lokibot | e8be8e650e523ee3d17a389b2346bef51a7a83f6db16306f1d09456aea5dbe70

Analysis

max time kernel
147s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Size

460KB
MD5

cb41ab7f417be462a34754b5f862cbf6
SHA1

d03c1f82c582d9824b06d284225785432e976057
SHA256

e8be8e650e523ee3d17a389b2346bef51a7a83f6db16306f1d09456aea5dbe70
SHA512

668403a2856073173a95787c63adb9c435494dab41be0c3d04ab3386474182b3cd2e1f1397046b82203b88cd1c8ec004b6a8b3df89aa437f62f5738024d7a9b6
SSDEEP

12288:3dp0NlFrPFxVB/H4RZFrmtdlEm9Ojz15eL:j0NlFrPFxVB/H4RZFrmvlEmEjS

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://corpcougar.in/jayy/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 1748	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	89
PID 1764 set thread context of 2432	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	96
PID 1308 set thread context of 1636	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	104
PID 3176 set thread context of 2112	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	109
PID 3016 set thread context of 4412	3016	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	114
PID 5064 set thread context of 4040	5064	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	120
PID 412 set thread context of 4308	412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	125
PID 1980 set thread context of 2648	1980	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	133
PID 1660 set thread context of 3192	1660	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	138
PID 4324 set thread context of 4952	4324	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	144
PID 4208 set thread context of 3940	4208	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	150
PID 3384 set thread context of 212	3384	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	155
PID 4484 set thread context of 3356	4484	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	163
PID 4184 set thread context of 2236	4184	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	168
PID 3224 set thread context of 2188	3224	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	173
PID 2568 set thread context of 5104	2568	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	178
PID 2480 set thread context of 3176	2480	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	183
PID 3120 set thread context of 1392	3120	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	189
PID 4380 set thread context of 3412	4380	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	194
PID 1628 set thread context of 1004	1628	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	199
PID 2252 set thread context of 1016	2252	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	204
PID 2188 set thread context of 4552	2188	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	210
PID 2056 set thread context of 1248	2056	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	215
PID 2492 set thread context of 4328	2492	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	220
PID 3360 set thread context of 880	3360	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	225
PID 3632 set thread context of 4360	3632	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	231
PID 3524 set thread context of 4184	3524	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	237
PID 4816 set thread context of 1308	4816	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	242
PID 2624 set thread context of 5112	2624	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	247
PID 3836 set thread context of 4712	3836	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	253
PID 4444 set thread context of 1584	4444	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	258
PID 4008 set thread context of 2492	4008	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	263
PID 4868 set thread context of 688	4868	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	269
PID 552 set thread context of 376	552	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	274
PID 3940 set thread context of 5088	3940	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	279
PID 2452 set thread context of 1392	2452	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	288
PID 1632 set thread context of 2624	1632	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	293
PID 4920 set thread context of 3260	4920	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	299
PID 3480 set thread context of 4952	3480	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	304
PID 3144 set thread context of 2296	3144	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	311
PID 376 set thread context of 3068	376	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	316
PID 1248 set thread context of 2960	1248	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	321
PID 1544 set thread context of 4396	1544	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	326
PID 1004 set thread context of 1472	1004	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	331
PID 4428 set thread context of 4968	4428	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	337
PID 5020 set thread context of 2812	5020	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	344
PID 3236 set thread context of 2840	3236	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	349
PID 856 set thread context of 2096	856	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	355
PID 4080 set thread context of 3420	4080	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	360
PID 2452 set thread context of 5028	2452	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	365
PID 1360 set thread context of 2236	1360	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	370
PID 212 set thread context of 4540	212	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	375
PID 4500 set thread context of 4744	4500	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	380
PID 2072 set thread context of 976	2072	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	385
PID 4460 set thread context of 808	4460	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	392
PID 1080 set thread context of 4692	1080	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	398
PID 3220 set thread context of 3900	3220	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	403
PID 3512 set thread context of 3172	3512	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	408
PID 716 set thread context of 4592	716	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	413
PID 2840 set thread context of 3600	2840	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	418
PID 1956 set thread context of 1788	1956	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	423
PID 1892 set thread context of 1660	1892	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	428
PID 4476 set thread context of 1176	4476	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	433
PID 4344 set thread context of 3964	4344	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	438

