hawkeye_reborn | 088065e6c2fc3b413563bc44b0626a13ad9e32a330ae958dd24141862c3c90de

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28-08-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Size

798KB
MD5

c7848797c3eb098eb5e6430baf4a26e1
SHA1

0c954e2e62839957e9746dae3438eb4aed1fe5b8
SHA256

088065e6c2fc3b413563bc44b0626a13ad9e32a330ae958dd24141862c3c90de
SHA512

7bc7071d52dd3ec1cfc9f5b4642110c8605f6eddbc22a669cc69ba33be86cf3ea991db231617f5fb3e23fd3cc3020cc01a1bb9becef49bc79dc028df7f9371de
SSDEEP

12288:t0fHs2Sdapyyfx+pO0XD8kx13h0eg6+4iXBj0cPjZgcaOJknl2:ZXapZJ+nXDN6er3MBj0cjk

Score

10^/10

hawkeye_reborn m00nd3v_logger collection credential_access discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: smtp
Host:
mail.bigmanstan.com
Port:
587
Username:
[email protected]
Password:
khalifa@2020

Mutex

c4ceaee6-98e6-414f-92f0-272fe7bd057c

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:khalifa@2020 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bigmanstan.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:c4ceaee6-98e6-414f-92f0-272fe7bd057c _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

M00nD3v Logger payload 3 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/2336-4-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2336-8-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2336-7-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 2336	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	32
PID 2848 set thread context of 2748	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	38
PID 3008 set thread context of 2736	3008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	44
PID 2528 set thread context of 560	2528	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	52
PID 1096 set thread context of 592	1096	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	57
PID 376 set thread context of 2000	376	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	62
PID 3004 set thread context of 2432	3004	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	67
PID 2664 set thread context of 636	2664	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	76
PID 1008 set thread context of 1572	1008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	82
PID 2552 set thread context of 568	2552	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	88
PID 1956 set thread context of 2624	1956	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	93
PID 1168 set thread context of 2740	1168	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	99
PID 2668 set thread context of 2008	2668	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	104
PID 588 set thread context of 724	588	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	109
PID 2112 set thread context of 1532	2112	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	114
PID 2256 set thread context of 1848	2256	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	123
PID 2012 set thread context of 2920	2012	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	128
PID 2292 set thread context of 2104	2292	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	138
PID 2612 set thread context of 1112	2612	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	143
PID 2936 set thread context of 2284	2936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	149
PID 3040 set thread context of 820	3040	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	155
PID 2352 set thread context of 924	2352	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	162
PID 936 set thread context of 1168	936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	167
PID 3120 set thread context of 3196	3120	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	172
PID 3280 set thread context of 3392	3280	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	179
PID 3476 set thread context of 3564	3476	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	184
PID 3648 set thread context of 3776	3648	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	194
PID 3884 set thread context of 3964	3884	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	199
PID 4076 set thread context of 3172	4076	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	206
PID 3176 set thread context of 628	3176	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	211
PID 3380 set thread context of 3244	3380	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	217
PID 3484 set thread context of 3476	3484	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	226
PID 3652 set thread context of 1632	3652	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	231
PID 3584 set thread context of 400	3584	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	238
PID 3956 set thread context of 3364	3956	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	243
PID 3280 set thread context of 3436	3280	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	250
PID 1288 set thread context of 564	1288	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	256
PID 3116 set thread context of 3308	3116	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	262
PID 3880 set thread context of 1340	3880	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	267
PID 4160 set thread context of 4272	4160	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	274
PID 4376 set thread context of 4456	4376	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	279
PID 4552 set thread context of 4628	4552	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	284
PID 4736 set thread context of 4816	4736	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	289
PID 4928 set thread context of 5020	4928	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	295
PID 3444 set thread context of 3888	3444	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	301
PID 4412 set thread context of 4048	4412	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	306
PID 4636 set thread context of 4308	4636	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	313
PID 4964 set thread context of 4564	4964	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	318
PID 2552 set thread context of 4368	2552	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	323
PID 4940 set thread context of 5064	4940	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	329
PID 3432 set thread context of 4740	3432	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	339
PID 4732 set thread context of 4540	4732	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	345
PID 4544 set thread context of 4588	4544	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	350
PID 4936 set thread context of 876	4936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	355
PID 4512 set thread context of 3204	4512	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	360
PID 2612 set thread context of 4320	2612	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	365
PID 5160 set thread context of 5240	5160	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	370
PID 5340 set thread context of 5420	5340	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	375
PID 5508 set thread context of 5588	5508	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	380
PID 5700 set thread context of 5776	5700	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	385
PID 5876 set thread context of 5976	5876	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	391
PID 6084 set thread context of 4384	6084	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	397
PID 4372 set thread context of 5316	4372	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	402
PID 4592 set thread context of 5608	4592	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	408

