formbook | 9061caadfa15767ca0cd66ce193a074f003948acc0502400ce75c73086c2f49a

Analysis

max time kernel
36s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-08-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Size

281KB
MD5

c7a30945ff76cf5e44be926589ad132a
SHA1

370fe0640a5ad3fbd6d43a191a54c5b216e26f85
SHA256

9061caadfa15767ca0cd66ce193a074f003948acc0502400ce75c73086c2f49a
SHA512

0103b151860ac485da1d07439afefe3062fc9b8ca58111817fe584340adbe73bcfae648125719bc729586c19b9df0390738e600594b389f5971b9625913befb8
SSDEEP

6144:93oZd7FqsBHxguKD/EczgmtRNuB2kZhYOvx7Lcr8+hE:93oZLqMHxw/1gmtnucaYcdwh

Score

10^/10

formbook kg50 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

kg50

Decoy

customlasercutter.com

greenworldnursery.net

baltess.com

tanabatahotel.com

pinfang168.com

vakunda.com

gravityassistmaneuver.com

diyuntong.com

brnthz.info

carclubmail.com

gnkye.info

bfclady.com

starboard-realtty.com

guenstig-potenzdoktor.win

qc746g.biz

aplfinder.com

self-serviceshop.com

contenderwrestlingclub.com

jess-tures.com

themorningchannel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2376-5-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2376-52-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 2376	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	30
PID 2376 set thread context of 1204	2376	RegAsm.exe	21
PID 1248 set thread context of 2184	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	34
PID 2184 set thread context of 1204	2184	RegAsm.exe	21
PID 2816 set thread context of 2796	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	38
PID 2796 set thread context of 1204	2796	RegAsm.exe	21
PID 2784 set thread context of 2704	2784	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	41
PID 2704 set thread context of 1204	2704	RegAsm.exe	21
PID 2584 set thread context of 2640	2584	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	44
PID 2640 set thread context of 1204	2640	RegAsm.exe	21
PID 2652 set thread context of 2128	2652	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	48
PID 2128 set thread context of 1204	2128	RegAsm.exe	21
PID 2864 set thread context of 2976	2864	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	51
PID 536 set thread context of 1556	536	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	56
PID 2976 set thread context of 1204	2976	RegAsm.exe	21
PID 1556 set thread context of 1204	1556	RegAsm.exe	21
PID 1824 set thread context of 2068	1824	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	59
PID 2068 set thread context of 1204	2068	RegAsm.exe	21
PID 2296 set thread context of 1268	2296	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	62
PID 1268 set thread context of 1204	1268	RegAsm.exe	21
PID 1812 set thread context of 908	1812	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	65
PID 2772 set thread context of 1088	2772	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	67
PID 908 set thread context of 1204	908	RegAsm.exe	21
PID 1088 set thread context of 1204	1088	RegAsm.exe	21
PID 2152 set thread context of 1764	2152	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	69
PID 1764 set thread context of 1204	1764	RegAsm.exe	21
PID 1660 set thread context of 2292	1660	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	73
PID 2292 set thread context of 1204	2292	RegAsm.exe	21
PID 2364 set thread context of 2444	2364	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	78
PID 2444 set thread context of 1204	2444	RegAsm.exe	21
PID 2240 set thread context of 872	2240	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	82
PID 872 set thread context of 1204	872	RegAsm.exe	21
PID 2492 set thread context of 1948	2492	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	85
PID 1948 set thread context of 1204	1948	RegAsm.exe	21
PID 2788 set thread context of 1308	2788	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	94
PID 1308 set thread context of 1204	1308	RegAsm.exe	21
PID 2168 set thread context of 2816	2168	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	96
PID 2816 set thread context of 1204	2816	RegAsm.exe	21
PID 2952 set thread context of 1640	2952	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	100
PID 1640 set thread context of 1204	1640	RegAsm.exe	21
PID 836 set thread context of 1832	836	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	103
PID 1832 set thread context of 1204	1832	RegAsm.exe	21
PID 1912 set thread context of 2872	1912	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	105
PID 2872 set thread context of 1204	2872	RegAsm.exe	21
PID 2864 set thread context of 1992	2864	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	108
PID 1992 set thread context of 1204	1992	RegAsm.exe	21
PID 1484 set thread context of 1824	1484	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	111
PID 1824 set thread context of 1204	1824	RegAsm.exe	21
PID 876 set thread context of 1560	876	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	114
PID 1560 set thread context of 1204	1560	RegAsm.exe	21
PID 1716 set thread context of 2244	1716	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	119
PID 2244 set thread context of 1204	2244	RegAsm.exe	21
PID 236 set thread context of 1624	236	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	121
PID 1624 set thread context of 1204	1624	RegAsm.exe	21
PID 2028 set thread context of 1644	2028	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	130
PID 1644 set thread context of 1204	1644	RegAsm.exe	21
PID 2836 set thread context of 2720	2836	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	133
PID 2720 set thread context of 1204	2720	RegAsm.exe	21
PID 372 set thread context of 1248	372	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	137
PID 1248 set thread context of 1204	1248	RegAsm.exe	21
PID 1372 set thread context of 2324	1372	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	140