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3016	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
5064	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
5064	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1980	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1980	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1980	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1660	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4324	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4324	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4208	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4208	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3384	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4484	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4484	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4184	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3224	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2568	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2480	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3120	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3120	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4380	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1628	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2252	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2188	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2188	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2056	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2492	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3360	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3632	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3632	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3524	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3524	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4816	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2624	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3836	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3836	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4444	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4008	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4868	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4868	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
552	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3940	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2452	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2452	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2452	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2452	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
2452	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1632	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4920	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4920	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3480	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3144	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
3144	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
376	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1248	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1544	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
1004	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
4428	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1748	vbc.exe
Token: SeDebugPrivilege	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3016	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	5064	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	412	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1980	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1660	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4324	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4208	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3384	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4484	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4184	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3224	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2568	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2480	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3120	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4380	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1628	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2252	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2188	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2056	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2492	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3360	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3632	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3524	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4816	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2624	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3836	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4444	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4008	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4868	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	552	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3940	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2452	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1632	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4920	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3480	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3144	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	376	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1248	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1544	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1004	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4428	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	5020	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3236	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	856	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4080	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2452	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1360	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	212	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4500	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2072	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4460	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1080	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3220	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	3512	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	716	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1956	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	1892	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
Token: SeDebugPrivilege	4476	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4412	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	84
PID 1468 wrote to memory of 4412	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	84
PID 1468 wrote to memory of 4412	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	84
PID 4412 wrote to memory of 1176	4412	csc.exe	87
PID 4412 wrote to memory of 1176	4412	csc.exe	87
PID 4412 wrote to memory of 1176	4412	csc.exe	87
PID 1468 wrote to memory of 1748	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	89
PID 1468 wrote to memory of 1748	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	89
PID 1468 wrote to memory of 1748	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	89
PID 1468 wrote to memory of 1748	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	89
PID 1468 wrote to memory of 1764	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	90
PID 1468 wrote to memory of 1764	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	90
PID 1468 wrote to memory of 1764	1468	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	90
PID 1764 wrote to memory of 4172	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	91
PID 1764 wrote to memory of 4172	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	91
PID 1764 wrote to memory of 4172	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	91
PID 4172 wrote to memory of 4360	4172	csc.exe	93
PID 4172 wrote to memory of 4360	4172	csc.exe	93
PID 4172 wrote to memory of 4360	4172	csc.exe	93
PID 1764 wrote to memory of 2432	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	96
PID 1764 wrote to memory of 2432	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	96
PID 1764 wrote to memory of 2432	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	96
PID 1764 wrote to memory of 2432	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	96
PID 1764 wrote to memory of 1308	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	97
PID 1764 wrote to memory of 1308	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	97
PID 1764 wrote to memory of 1308	1764	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	97
PID 1308 wrote to memory of 4936	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	98
PID 1308 wrote to memory of 4936	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	98
PID 1308 wrote to memory of 4936	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	98
PID 4936 wrote to memory of 2284	4936	csc.exe	101
PID 4936 wrote to memory of 2284	4936	csc.exe	101
PID 4936 wrote to memory of 2284	4936	csc.exe	101
PID 1308 wrote to memory of 4584	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	103
PID 1308 wrote to memory of 4584	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	103
PID 1308 wrote to memory of 4584	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	103
PID 1308 wrote to memory of 1636	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	104
PID 1308 wrote to memory of 1636	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	104
PID 1308 wrote to memory of 1636	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	104
PID 1308 wrote to memory of 1636	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	104
PID 1308 wrote to memory of 3176	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	105
PID 1308 wrote to memory of 3176	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	105
PID 1308 wrote to memory of 3176	1308	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	105
PID 3176 wrote to memory of 4932	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	106
PID 3176 wrote to memory of 4932	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	106
PID 3176 wrote to memory of 4932	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	106
PID 4932 wrote to memory of 2812	4932	csc.exe	108
PID 4932 wrote to memory of 2812	4932	csc.exe	108
PID 4932 wrote to memory of 2812	4932	csc.exe	108
PID 3176 wrote to memory of 2112	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	109
PID 3176 wrote to memory of 2112	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	109
PID 3176 wrote to memory of 2112	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	109
PID 3176 wrote to memory of 2112	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	109
PID 3176 wrote to memory of 3016	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	110
PID 3176 wrote to memory of 3016	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	110
PID 3176 wrote to memory of 3016	3176	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	110
PID 3016 wrote to memory of 1088	3016	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	111
PID 3016 wrote to memory of 1088	3016	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	111
PID 3016 wrote to memory of 1088	3016	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	111
PID 1088 wrote to memory of 4916	1088	csc.exe	113
PID 1088 wrote to memory of 4916	1088	csc.exe	113
PID 1088 wrote to memory of 4916	1088	csc.exe	113
PID 3016 wrote to memory of 4412	3016	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	114
PID 3016 wrote to memory of 4412	3016	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	114
PID 3016 wrote to memory of 4412	3016	cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe	114

