
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        289⤵
        
        PID:2712
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        290⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        289⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        290⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\jbgnqlig.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jbgnqlig.exe" elevate
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        \??\c:\users\admin\appdata\local\temp\jbgnqlig.exe
        
        "c:\users\admin\appdata\local\temp\jbgnqlig.exe"
        290⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        291⤵
        
        PID:2452
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        292⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        293⤵
        
        PID:1656
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        294⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        295⤵
        
        PID:2800
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        296⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        298⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        299⤵
        
        PID:892
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        300⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        301⤵
        
        PID:1804
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        302⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        303⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        304⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        305⤵
        
        PID:2264
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        306⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        307⤵
        
        PID:764
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        308⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        309⤵
        
        PID:1756
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        310⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        312⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        313⤵
        
        PID:2320
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        314⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        315⤵
        
        PID:1240
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        316⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vvjrvxhe.exe" elevate
        317⤵
        
        PID:920
        
        \??\c:\users\admin\appdata\local\temp\vvjrvxhe.exe
        
        "c:\users\admin\appdata\local\temp\vvjrvxhe.exe"
        318⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        319⤵
        
        PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d210fc46991cc32c70925d13410c775

SHA1
82318deb2fa0ec01d80c9074009c9589c1c7589e

SHA256
86667a03231bd68a54a7359eb48d93826ede41c8f7fcc01f187fdf53fab924a5

SHA512
b03417d8b40151a3223f63277f9c99cf1820471c5cf9964268407cf8f93fa31dee3f35ff34909372a023976841f4831dc5138368100e9e1be556994100305cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
209e2f8b6870f00ad7e833108b3e21a2

SHA1
41541cd1e8fad842d54ba0988045b80352ec0c26

SHA256
447c226e2cd058c462ef1e92dadc7fefbf38fb86c0e09bbb82b729848584a09f

SHA512
5ff1c1348e155cf91d0932fa810ae0be9a6d6c833e407aa5450d3049834e7cfd304f2e8534af58018cd32d052607d97bf2ef1dc6a0808241a829d8de9af0c7a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e15008e90f509583160075361626cf2

SHA1
2cd66cb77cc56d8a4f63ad2ecac24a856646abc1

SHA256
e9b002219dac6fc29984a250ff7c6e02a0816fbca3cfde4e551fc8d53dbf6d86

SHA512
2d3461b2d1fffc29002bad5dc3918c698b3011daa22388256dd4ad4f44c54631704bcb8f647918e33f1ee9f1978bf4ded79d3e36330455a5ab8be6b37a2ae6a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcce934c5d4062f0f0eb2fab2c40106b

SHA1
741ed536d4f809f6e4bb7f31e65134e616a1e983

SHA256
4319519c7e60ce1873a7b2cba96c70bf9e397cd4f3853310c0199ccf7c37394d

SHA512
bacbeea40782f5c344094b35ad73ceabe057111cf67ecd31619bd50ea1e7039467848623481bad3cba1e5c7935369d9fa7d71a597f20e153e05f1359c038b33d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ae4f0c23ec2ba058aa6bb59f883d092

SHA1
ef326f9a8905b203de4188e8d636e60dc29ae861

SHA256
0480862ad1646244f0df8f4d6f6148e422fe25e3619f7ae53f724522c6250b32

SHA512
5b41432e505ee43bb553b08547c47ad11e8cdca8fd71738353c6aed40315ee3f619134fb21016fe439759528d65a5d8c7a914397a5d14fe4704d1392938a0c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8fc3682f780e1f52242a987e7bcdd14

SHA1
18c92e224eee689ccc1f976117d42dcf6d4e5410

SHA256
cb239b99450428b74fcef0c424e63c965a4ba142cc359cdd9c498c95d470c974

SHA512
5cfd2f8dd2e7276712eaf1a2acd199fb7caae74a8dbf5f761a93805969bbdcd1aab303e8f99aa91b9ac0acb8858292e6a786d9e75c73834df01118733705e3c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9226e9f472a1b6432a46ae468a8cc974

SHA1
fe9b371df5ed2f226041c58cc097cee41dcb8e8f

SHA256
f6ae41d07f1621e0e06f6b0661b30211d13b55a494c21caa358988238018db04

SHA512
8b7dbc3caa36ecc2466c61ba6071a50b8dc3b4a8470ba15697006561fd45a30fe07469b7a0034c98f04b57a7e5b364451972aba3bff36946e1993f3fa7625abc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
644dfe750f50c5a3c72ab0579f360ad5

SHA1
b4a2390c2b0c2a6281e0f0cdb93472f0c301d978

SHA256
ac306ac46d4cb65b88152f761b724ebccc580db62c07905b2001d6bc476201a2

SHA512
de109c8b622f435d5e6e0202b60702f8152ddd364897676f477d9107a9121b8e7e0b2575eef0561c29f61db2f5946dfa390afc5b6bd5cbaabd32f9a3501b2480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38f9e41ccd2f5df6daf685f792ad551a

SHA1
b33df6d4dd3d9c291cb806422f1bcac693a5b328

SHA256
c4785aee64f34644370818b7f30be1853861e243b6fdbbdadbf8bc2e7942c925

SHA512
8db84d44ef05c572b8a27f0ca636de101ff0e93775824aa5dd219844078020fb7a19e7eacf8f3ba351babd4f1e7893b2a25983303cf8756cc41e532e69304d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf45ef1204eeb7d010788cb8dc8327ce