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2528	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2528	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2528	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2528	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1096	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
376	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3004	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2664	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2664	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2664	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2664	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2664	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2552	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1956	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1168	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1168	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2668	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
588	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2112	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2256	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2256	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2256	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2256	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2256	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2012	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2292	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2292	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2292	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2292	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2292	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2292	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2612	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3040	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3040	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2352	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2352	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2352	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3120	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3280	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3280	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3280	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3476	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3648	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3648	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3648	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3648	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3648	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3648	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3884	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
4076	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
4076	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
4076	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3176	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe

Suspicious behavior: SetClipboardViewer 64 IoCs

pid	Process
2748	RegAsm.exe
2736	RegAsm.exe
560	RegAsm.exe
592	RegAsm.exe
2000	RegAsm.exe
2432	RegAsm.exe
636	RegAsm.exe
1572	RegAsm.exe
568	RegAsm.exe
2624	RegAsm.exe
2740	RegAsm.exe
2008	RegAsm.exe
724	RegAsm.exe
1532	RegAsm.exe
1848	RegAsm.exe
2920	RegAsm.exe
2104	RegAsm.exe
1112	RegAsm.exe
2284	RegAsm.exe
820	RegAsm.exe
924	RegAsm.exe
1168	RegAsm.exe
3196	RegAsm.exe
3392	RegAsm.exe
3564	RegAsm.exe
3776	RegAsm.exe
3964	RegAsm.exe
3172	RegAsm.exe
628	RegAsm.exe
3244	RegAsm.exe
3476	RegAsm.exe
1632	RegAsm.exe
400	RegAsm.exe
3364	RegAsm.exe
3436	RegAsm.exe
564	RegAsm.exe
3308	RegAsm.exe
1340	RegAsm.exe
4272	RegAsm.exe
4456	RegAsm.exe
4628	RegAsm.exe
4816	RegAsm.exe
5020	RegAsm.exe
3888	RegAsm.exe
4048	RegAsm.exe
4308	RegAsm.exe
4564	RegAsm.exe
4368	RegAsm.exe
5064	RegAsm.exe
4740	RegAsm.exe
4540	RegAsm.exe
4588	RegAsm.exe
876	RegAsm.exe
3204	RegAsm.exe
4320	RegAsm.exe
5240	RegAsm.exe
5420	RegAsm.exe
5588	RegAsm.exe
5776	RegAsm.exe
5976	RegAsm.exe
4384	RegAsm.exe
5316	RegAsm.exe
5608	RegAsm.exe
5924	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2528	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1096	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	376	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3004	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2664	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2336	RegAsm.exe
Token: SeDebugPrivilege	2552	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2748	RegAsm.exe
Token: SeDebugPrivilege	1956	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2736	RegAsm.exe
Token: SeDebugPrivilege	1168	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	560	RegAsm.exe
Token: SeDebugPrivilege	2668	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	592	RegAsm.exe
Token: SeDebugPrivilege	588	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2000	RegAsm.exe
Token: SeDebugPrivilege	2112	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2432	RegAsm.exe
Token: SeDebugPrivilege	2256	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	636	RegAsm.exe
Token: SeDebugPrivilege	2012	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1572	RegAsm.exe
Token: SeDebugPrivilege	2292	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	568	RegAsm.exe
Token: SeDebugPrivilege	2612	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2624	RegAsm.exe
Token: SeDebugPrivilege	2936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2740	RegAsm.exe
Token: SeDebugPrivilege	3040	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2008	RegAsm.exe
Token: SeDebugPrivilege	2352	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	724	RegAsm.exe
Token: SeDebugPrivilege	936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1532	RegAsm.exe
Token: SeDebugPrivilege	3120	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1848	RegAsm.exe
Token: SeDebugPrivilege	3280	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2920	RegAsm.exe
Token: SeDebugPrivilege	3476	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2104	RegAsm.exe
Token: SeDebugPrivilege	3648	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1112	RegAsm.exe
Token: SeDebugPrivilege	3884	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2284	RegAsm.exe
Token: SeDebugPrivilege	4076	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	820	RegAsm.exe
Token: SeDebugPrivilege	3176	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	924	RegAsm.exe
Token: SeDebugPrivilege	3380	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	RegAsm.exe
Token: SeDebugPrivilege	3484	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3196	RegAsm.exe
Token: SeDebugPrivilege	3652	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3392	RegAsm.exe
Token: SeDebugPrivilege	3584	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3564	RegAsm.exe
Token: SeDebugPrivilege	3956	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3776	RegAsm.exe