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wdhgm1iv\wdhgm1iv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1587.tmp" "c:\Users\Admin\AppData\Local\Temp\wdhgm1iv\CSC51773776F75C42B98D53C16C6E979DDA.TMP"
    3⤵
    PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wwcks2r2\wwcks2r2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DF3.tmp" "c:\Users\Admin\AppData\Local\Temp\wwcks2r2\CSCA1787902EDE441AC8DCD9998F8B056BE.TMP"
      4⤵
      PID:4360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5fmnoe3w\5fmnoe3w.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24D9.tmp" "c:\Users\Admin\AppData\Local\Temp\5fmnoe3w\CSC8C65C6E2FA0A440A9E7332A43CF6A92.TMP"
        5⤵
        
        PID:2284
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:4584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3qiual5e\3qiual5e.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26AD.tmp" "c:\Users\Admin\AppData\Local\Temp\3qiual5e\CSC1AC2964737A74EA6BB151B23D3E4A51.TMP"
        6⤵
        
        PID:2812
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qktpqfds\qktpqfds.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES292E.tmp" "c:\Users\Admin\AppData\Local\Temp\qktpqfds\CSC8422A786B3064B9DBD1AF2B01917250.TMP"
        7⤵
        
        PID:4916
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        
        PID:4412
      - C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        6⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fnsn1ngj\fnsn1ngj.cmdline"
        7⤵
        
        PID:4272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BCE.tmp" "c:\Users\Admin\AppData\Local\Temp\fnsn1ngj\CSC85D70B238D8046EFA8A8BAC98999A9AD.TMP"
        8⤵
        
        PID:4416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        7⤵
        
        PID:4636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        7⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zp5m1nf1\zp5m1nf1.cmdline"
        8⤵
        
        PID:3328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DF1.tmp" "c:\Users\Admin\AppData\Local\Temp\zp5m1nf1\CSC200CFC30D1CA47629C2C564A2629CF39.TMP"
        9⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        8⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4cam23t\x4cam23t.cmdline"
        9⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3023.tmp" "c:\Users\Admin\AppData\Local\Temp\x4cam23t\CSCD456412147704757A5548F53251A33B.TMP"
        10⤵
        
        PID:3604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        9⤵
        
        PID:756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        9⤵
        
        PID:5008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        9⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d51w3gkb\d51w3gkb.cmdline"
        10⤵
        
        PID:3528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES335F.tmp" "c:\Users\Admin\AppData\Local\Temp\d51w3gkb\CSC35B0E8C22D5B4588B4B23962686D76E3.TMP"
        11⤵
        
        PID:3756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        10⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nf3me02c\nf3me02c.cmdline"
        11⤵
        
        PID:4916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3582.tmp" "c:\Users\Admin\AppData\Local\Temp\nf3me02c\CSC4F568DF8A2C548ACB6ECB4757CBBDA6.TMP"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        11⤵
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        11⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        11⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bgukukb4\bgukukb4.cmdline"
        12⤵
        
        PID:2100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3870.tmp" "c:\Users\Admin\AppData\Local\Temp\bgukukb4\CSC94DB2C1133834911B6323C8C4F45E886.TMP"
        13⤵
        
        PID:4204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        12⤵
        
        PID:708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        12⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wu0so4hg\wu0so4hg.cmdline"
        13⤵
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B5E.tmp" "c:\Users\Admin\AppData\Local\Temp\wu0so4hg\CSC5A7A482B42834B129BF96F7DFCD9274D.TMP"
        14⤵
        
        PID:1236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        13⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hpob0fvu\hpob0fvu.cmdline"
        14⤵
        
        PID:868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D23.tmp" "c:\Users\Admin\AppData\Local\Temp\hpob0fvu\CSCB978BC512BB440479BB98415DD516EBE.TMP"
        15⤵
        