PID 2324 set thread context of 1204	2324	RegAsm.exe	21
PID 2792 set thread context of 2712	2792	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	149
PID 2704 set thread context of 1204	2704	RegAsm.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NAPSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NAPSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Gathers network information 2 TTPs 32 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3392	NETSTAT.EXE
6488	Process not Found
6412	Process not Found
8120	Process not Found
1600	NETSTAT.EXE
3428	NETSTAT.EXE
5012	Process not Found
6656	Process not Found
2752	ipconfig.exe
5000	ipconfig.exe
6680	Process not Found
6732	Process not Found
6816	Process not Found
5172	Process not Found
4832	NETSTAT.EXE
5524	Process not Found
6664	Process not Found
8376	Process not Found
2800	NETSTAT.EXE
6912	Process not Found
2968	NETSTAT.EXE
5816	Process not Found
5892	Process not Found
5868	Process not Found
8148	Process not Found
1660	NETSTAT.EXE
3360	NETSTAT.EXE
6612	Process not Found
7428	Process not Found
7440	Process not Found
2352	NETSTAT.EXE
320	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2376	RegAsm.exe
1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2184	RegAsm.exe
2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2796	RegAsm.exe
2784	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2704	RegAsm.exe
2584	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2584	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2640	RegAsm.exe
2652	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2652	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2652	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2128	RegAsm.exe
2864	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2864	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2976	RegAsm.exe
536	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
536	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
536	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
536	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1556	RegAsm.exe
1824	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2068	RegAsm.exe
2296	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1268	RegAsm.exe
1812	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1812	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
908	RegAsm.exe
2772	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1088	RegAsm.exe
2152	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1764	RegAsm.exe
1660	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1660	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2292	RegAsm.exe
2364	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2444	RegAsm.exe
2240	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2240	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
872	RegAsm.exe
2492	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2492	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2376	RegAsm.exe
2376	RegAsm.exe
2184	RegAsm.exe
2184	RegAsm.exe
1948	RegAsm.exe
2788	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2788	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1308	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2168	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2816	RegAsm.exe
2952	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2952	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
2952	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1640	RegAsm.exe
836	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
1832	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2376	RegAsm.exe
Token: SeDebugPrivilege	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2184	RegAsm.exe
Token: SeDebugPrivilege	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2796	RegAsm.exe
Token: SeDebugPrivilege	2784	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2704	RegAsm.exe
Token: SeDebugPrivilege	2584	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2640	RegAsm.exe
Token: SeDebugPrivilege	2652	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2128	RegAsm.exe
Token: SeDebugPrivilege	2864	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2976	RegAsm.exe
Token: SeDebugPrivilege	536	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1556	RegAsm.exe
Token: SeDebugPrivilege	1824	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2068	RegAsm.exe
Token: SeDebugPrivilege	2296	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1268	RegAsm.exe
Token: SeDebugPrivilege	1812	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	908	RegAsm.exe
Token: SeDebugPrivilege	2772	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1088	RegAsm.exe
Token: SeDebugPrivilege	2152	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1764	RegAsm.exe
Token: SeDebugPrivilege	1660	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2292	RegAsm.exe
Token: SeDebugPrivilege	2364	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2444	RegAsm.exe
Token: SeDebugPrivilege	2240	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	872	RegAsm.exe
Token: SeDebugPrivilege	2492	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2392	msdt.exe
Token: SeDebugPrivilege	1948	RegAsm.exe
Token: SeDebugPrivilege	2788	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2900	raserver.exe
Token: SeDebugPrivilege	1308	RegAsm.exe
Token: SeDebugPrivilege	2760	systray.exe
Token: SeDebugPrivilege	2168	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2816	RegAsm.exe
Token: SeDebugPrivilege	2952	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1640	RegAsm.exe
Token: SeDebugPrivilege	836	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1832	RegAsm.exe
Token: SeDebugPrivilege	1912	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2872	RegAsm.exe
Token: SeDebugPrivilege	2864	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1748	colorcpl.exe