Token: SeDebugPrivilege	3280	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3964	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2256	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2256	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2256	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2256	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2256	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2256	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2256	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2912	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2912	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2912	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2912	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2912	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2912	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2912	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2336	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	32
PID 2136 wrote to memory of 2336	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	32
PID 2136 wrote to memory of 2336	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	32
PID 2136 wrote to memory of 2336	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	32
PID 2136 wrote to memory of 2336	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	32
PID 2136 wrote to memory of 2336	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	32
PID 2136 wrote to memory of 2336	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	32
PID 2136 wrote to memory of 2336	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	32
PID 2136 wrote to memory of 1840	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	33
PID 2136 wrote to memory of 1840	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	33
PID 2136 wrote to memory of 1840	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	33
PID 2136 wrote to memory of 1840	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	33
PID 1840 wrote to memory of 2160	1840	cmd.exe	35
PID 1840 wrote to memory of 2160	1840	cmd.exe	35
PID 1840 wrote to memory of 2160	1840	cmd.exe	35
PID 1840 wrote to memory of 2160	1840	cmd.exe	35
PID 2136 wrote to memory of 2848	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	36
PID 2136 wrote to memory of 2848	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	36
PID 2136 wrote to memory of 2848	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	36
PID 2136 wrote to memory of 2848	2136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	36
PID 2848 wrote to memory of 2780	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	37
PID 2848 wrote to memory of 2780	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	37
PID 2848 wrote to memory of 2780	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	37
PID 2848 wrote to memory of 2780	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	37
PID 2848 wrote to memory of 2780	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	37
PID 2848 wrote to memory of 2780	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	37
PID 2848 wrote to memory of 2780	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	37
PID 2848 wrote to memory of 2748	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	38
PID 2848 wrote to memory of 2748	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	38
PID 2848 wrote to memory of 2748	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	38
PID 2848 wrote to memory of 2748	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	38
PID 2848 wrote to memory of 2748	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	38
PID 2848 wrote to memory of 2748	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	38
PID 2848 wrote to memory of 2748	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	38
PID 2848 wrote to memory of 2748	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	38
PID 2848 wrote to memory of 3028	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	39
PID 2848 wrote to memory of 3028	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	39
PID 2848 wrote to memory of 3028	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	39
PID 2848 wrote to memory of 3028	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	39
PID 2848 wrote to memory of 3008	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	41
PID 2848 wrote to memory of 3008	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	41
PID 2848 wrote to memory of 3008	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	41
PID 2848 wrote to memory of 3008	2848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	41
PID 3028 wrote to memory of 2788	3028	cmd.exe	42
PID 3028 wrote to memory of 2788	3028	cmd.exe	42
PID 3028 wrote to memory of 2788	3028	cmd.exe	42
PID 3028 wrote to memory of 2788	3028	cmd.exe	42
PID 3008 wrote to memory of 2792	3008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	43
PID 3008 wrote to memory of 2792	3008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	43
PID 3008 wrote to memory of 2792	3008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	43

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2160
- C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2788
- - C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
      4⤵
      PID:2668
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2528
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:688
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:784
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        5⤵
        
        PID:2920
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:968
    - - C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        6⤵
        
        PID:776
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:1060
      - C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        7⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        8⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:1112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:3060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        9⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        10⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        11⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        12⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        12⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        13⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        14⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        15⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        16⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        16⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        17⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:1148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:1804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:1008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        17⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        18⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        18⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        19⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:1964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:1444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:2340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        19⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        20⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        20⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        21⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        20⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        21⤵
        