        PID:3064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        14⤵
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        14⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jxdnowo3\jxdnowo3.cmdline"
        15⤵
        
        PID:4956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4011.tmp" "c:\Users\Admin\AppData\Local\Temp\jxdnowo3\CSCE7DC813FB90462D912F672FF779A1FE.TMP"
        16⤵
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        15⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sjrengrd\sjrengrd.cmdline"
        16⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4273.tmp" "c:\Users\Admin\AppData\Local\Temp\sjrengrd\CSC5A8E5FE820D3457B91176642EB57B446.TMP"
        17⤵
        
        PID:3168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        16⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y3euoxek\y3euoxek.cmdline"
        17⤵
        
        PID:2756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44D4.tmp" "c:\Users\Admin\AppData\Local\Temp\y3euoxek\CSC9526FB3DA1664E81B6AADBEF4133CBC2.TMP"
        18⤵
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xsbxepgf\xsbxepgf.cmdline"
        18⤵
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4774.tmp" "c:\Users\Admin\AppData\Local\Temp\xsbxepgf\CSCFFFB28B78E1A4B1F8E9357EACB9B1EA.TMP"
        19⤵
        
        PID:2100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        18⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        18⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ge5tu3u\4ge5tu3u.cmdline"
        19⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4958.tmp" "c:\Users\Admin\AppData\Local\Temp\4ge5tu3u\CSC524CDEE77C674DAA908720B9F5524BB.TMP"
        20⤵
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        19⤵
        
        PID:3604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        19⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        19⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evcnzv2d\evcnzv2d.cmdline"
        20⤵
        
        PID:212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AFE.tmp" "c:\Users\Admin\AppData\Local\Temp\evcnzv2d\CSCDF271DBE50854169A09C75DEA266D2.TMP"
        21⤵
        
        PID:4424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        20⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        20⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1xgp5lag\1xgp5lag.cmdline"
        21⤵
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CB4.tmp" "c:\Users\Admin\AppData\Local\Temp\1xgp5lag\CSCB2A48F16D63F4C4B9C52AA7C87C7EE34.TMP"
        22⤵
        
        PID:4376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        21⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yeliy2jk\yeliy2jk.cmdline"
        22⤵
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FFF.tmp" "c:\Users\Admin\AppData\Local\Temp\yeliy2jk\CSC38E6A257BC93465180D91FB532716F7.TMP"
        23⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        22⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3wbay03e\3wbay03e.cmdline"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES529F.tmp" "c:\Users\Admin\AppData\Local\Temp\3wbay03e\CSC2456946F3794501A2E74453D93D9D36.TMP"
        24⤵
        
        PID:4836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        23⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        23⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\obqlpuem\obqlpuem.cmdline"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES555E.tmp" "c:\Users\Admin\AppData\Local\Temp\obqlpuem\CSC3B13E7F82A05446E91D5421BEDE2B365.TMP"
        25⤵
        
        PID:2624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        24⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        24⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r5yicp1v\r5yicp1v.cmdline"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57DF.tmp" "c:\Users\Admin\AppData\Local\Temp\r5yicp1v\CSCE29C7631EA824C8292D5292DCC17A6F2.TMP"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        25⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\si03tcoq\si03tcoq.cmdline"
        26⤵
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A40.tmp" "c:\Users\Admin\AppData\Local\Temp\si03tcoq\CSC4923AB4AAA74EBCB9D460B41B97843.TMP"
        27⤵
        
        PID:836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        26⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xbuieag\4xbuieag.cmdline"
        27⤵
        
        PID:3280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EB5.tmp" "c:\Users\Admin\AppData\Local\Temp\4xbuieag\CSC90C4DD9865DF4524B98D9CAD66BE3CC.TMP"
        28⤵
        
        PID:3680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        27⤵
        
        PID:4220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        27⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        27⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bat2rovl\bat2rovl.cmdline"
        28⤵
        
        PID:808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES623F.tmp" "c:\Users\Admin\AppData\Local\Temp\bat2rovl\CSC4924605A53EB48759BC03FF445E174BE.TMP"
        29⤵
        
        PID:4560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        28⤵
        
        PID:408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        28⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        28⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ucxjcr1l\ucxjcr1l.cmdline"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64DF.tmp" "c:\Users\Admin\AppData\Local\Temp\ucxjcr1l\CSC5DB0EE8E44914E30A8C82EF2B6267FF7.TMP"
        30⤵
        