Token: SeDebugPrivilege	1992	RegAsm.exe
Token: SeDebugPrivilege	1484	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1796	netsh.exe
Token: SeDebugPrivilege	1824	RegAsm.exe
Token: SeDebugPrivilege	876	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1560	RegAsm.exe
Token: SeDebugPrivilege	1716	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	2244	RegAsm.exe
Token: SeDebugPrivilege	236	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1624	RegAsm.exe
Token: SeDebugPrivilege	2028	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Token: SeDebugPrivilege	1768	chkdsk.exe
Token: SeDebugPrivilege	1644	RegAsm.exe
Token: SeDebugPrivilege	2352	NETSTAT.EXE
Token: SeDebugPrivilege	2836	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2376	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2376	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2376	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2376	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2376	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2376	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2376	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2376	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	30
PID 1452 wrote to memory of 1248	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	31
PID 1452 wrote to memory of 1248	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	31
PID 1452 wrote to memory of 1248	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	31
PID 1452 wrote to memory of 1248	1452	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	31
PID 1248 wrote to memory of 2248	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2248	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2248	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2248	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2248	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2248	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2248	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	32
PID 1248 wrote to memory of 2460	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	33
PID 1248 wrote to memory of 2460	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	33
PID 1248 wrote to memory of 2460	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	33
PID 1248 wrote to memory of 2460	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	33
PID 1248 wrote to memory of 2460	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	33
PID 1248 wrote to memory of 2460	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	33
PID 1248 wrote to memory of 2460	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	33
PID 1248 wrote to memory of 2184	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	34
PID 1248 wrote to memory of 2184	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	34
PID 1248 wrote to memory of 2184	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	34
PID 1248 wrote to memory of 2184	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	34
PID 1248 wrote to memory of 2184	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	34
PID 1248 wrote to memory of 2184	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	34
PID 1248 wrote to memory of 2184	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	34
PID 1248 wrote to memory of 2184	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	34
PID 1204 wrote to memory of 2392	1204	Explorer.EXE	35
PID 1204 wrote to memory of 2392	1204	Explorer.EXE	35
PID 1204 wrote to memory of 2392	1204	Explorer.EXE	35
PID 1204 wrote to memory of 2392	1204	Explorer.EXE	35
PID 1248 wrote to memory of 2816	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	36
PID 1248 wrote to memory of 2816	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	36
PID 1248 wrote to memory of 2816	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	36
PID 1248 wrote to memory of 2816	1248	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	36
PID 1204 wrote to memory of 2900	1204	Explorer.EXE	37
PID 1204 wrote to memory of 2900	1204	Explorer.EXE	37
PID 1204 wrote to memory of 2900	1204	Explorer.EXE	37
PID 1204 wrote to memory of 2900	1204	Explorer.EXE	37
PID 2816 wrote to memory of 2796	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	38
PID 2816 wrote to memory of 2796	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	38
PID 2816 wrote to memory of 2796	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	38
PID 2816 wrote to memory of 2796	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	38
PID 2816 wrote to memory of 2796	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	38
PID 2816 wrote to memory of 2796	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	38
PID 2816 wrote to memory of 2796	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	38
PID 2816 wrote to memory of 2796	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	38
PID 2816 wrote to memory of 2784	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	39
PID 2816 wrote to memory of 2784	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	39
PID 2816 wrote to memory of 2784	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	39
PID 2816 wrote to memory of 2784	2816	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	39
PID 1204 wrote to memory of 2760	1204	Explorer.EXE	40
PID 1204 wrote to memory of 2760	1204	Explorer.EXE	40
PID 1204 wrote to memory of 2760	1204	Explorer.EXE	40
PID 1204 wrote to memory of 2760	1204	Explorer.EXE	40
PID 2784 wrote to memory of 2704	2784	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	41
PID 2784 wrote to memory of 2704	2784	c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2460
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:2768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:1640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\autoconv.exe
        