SHA1
b34caba3efb4d49f08cf8ce98504911409644462

SHA256
9175c82f0a3bbb54de57dbf1c0c2fa462072dbb1bd501757c95402a31a0d7dcb

SHA512
17f80f5643b230e2a0cf19acd49c99233a4fe89e8c0279071ace1881bc198a7812ce592cae1326414847bbdeee3636f8a873e1dd79e94e46d045280b04254027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bff2835a9a19b9afe6b661fbdaeff0d2

SHA1
9d55a5a17f2f4d9ccf17d6d582601fdf2fe849c1

SHA256
239c91524b7495b24a48848d82b94d0a486fd1192b73fff7337216bd4deacd24

SHA512
fd57e0af3963c09f7df22930124f5d030f2295d27dec643f8e833144a0182b72a751b046daeb008f17aa81e232a714b7fff83a352f44119912b58aed0e99df43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df5504f6bf1964df4c29e0acbbb60fd2

SHA1
2413b8e2e18bb40e5848133e3ce499a9f8dce732

SHA256
77b255e2fd93e7d16dafe6c71625db518799611e20bbca4812141f948ecd8d55

SHA512
5a06d2f86ba3ac9c03a376521d57068921af84f19355a38d935885f580dad7ab6f22390757e0646049f67f2556024cb79af5bc36095c872cdf63c782994b619e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a79b69407678fde034784207739db997

SHA1
32f52b0c6522f86bdad1cd8cc059b463b9d7863e

SHA256
6b1056da16e8ee778398140b6f00d2e2435c6e82c5e87df934cf03d3efb3c089

SHA512
dc5ec4d0b7e7e476ae6a3f5bf5fbf8288d53f88154809a1e3ad5dd2bb9a9a4cc347a39c372dccef99b36c14472e5e06d9646855a4b18ae3b69982fdafbeeb1e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e1ecdc7ff9fd7b47e544bf88267fc57

SHA1
14abb1b879ed8e745c291d8081b2e5a26707b4f9

SHA256
e4639ed160d5c803b07c0828c5b74ac51edb3dae7bda639325285a9af15c31fb

SHA512
994b4eabf89452d984669d232ee26ff0ca8e6ee08f93849b45a310b4be43dfcce57a0b1901e402597519535abca0b0f4a224899a0e5ede0a9f78010167127ec0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17553ebe239f88ed2dbfb84d22e12e14

SHA1
e296abe5d88f141e61ac434e04cf2feb5482f97e

SHA256
2ff8da6d490a2037662a01db3dee9438577ba5f1a9c8f2215c786446d471848f

SHA512
b658f10b6aa4286569048967df6c41493d79ea6e880fe7890d3858d0af6dec5d1d73a558a4fae76f40232fce36055fe117512c282d93c46ad4a943fc14baeca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd7cde6745279dd7736210c997882d15

SHA1
ccdeef76192fa0cd6ffe0b4638b3009b44a72223

SHA256
479d7fe40dcde66159a61be03ef311d8065420c801cb0d9205516fbab5d185e9

SHA512
e5fd7e47952ec1d2cf322163ebb2dbac31bc92cb683302c124f4c5baeced293d24c392703e131f029a8353c1da01925d33d32cd3ccff354076649a828e1d90ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6904f83af752273efaf9281007e1d1b2

SHA1
0c3e3b639e4332831d450ce993e1fb0f9107ea7f

SHA256
126cd2fc0d256288f58902e2405c27d7823a3399a21d76f4ce5e4616aa6323b5

SHA512
93f80c2cea64449aca70a20156e9844a4a3f6045f8ece81dca3ee3c1a3db353584f0c5caa6b915c7b93069cdf6daea5af679b17e0e55dbe3501e4681a28b7309

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15d12b724ed99d21cafdc8f6e72da9be

SHA1
88ae48d520355459f038323b7784b94a0d0c93a4

SHA256
2262dd9fdd10255bfa59ec19201bb52db06360888a43995ec54a08a27cd6b712

SHA512
ca3646f3fe93597e542c02046c1c0a6c2c5120a4fc3ed5e729b83484ac1186a1aa04648edca26b95e94ec153799d696b2f1bb92029843e64b8fc7668fe7ac79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5977.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar59E9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\vktkgvyh\eqlwqyfx.exe

Filesize
179KB

MD5
2a8b5d1b104634099e0626369b4a0d73

SHA1
c94ec018ae1aa116dab97c2b7286c38f99f0f393

SHA256
d421eef701a66ab0b3971de6e995c73bce58dde4b1f9ed078062d8411bc0a36d

SHA512
1f5abedcbdbfdfd0d9d08e1d72d2fb4a73ba7310892e73861096f56ee607564624f0b18edc06c4b9993f39fae7c40599b322d26c857bf40aa2045f8f2ff18e67

Download Submit
memory/316-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/528-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/744-117-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/776-1532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/800-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/832-2993-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-806-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/964-845-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1308-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-23-0x0000000077E40000-0x0000000077E41000-memory.dmp

Filesize
4KB

Download
memory/1376-22-0x0000000077E3F000-0x0000000077E40000-memory.dmp

Filesize
4KB

Download
memory/1376-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-13-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1376-14-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1376-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1376-34-0x0000000077E40000-0x0000000077E41000-memory.dmp

Filesize
4KB

Download
memory/1376-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1488-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1576-1573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-611-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-894-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-1586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1700-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1708-222-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1732-30-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1732-24-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1732-25-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1732-16-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1732-26-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1732-32-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1732-33-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1732-18-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1732-31-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1776-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1800-686-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-1511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-1025-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-2641-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-2856-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-2832-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-1492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-1033-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-2186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-1881-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-953-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-723-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-2960-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-2875-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-45-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2632-62-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2632-55-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2632-56-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2632-64-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2632-38-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2636-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-2660-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-1016-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download