        PID:5076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        29⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y0xgsml4\y0xgsml4.cmdline"
        30⤵
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES677F.tmp" "c:\Users\Admin\AppData\Local\Temp\y0xgsml4\CSCD51C614067C84327B375D0F73B67EDC1.TMP"
        31⤵
        
        PID:2736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        30⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2ddjlwd\n2ddjlwd.cmdline"
        31⤵
        
        PID:3192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A4E.tmp" "c:\Users\Admin\AppData\Local\Temp\n2ddjlwd\CSCB4DD2ABBA481485CB1FD2D24C89048.TMP"
        32⤵
        
        PID:1808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        31⤵
        
        PID:4900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        31⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ypttadtx\ypttadtx.cmdline"
        32⤵
        
        PID:1432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D9A.tmp" "c:\Users\Admin\AppData\Local\Temp\ypttadtx\CSC828961C04419492DBFA7AEC67218D75.TMP"
        33⤵
        
        PID:1812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        32⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amitg4ir\amitg4ir.cmdline"
        33⤵
        
        PID:3412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70F5.tmp" "c:\Users\Admin\AppData\Local\Temp\amitg4ir\CSCF90C3640468D49529B3FF8DF6E4D9D19.TMP"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        33⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        33⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ml2sx1so\ml2sx1so.cmdline"
        34⤵
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7450.tmp" "c:\Users\Admin\AppData\Local\Temp\ml2sx1so\CSC72518037F2344674B79D31C64CF115C.TMP"
        35⤵
        
        PID:2192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t3ms4daw\t3ms4daw.cmdline"
        35⤵
        
        PID:3416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES772F.tmp" "c:\Users\Admin\AppData\Local\Temp\t3ms4daw\CSC56987E0EED8C4BD7921E1A51F690A75.TMP"
        36⤵
        
        PID:4184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        35⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        35⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p35bsc00\p35bsc00.cmdline"
        36⤵
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79BF.tmp" "c:\Users\Admin\AppData\Local\Temp\p35bsc00\CSC5728F7F919B149898BEE70D5E6373E78.TMP"
        37⤵
        
        PID:4976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        36⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xxxdu0lq\xxxdu0lq.cmdline"
        37⤵
        
        PID:1248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CAD.tmp" "c:\Users\Admin\AppData\Local\Temp\xxxdu0lq\CSC2251821B497D404DB3E97112538123A4.TMP"
        38⤵
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        37⤵
        
        PID:3420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        37⤵
        
        PID:1236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        37⤵
        
        PID:4436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        37⤵
        
        PID:1276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        37⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        37⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f5gnqwps\f5gnqwps.cmdline"
        38⤵
        
        PID:1696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F5C.tmp" "c:\Users\Admin\AppData\Local\Temp\f5gnqwps\CSC186EA5CB4034DCC86C5D1AFA491FE7C.TMP"
        39⤵
        
        PID:2340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        38⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lo5b4hhl\lo5b4hhl.cmdline"
        39⤵
        
        PID:3412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES824A.tmp" "c:\Users\Admin\AppData\Local\Temp\lo5b4hhl\CSC4971791DBF014E7ABAA3515BB7A1C5AD.TMP"
        40⤵
        
        PID:404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        39⤵
        
        PID:3988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        39⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        39⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yel442uq\yel442uq.cmdline"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8604.tmp" "c:\Users\Admin\AppData\Local\Temp\yel442uq\CSC1DB7880E42B54F7DA25250C5A43D80CF.TMP"
        41⤵
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        40⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        40⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gq0mv3cd\gq0mv3cd.cmdline"
        41⤵
        
        PID:3680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8884.tmp" "c:\Users\Admin\AppData\Local\Temp\gq0mv3cd\CSCAAE3E1E2F40C40A58F212E91D6E44A6.TMP"
        42⤵
        
        PID:1348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        41⤵
        
        PID:4976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        41⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        41⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\su5taarx\su5taarx.cmdline"
        42⤵
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B14.tmp" "c:\Users\Admin\AppData\Local\Temp\su5taarx\CSCD5203BC134D74693A4E3F861AE9A803C.TMP"
        43⤵
        