        "C:\Windows\SysWOW64\autoconv.exe"
        11⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\autoconv.exe
        
        "C:\Windows\SysWOW64\autoconv.exe"
        11⤵
        
        PID:372
        
        C:\Windows\SysWOW64\autoconv.exe
        
        "C:\Windows\SysWOW64\autoconv.exe"
        11⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\autoconv.exe
        
        "C:\Windows\SysWOW64\autoconv.exe"
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmstp.exe
        
        "C:\Windows\SysWOW64\cmstp.exe"
        11⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\SysWOW64\autoconv.exe
        
        "C:\Windows\SysWOW64\autoconv.exe"
        13⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\autofmt.exe
        
        "C:\Windows\SysWOW64\autofmt.exe"
        13⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmstp.exe
        
        "C:\Windows\SysWOW64\cmstp.exe"
        13⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:1052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        14⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:1600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe"
        20⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:1372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\SysWOW64\chkdsk.exe
        
        "C:\Windows\SysWOW64\chkdsk.exe"
        22⤵
        Enumerates system info in registry
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:2340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:2768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:1316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        27⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:3004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        Suspicious use of SetThreadContext
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        31⤵
        Suspicious use of SetThreadContext
        
        PID:372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        Suspicious use of SetThreadContext
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        32⤵
        Suspicious use of SetThreadContext
        
        PID:1372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        Suspicious use of SetThreadContext
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        33⤵
        Suspicious use of SetThreadContext
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:1180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:2852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        36⤵
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        37⤵
        
        PID:2412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        38⤵
        
        PID:1400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        41⤵
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:2600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        42⤵
        
        PID:688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:3036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        43⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:1316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:1528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        45⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        46⤵
        
        PID:2076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        47⤵
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        48⤵
        
        PID:2656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        49⤵
        
        PID:1524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:3004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        50⤵
        
        PID:2436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        51⤵
        
        PID:1064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        52⤵
        
        PID:928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        53⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        54⤵
        
        PID:2624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        55⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        56⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:1528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        58⤵
        
        PID:1972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        59⤵
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        60⤵
        
        PID:1656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        61⤵
        
        PID:2280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        62⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:1240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        63⤵
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:2232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:1064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        65⤵
        
        PID:372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        66⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        67⤵
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\SysWOW64\control.exe"
        69⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        68⤵
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:1480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\SysWOW64\control.exe"
        70⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        69⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        71⤵
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        72⤵
        
        PID:876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:1340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:3032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:1708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        
        PID:1924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        74⤵
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\autofmt.exe
        
        "C:\Windows\SysWOW64\autofmt.exe"
        76⤵
        
        PID:996
        
        C:\Windows\SysWOW64\autoconv.exe
        
        "C:\Windows\SysWOW64\autoconv.exe"
        76⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\wlanext.exe
        
        "C:\Windows\SysWOW64\wlanext.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        75⤵
        
        PID:776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\SysWOW64\svchost.exe"
        77⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        76⤵
        