        PID:588
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        22⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:1700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        22⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        23⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        23⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        24⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        24⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        25⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        26⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:3376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:3384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        26⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        27⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        27⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        27⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        28⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        29⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        30⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:3116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        30⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        31⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        31⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:3308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        33⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        32⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:3772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:3504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:3496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        33⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        34⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        33⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        34⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        35⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:4080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:1588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        35⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        36⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        35⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        36⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        37⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:3936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        37⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        38⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        37⤵
        Suspicious use of SetThreadContext
        
        PID:1288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:3880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        38⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        39⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        38⤵
        Suspicious use of SetThreadContext
        
        PID:3116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        39⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        40⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        39⤵
        Suspicious use of SetThreadContext
        
        PID:3880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        40⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        41⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        40⤵
        Suspicious use of SetThreadContext
        
        PID:4160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:4256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:4264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        41⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        42⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        41⤵
        Suspicious use of SetThreadContext
        
        PID:4376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        42⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        43⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        42⤵
        Suspicious use of SetThreadContext
        
        PID:4552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        43⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        44⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        43⤵
        Suspicious use of SetThreadContext
        
        PID:4736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        44⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        44⤵
        Suspicious use of SetThreadContext
        
        PID:4928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:5012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        45⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        46⤵
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        45⤵
        Suspicious use of SetThreadContext
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:3580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        46⤵
        
        PID:484
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        47⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        46⤵
        Suspicious use of SetThreadContext
        
        PID:4412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        47⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        48⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        47⤵
        Suspicious use of SetThreadContext
        
        PID:4636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:4728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:4360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        48⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        49⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        48⤵
        Suspicious use of SetThreadContext
        
        PID:4964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        50⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        49⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        50⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        51⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        50⤵
        Suspicious use of SetThreadContext
        
        PID:4940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:5084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        51⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        52⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        51⤵
        Suspicious use of SetThreadContext
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:4424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:4604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:4412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:4752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:4680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        52⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        53⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        52⤵
        Suspicious use of SetThreadContext
        
        PID:4732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:4532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        53⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        54⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        53⤵
        Suspicious use of SetThreadContext
        
        PID:4544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        54⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        55⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        54⤵
        Suspicious use of SetThreadContext
        
        PID:4936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        55⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        56⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        55⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        56⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        57⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        56⤵
        Suspicious use of SetThreadContext
        
        PID:2612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        57⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        58⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        57⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        59⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        58⤵
        Suspicious use of SetThreadContext
        
        PID:5340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        59⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        60⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        59⤵
        Suspicious use of SetThreadContext
        
        PID:5508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        60⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        61⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        60⤵
        Suspicious use of SetThreadContext
        
        PID:5700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        61⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        62⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        61⤵
        Suspicious use of SetThreadContext
        
        PID:5876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:5968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        62⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        63⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        62⤵
        Suspicious use of SetThreadContext
        
        PID:6084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:4968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        63⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        64⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:4372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        64⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        65⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:4592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:5416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        66⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        65⤵
        
        PID:5292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        67⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        66⤵
        
        PID:5620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:1608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:5212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        Accesses Microsoft Outlook profiles
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        67⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        68⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        67⤵
        
        PID:5840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        68⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        69⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        68⤵
        
        PID:5736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        69⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        70⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        69⤵
        
        PID:3332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        Accesses Microsoft Outlook profiles
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        71⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        70⤵
        
        PID:3500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        72⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        71⤵
        
        PID:5688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:5308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        72⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        73⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        72⤵
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        Accesses Microsoft Outlook profiles
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        73⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        73⤵
        
        PID:4600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        74⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        75⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        74⤵
        
        PID:5796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        75⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        76⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        75⤵
        
        PID:6184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:6256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:6264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        76⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        77⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        76⤵
        
        PID:6400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        77⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        78⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        77⤵
        
        PID:6588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        78⤵
        Accesses Microsoft Outlook profiles
        
        PID:6636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        79⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        78⤵
        
        PID:6740
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        
        PID:6820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        79⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        80⤵
        
        PID:6904
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        79⤵
        
        PID:6936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:7016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:7024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        80⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        81⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        80⤵
        