        PID:1652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        42⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        42⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykovk51e\ykovk51e.cmdline"
        43⤵
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D95.tmp" "c:\Users\Admin\AppData\Local\Temp\ykovk51e\CSC9E50A7861512463CA4349D4C36BAA8.TMP"
        44⤵
        
        PID:4984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        43⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        43⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cr5mq4vb\cr5mq4vb.cmdline"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90A2.tmp" "c:\Users\Admin\AppData\Local\Temp\cr5mq4vb\CSC7F4A2856A76F47EB84A41D2C459BF571.TMP"
        45⤵
        
        PID:4456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        44⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        44⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mvtrtfxw\mvtrtfxw.cmdline"
        45⤵
        
        PID:4344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92C5.tmp" "c:\Users\Admin\AppData\Local\Temp\mvtrtfxw\CSCA0EE7BC9B8B14D959FFCF73B62B13DC9.TMP"
        46⤵
        
        PID:60
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        45⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        45⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\23kejtro\23kejtro.cmdline"
        46⤵
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES966F.tmp" "c:\Users\Admin\AppData\Local\Temp\23kejtro\CSC33E95714DC5F41AB8C523496C69A32DB.TMP"
        47⤵
        
        PID:3360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        46⤵
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        46⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        46⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tats1i05\tats1i05.cmdline"
        47⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES996C.tmp" "c:\Users\Admin\AppData\Local\Temp\tats1i05\CSC69CF13CF4068476B86A23BE3AA785E34.TMP"
        48⤵
        
        PID:2032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        47⤵
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        47⤵
        
        PID:964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        47⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        47⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\syhibtll\syhibtll.cmdline"
        48⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CB8.tmp" "c:\Users\Admin\AppData\Local\Temp\syhibtll\CSC117FF29B98A74609B7D1D776A88DF1B7.TMP"
        49⤵
        
        PID:3600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        48⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        48⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i4wr4rl5\i4wr4rl5.cmdline"
        49⤵
        
        PID:4900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EDB.tmp" "c:\Users\Admin\AppData\Local\Temp\i4wr4rl5\CSCD61CFD778BA5453998838A2972AA6D2.TMP"
        50⤵
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        49⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        49⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uassdlf2\uassdlf2.cmdline"
        50⤵
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA062.tmp" "c:\Users\Admin\AppData\Local\Temp\uassdlf2\CSC9D67889CD70C4471BA7EA1D53EF15E7.TMP"
        51⤵
        
        PID:412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        50⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        50⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtjp233k\gtjp233k.cmdline"
        51⤵
        
        PID:3280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1C9.tmp" "c:\Users\Admin\AppData\Local\Temp\gtjp233k\CSC855D6C221C204332BCCA54C2391829B6.TMP"
        52⤵
        
        PID:4644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        51⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        51⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jcgjyi33\jcgjyi33.cmdline"
        52⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA36F.tmp" "c:\Users\Admin\AppData\Local\Temp\jcgjyi33\CSCD6FC9CC52C9543EAACA9A2976699FDA6.TMP"
        53⤵
        
        PID:4692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        52⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        52⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xh0dybom\xh0dybom.cmdline"
        53⤵
        
        PID:436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA505.tmp" "c:\Users\Admin\AppData\Local\Temp\xh0dybom\CSCC57404FB91B94F74B91FB02D8212BCA0.TMP"
        54⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        53⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        53⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utjg4clf\utjg4clf.cmdline"
        54⤵
        
        PID:4828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7D4.tmp" "c:\Users\Admin\AppData\Local\Temp\utjg4clf\CSC4BFED15B7D1C49BFAD689E3594E548B.TMP"
        55⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        54⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        54⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anty2zfq\anty2zfq.cmdline"
        55⤵
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA45.tmp" "c:\Users\Admin\AppData\Local\Temp\anty2zfq\CSC23D4E8EE5D3A4CBFB72EC29211CA19.TMP"
        56⤵
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        55⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kmdsfx0y\kmdsfx0y.cmdline"
        56⤵
        
        PID:4840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACF4.tmp" "c:\Users\Admin\AppData\Local\Temp\kmdsfx0y\CSC8128C9C9DE542A4AB9E76EE2098B51D.TMP"
        57⤵
        
        PID:2340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        56⤵
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        56⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        56⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        56⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4k40dvoo\4k40dvoo.cmdline"
        57⤵
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF08.tmp" "c:\Users\Admin\AppData\Local\Temp\4k40dvoo\CSC26E116A1F7B149A18E2BB863EA777E3F.TMP"
        58⤵
        