        PID:1504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        77⤵
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        78⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        78⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        78⤵
        
        PID:1132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        
        PID:2028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        79⤵
        
        PID:2768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:1972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        81⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        81⤵
        
        PID:1936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        82⤵
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        83⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        83⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        84⤵
        
        PID:1792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        85⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        85⤵
        
        PID:1240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        86⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        86⤵
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        87⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        
        PID:1504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        
        PID:1608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        88⤵
        
        PID:1964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        89⤵
        
        PID:2936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        90⤵
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        91⤵
        
        PID:1792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        91⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        91⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        92⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        92⤵
        
        PID:2380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        93⤵
        
        PID:1240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        94⤵
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        95⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        95⤵
        
        PID:2952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        96⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        96⤵
        
        PID:1964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        97⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        97⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        99⤵
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        99⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        99⤵
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:2396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\raserver.exe
        
        "C:\Windows\SysWOW64\raserver.exe"
        101⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        100⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:1528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        102⤵
        
        PID:372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:1100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:2404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:2388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\autoconv.exe
        
        "C:\Windows\SysWOW64\autoconv.exe"
        104⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\systray.exe
        
        "C:\Windows\SysWOW64\systray.exe"
        104⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        103⤵
        
        PID:1712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        104⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:3180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:3188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        105⤵
        
        PID:3220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        106⤵
        
        PID:3284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        106⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        106⤵
        
        PID:3324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:3372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:3380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:3388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        107⤵
        
        PID:3436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:3480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:3488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        109⤵
        
        PID:3648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        110⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        110⤵
        
        PID:3732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        111⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\SysWOW64\msiexec.exe"
        112⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        111⤵
        
        PID:3852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        112⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\SysWOW64\netsh.exe"
        113⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        112⤵
        
        PID:3964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        
        PID:4000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\help.exe
        
        "C:\Windows\SysWOW64\help.exe"
        114⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        113⤵
        
        PID:4056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:4092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        
        PID:1916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        
        PID:3080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        116⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        116⤵
        
        PID:3208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        117⤵
        
        PID:3504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        117⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        117⤵
        
        PID:3232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        
        PID:3544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        118⤵
        
        PID:3624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        119⤵
        
        PID:3456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        120⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        120⤵
        
        PID:3948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        121⤵
        
        PID:3732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        121⤵
        
        PID:4040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        121⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        121⤵
        
        PID:3908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        122⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        122⤵
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        123⤵
        
        PID:3300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        124⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        124⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        
        PID:1480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        125⤵
        
        PID:3536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        126⤵
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        127⤵
        
        PID:3816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        127⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\systray.exe
        
        "C:\Windows\SysWOW64\systray.exe"
        128⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        128⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\NETSTAT.EXE
        
        "C:\Windows\SysWOW64\NETSTAT.EXE"
        129⤵
        Gathers network information
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        128⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        129⤵
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        129⤵
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        129⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\raserver.exe
        
        "C:\Windows\SysWOW64\raserver.exe"
        130⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        129⤵
        
        PID:3872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        130⤵
        
        PID:3744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        130⤵
        
        PID:3772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        130⤵
        
        PID:3780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        130⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        130⤵
        
        PID:3148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        131⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        131⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        
        PID:2656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        
        PID:1916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        132⤵
        
        PID:3380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        133⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        133⤵
        
        PID:3388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\SysWOW64\netsh.exe"
        135⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        134⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        135⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        136⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        135⤵
        
        PID:3724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:3440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:3624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:3436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        136⤵
        
        PID:3832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        137⤵
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        138⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        138⤵
        
        PID:3772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        139⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        139⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        139⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        140⤵
        
        PID:3304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        140⤵
        
        PID:1916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        141⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        141⤵
        
        PID:4052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        142⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        142⤵
        
        PID:3372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        143⤵
        
        PID:3476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        143⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        143⤵
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        144⤵
        
        PID:3388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        144⤵
        
        PID:3812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        144⤵
        
        PID:3540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        144⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        144⤵
        