        PID:7120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        81⤵
        Accesses Microsoft Outlook profiles
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        81⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        82⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        81⤵
        
        PID:1256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:5216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        82⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        83⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        82⤵
        
        PID:5812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        83⤵
        Accesses Microsoft Outlook profiles
        
        PID:6340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        84⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        Accesses Microsoft Outlook profiles
        
        PID:7040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:6660
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        85⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        84⤵
        
        PID:5828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        85⤵
        
        PID:6924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        85⤵
        Accesses Microsoft Outlook profiles
        
        PID:6744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:6900
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        86⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:7084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        87⤵
        
        PID:6800
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        86⤵
        
        PID:6280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        87⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        88⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        87⤵
        
        PID:5812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        Accesses Microsoft Outlook profiles
        
        PID:6880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        88⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        89⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        88⤵
        
        PID:5552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:5860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        Accesses Microsoft Outlook profiles
        
        PID:6692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        89⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        90⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        89⤵
        
        PID:6596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        Accesses Microsoft Outlook profiles
        
        PID:6800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        90⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        91⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        90⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        91⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        91⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        92⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        91⤵
        
        PID:4380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        92⤵
        
        PID:6132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        92⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        92⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        93⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        92⤵
        
        PID:7236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:7300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        93⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        94⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        93⤵
        
        PID:7424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:7492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:7500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        Accesses Microsoft Outlook profiles
        
        PID:7508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        94⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        94⤵
        
        PID:7616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        95⤵
        Accesses Microsoft Outlook profiles
        
        PID:7700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        95⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        96⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        95⤵
        
        PID:7808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        96⤵
        
        PID:7888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:7896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        96⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        97⤵
        
        PID:7996
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        96⤵
        
        PID:7988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        97⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        97⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        98⤵
        
        PID:8188
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:7024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:7016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        98⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        99⤵
        
        PID:7408
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        98⤵
        
        PID:7164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        99⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        100⤵
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:7504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:7860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        
        PID:7856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:7904
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        101⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        100⤵
        
        PID:7592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:7628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        101⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        102⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:7404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        Accesses Microsoft Outlook profiles
        
        PID:8024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        102⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        103⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        102⤵
        
        PID:7308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        103⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        104⤵
        
        PID:7468
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        103⤵
        
        PID:3620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:7732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:5204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:6580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:5180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        Accesses Microsoft Outlook profiles
        
        PID:7860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        104⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        104⤵
        
        PID:6780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:7452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:7912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:7908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        105⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        106⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        105⤵
        
        PID:7412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        106⤵
        
        PID:7504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        106⤵
        Accesses Microsoft Outlook profiles
        
        PID:7476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        106⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        107⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        106⤵
        
        PID:6164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        107⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        108⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        107⤵
        
        PID:7604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:7808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:2704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:6980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:7568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        108⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:8256
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:8288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:8316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:8324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:8332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        109⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:8440
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:8476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        110⤵
        
        PID:8536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        110⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        110⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        111⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        110⤵
        
        PID:8672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        111⤵
        
        PID:8756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        111⤵
        
        PID:8764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        111⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        111⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        112⤵
        
        PID:8868
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        111⤵
        
        PID:8888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        112⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        112⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        113⤵
        
        PID:9064
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        112⤵
        
        PID:9084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        Accesses Microsoft Outlook profiles
        outlook_office_path
        outlook_win_path
        
        PID:9160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        113⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        114⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:7996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:8348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        114⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        114⤵
        
        PID:8472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        115⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        116⤵
        
        PID:8216
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        115⤵
        
        PID:8660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        116⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        116⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        117⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        116⤵
        
        PID:8996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        117⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        117⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        118⤵
        
        PID:8836
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:8856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:6648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        118⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        119⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        118⤵
        
        PID:6840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        119⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        119⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        120⤵
        
        PID:8884
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        119⤵
        
        PID:6700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        120⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:8220
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        120⤵
        
        PID:7660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        121⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        122⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        121⤵
        
        PID:8996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2136-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x00000000000E0000-0x00000000001AE000-memory.dmp

Filesize
824KB

Download
memory/2136-2-0x0000000002060000-0x00000000020F8000-memory.dmp

Filesize
608KB

Download
memory/2136-9-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2136-14-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-4-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2336-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2336-7-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2336-10-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download