        PID:3240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:3840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:4084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:3720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:3688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:3844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        145⤵
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        146⤵
        
        PID:3344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        146⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        146⤵
        
        PID:3988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        147⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\systray.exe
        
        "C:\Windows\SysWOW64\systray.exe"
        148⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        147⤵
        
        PID:3364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        148⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        148⤵
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        149⤵
        
        PID:3972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        149⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        149⤵
        
        PID:3608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:3308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:3152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        150⤵
        
        PID:3580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:3520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        151⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:3220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:3200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:4012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        152⤵
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        153⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        153⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        153⤵
        
        PID:4052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:3364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        154⤵
        
        PID:760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        155⤵
        
        PID:3260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        156⤵
        
        PID:3536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        156⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        156⤵
        
        PID:3660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        157⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        157⤵
        
        PID:3328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        158⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        158⤵
        
        PID:3780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        159⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        159⤵
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        160⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        160⤵
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        161⤵
        
        PID:3564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        162⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        162⤵
        
        PID:3388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        163⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        163⤵
        
        PID:3572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        164⤵
        
        PID:3540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        164⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        164⤵
        
        PID:4084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        165⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        165⤵
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:3256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        166⤵
        
        PID:1964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        167⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        167⤵
        
        PID:3996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        168⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        168⤵
        
        PID:4076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        169⤵
        
        PID:4028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        169⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        169⤵
        
        PID:3944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        170⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        170⤵
        
        PID:1144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        
        PID:3832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        
        PID:3200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        171⤵
        
        PID:3388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        172⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        173⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        172⤵
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        173⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        173⤵
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        174⤵
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        174⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        174⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        174⤵
        
        PID:3220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        175⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        175⤵
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        176⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        176⤵
        
        PID:3084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        177⤵
        
        PID:3348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        177⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        177⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        178⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        178⤵
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        179⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        179⤵
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        180⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        180⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        180⤵
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        181⤵
        
        PID:3388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        181⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        181⤵
        
        PID:3544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        182⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        182⤵
        
        PID:3256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        183⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        183⤵
        
        PID:3876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        184⤵
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        184⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        184⤵
        
        PID:3732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        185⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        185⤵
        
        PID:3824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        186⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        186⤵
        
        PID:3172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        187⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        187⤵
        
        PID:3080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        188⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        188⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        188⤵
        
        PID:3384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        189⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        189⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        190⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        190⤵
        
        PID:2388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        191⤵
        
        PID:3980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        191⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        191⤵
        
        PID:4160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        192⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        192⤵
        
        PID:4248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        193⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        193⤵
        
        PID:4372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        194⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\chkdsk.exe
        
        "C:\Windows\SysWOW64\chkdsk.exe"
        195⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        194⤵
        
        PID:4488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        195⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        195⤵
        
        PID:4592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        196⤵
        
        PID:4648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        196⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        196⤵
        
        PID:4732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        197⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        197⤵
        
        PID:4812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        198⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        198⤵
        
        PID:4916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        199⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        199⤵
        
        PID:5076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        200⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        200⤵
        
        PID:4136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        201⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        201⤵
        
        PID:4224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        202⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        202⤵
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        203⤵
        
        PID:4432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        203⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        203⤵
        
        PID:4524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:4248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:4564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        204⤵
        
        PID:4384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        205⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        205⤵
        
        PID:4692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        206⤵
        
        PID:4604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        206⤵
        
        PID:4616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        206⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        206⤵
        
        PID:4888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:4996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:4980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        207⤵
        
        PID:4756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        208⤵
        
        PID:5068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        208⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        208⤵
        
        PID:4856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        209⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        209⤵
        
        PID:4952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        210⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        210⤵
        
        PID:5100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        211⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        211⤵
        
        PID:3080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        212⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        212⤵
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        213⤵
        
        PID:4632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        213⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        213⤵
        
        PID:4416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        214⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        214⤵
        
        PID:4252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        215⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        215⤵
        
        PID:4728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        216⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        216⤵
        
        PID:4748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        217⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        217⤵
        
        PID:4596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        218⤵
        
        PID:3544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        218⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        218⤵
        
        PID:4824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        219⤵
        
        PID:4852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        219⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        219⤵
        
        PID:4116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        220⤵
        
        PID:4856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        220⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        220⤵
        
        PID:5024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        221⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        221⤵
        
        PID:3164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        222⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        222⤵
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        223⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        223⤵
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        224⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        224⤵
        
        PID:4268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        225⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        225⤵
        
        PID:4620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        226⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        226⤵
        
        PID:4736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        227⤵
        
        PID:4804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        227⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        227⤵
        
        PID:3564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:4888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:4596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:4200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:5084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:4856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:4772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        228⤵
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        229⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        229⤵
        
        PID:5072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        230⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        230⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        231⤵
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        231⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        231⤵
        
        PID:4500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        232⤵
        
        PID:5032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        232⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        232⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        233⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        233⤵
        
        PID:5056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        234⤵
        
        PID:3644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        234⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        234⤵
        
        PID:4232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        235⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        235⤵
        
        PID:3400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        236⤵
        
        PID:4968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        236⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        236⤵
        
        PID:4600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        237⤵
        
        PID:1100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        237⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        237⤵
        
        PID:5004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        238⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        238⤵
        
        PID:4392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        239⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        239⤵
        
        PID:3284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        240⤵
        
        PID:4712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        240⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        240⤵
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        241⤵
        
        PID:3436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        241⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        241⤵
        
        PID:4136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        242⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        242⤵
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        243⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        243⤵
        
        PID:4972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        244⤵
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        244⤵
        
        PID:4788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        244⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        244⤵
        
        PID:4304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        245⤵
        
        PID:4712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        245⤵
        
        PID:3164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        245⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        245⤵
        
        PID:5076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        246⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        246⤵
        
        PID:4824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        247⤵
        
        PID:4852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        247⤵
        
        PID:4184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        247⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        247⤵
        
        PID:4168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        248⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        248⤵
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        249⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        249⤵
        
        PID:3640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        250⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        250⤵
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        251⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"
        251⤵
        
        PID:3544
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1844
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:848
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:928
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1284
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1916
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2208
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1400
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:2664
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:2304
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:2080
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:1332
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:840
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1544
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:900
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2412
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1660
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:1532
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:2196
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2440
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2812
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2728
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:2764
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:2856
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:992
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Enumerates system info in registry
  PID:2876
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2220
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1312
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1724
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:964
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3036
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1664
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2224
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:576
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2300
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2540
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1340
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2132
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1620
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:2844
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:1752
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:2052
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:2256
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:2960
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:1516
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:572
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:320
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:2140
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:1932
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1740
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  PID:1904
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:2752
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:2476
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:1912
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  PID:1772
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:1476
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  PID:2308
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  PID:988
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  PID:1400
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Enumerates system info in registry
  PID:1628
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2588
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:912
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:2740
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:2612
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:1580
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:576
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:2348
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Enumerates system info in registry
  PID:1816
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  PID:2336
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:2920
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:2504
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:2924
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  PID:2320
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  PID:1800
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1092
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:2768
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:560
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  PID:1988
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2680
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2152
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2996
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2420
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:576
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:1328
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:1692
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:2420
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:2152
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:884
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:720
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:2264
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:1660
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:1792
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:1756
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:2492
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:2400
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:3120
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:3272
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:3408
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:3512
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  PID:3600
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:3764
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:2396
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  PID:2952
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Enumerates system info in registry
  PID:3180
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:3132
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:3336
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:3368
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  PID:3760
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  PID:3792
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:3920
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  PID:668
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3092
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:1740
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:3216
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3756
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:1600
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:1512
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:3360
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:3976
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:3948
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:3560
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:3212
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:3528
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:600
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:3104
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1964
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1144
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3580
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3860
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3892
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3832
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4048
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3584
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3700
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  PID:3500
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:3632
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:3888
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:3744
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:3628
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:3688
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  PID:3224
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  PID:3320
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:3428
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:4040
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  PID:3656
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:3416
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:2440
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:684
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  PID:3116
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:3852
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:3076
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3188
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3736
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3392
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3584
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2360
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3380
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  PID:3892
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:3476
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  PID:1916
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:3712
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:3872
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4024
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3452
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3172
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4084
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3580
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3400
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2344
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3532
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3284
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3480
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4012
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:2280
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:3316
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:3752
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:4044
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  PID:4052
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:3520
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:3300
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:1596
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  PID:4076
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  PID:3388
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:4032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  PID:3312
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  PID:1484
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  PID:3256
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3392
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2656
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2316
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:3740
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:3088
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:2800
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:2628
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:3736
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  PID:4128
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4336
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4348
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4356
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  PID:4576
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:4716
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4880
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  PID:4936
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:5040
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3284
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1780
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:996
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:3392
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  PID:2056
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4172
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4180
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4232
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:4504
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:4528
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:4896
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:4908
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:4024
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:4296
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:2656
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  PID:3472
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:4520
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:2964
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4696
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:5000
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:4832
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4932
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  PID:5108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  PID:4164
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:4328
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:3732
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  PID:4932
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:3788
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:4480
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:4120
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  PID:4952
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:4668
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:4476
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:4704
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4596
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4200
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:4456
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:4820
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:4948
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:4312
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4248
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4308
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4744
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4420
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4788
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4816
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4448
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  PID:4844
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:3400
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:4756
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:4124
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:4244
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:3084
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:1100
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:4840
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  PID:4620

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1KRB4P5Q\1KRlogim.jpeg

Filesize
70KB

MD5
4e6afb891854d795c98d6de9f713213a

SHA1
346ff60f46763b4f7734dd1fdf7e1805fd532eca

SHA256
081474ed30d9d80b09bd4dd8e88fae6b00d1c7889ec440bfbba086ad8098f948

SHA512
91c73b165d67f34ec4b2773cb10bd774cd5bdb0beb68eb602b88101ce89872970c77926a0b3b0ca707c2eaf9a3484150e4e4dee54cde8e9027b9c19e0db2f878

Download Submit
C:\Users\Admin\AppData\Roaming\1KRB4P5Q\1KRlogri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\1KRB4P5Q\1KRlogrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
memory/1204-66-0x0000000009F00000-0x0000000009FF4000-memory.dmp

Filesize
976KB

Download
memory/1204-25-0x0000000007D00000-0x0000000007E3F000-memory.dmp

Filesize
1.2MB

Download
memory/1204-37-0x0000000005310000-0x00000000053F4000-memory.dmp

Filesize
912KB

Download
memory/1204-39-0x00000000099E0000-0x0000000009AFB000-memory.dmp

Filesize
1.1MB

Download
memory/1204-44-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/1204-47-0x0000000006B70000-0x0000000006C38000-memory.dmp

Filesize
800KB

Download
memory/1452-0-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/1452-1-0x0000000000850000-0x000000000089C000-memory.dmp

Filesize
304KB

Download
memory/1452-6-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-2-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-10-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-3-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/1452-4-0x0000000001ED0000-0x0000000001F08000-memory.dmp

Filesize
224KB

Download
memory/1748-74-0x0000000000F90000-0x0000000000FA8000-memory.dmp

Filesize
96KB

Download
memory/1796-80-0x00000000009C0000-0x00000000009DB000-memory.dmp

Filesize
108KB

Download
memory/2376-52-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2376-7-0x0000000002750000-0x0000000002A53000-memory.dmp

Filesize
3.0MB

Download
memory/2376-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2392-53-0x0000000000CB0000-0x0000000000DA4000-memory.dmp

Filesize
976KB

Download
memory/2760-61-0x0000000000510000-0x0000000000515000-memory.dmp

Filesize
20KB

Download
memory/2900-55-0x0000000000D50000-0x0000000000D6C000-memory.dmp

Filesize
112KB

Download