        PID:1212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        57⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        57⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wrh4ftnq\wrh4ftnq.cmdline"
        58⤵
        
        PID:3368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB14A.tmp" "c:\Users\Admin\AppData\Local\Temp\wrh4ftnq\CSCA479FC041B7B4AD9843A2A9659A5709A.TMP"
        59⤵
        
        PID:2480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        58⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        58⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ng2dpujm\ng2dpujm.cmdline"
        59⤵
        
        PID:1132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3CA.tmp" "c:\Users\Admin\AppData\Local\Temp\ng2dpujm\CSCFD4AD61ACA2F425AB085536BECD45793.TMP"
        60⤵
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        59⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        59⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4njtrsjx\4njtrsjx.cmdline"
        60⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB716.tmp" "c:\Users\Admin\AppData\Local\Temp\4njtrsjx\CSCD0AF81DAEB9A46A5B466D3DE116FC3BA.TMP"
        61⤵
        
        PID:4976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        60⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        60⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\don3h1rb\don3h1rb.cmdline"
        61⤵
        
        PID:4456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9D5.tmp" "c:\Users\Admin\AppData\Local\Temp\don3h1rb\CSC4C72D057A0604098BEA4AC32AF6B599C.TMP"
        62⤵
        
        PID:1136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        61⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nahacrsy\nahacrsy.cmdline"
        62⤵
        
        PID:364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD5F.tmp" "c:\Users\Admin\AppData\Local\Temp\nahacrsy\CSC2C2A5867D48435395AFE8AD654AFF5A.TMP"
        63⤵
        
        PID:1188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        62⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        62⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b1gva4ma\b1gva4ma.cmdline"
        63⤵
        
        PID:2808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFC1.tmp" "c:\Users\Admin\AppData\Local\Temp\b1gva4ma\CSC42C0A5FD81554410A97C36763D17AC38.TMP"
        64⤵
        
        PID:3940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        63⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        63⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kg1iwzxv\kg1iwzxv.cmdline"
        64⤵
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC270.tmp" "c:\Users\Admin\AppData\Local\Temp\kg1iwzxv\CSC542F252B24CB40A09891674F43FE229B.TMP"
        65⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        64⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        64⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xhz0dins\xhz0dins.cmdline"
        65⤵
        
        PID:2356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6B6.tmp" "c:\Users\Admin\AppData\Local\Temp\xhz0dins\CSCA5A17404ED6A46B587D9D875743C35FF.TMP"
        66⤵
        
        PID:116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        65⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        65⤵
        Checks computer location settings
        
        PID:2168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eo4n2124\eo4n2124.cmdline"
        66⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC966.tmp" "c:\Users\Admin\AppData\Local\Temp\eo4n2124\CSC175C468F664F4BB384A28F1380CC2D4.TMP"
        67⤵
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        66⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ty0vr2wm\ty0vr2wm.cmdline"
        67⤵
        
        PID:3032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBA8.tmp" "c:\Users\Admin\AppData\Local\Temp\ty0vr2wm\CSCAF317AB511E84CF19CD254A592C07A8C.TMP"
        68⤵
        
        PID:1532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        67⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        67⤵
        
        PID:4748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yichekvf\yichekvf.cmdline"
        68⤵
        
        PID:376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE76.tmp" "c:\Users\Admin\AppData\Local\Temp\yichekvf\CSCBE685960831B4FE8945E582B9345872.TMP"
        69⤵
        
        PID:2656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        68⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        68⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pa2v3ak1\pa2v3ak1.cmdline"
        69⤵
        
        PID:2736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1B3.tmp" "c:\Users\Admin\AppData\Local\Temp\pa2v3ak1\CSC7DEC1E58110B4792ACE1C3C751A93A67.TMP"
        70⤵
        
        PID:3940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        69⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        69⤵
        
        PID:540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvyq0ods\yvyq0ods.cmdline"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59B.tmp" "c:\Users\Admin\AppData\Local\Temp\yvyq0ods\CSCE6DB0225B2D5460CB779A9CC94B25D73.TMP"
        71⤵
        
        PID:4028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        70⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        70⤵
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        70⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        70⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        70⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        70⤵
        Checks computer location settings
        
        PID:3464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvrlyv42\vvrlyv42.cmdline"
        71⤵
        
        PID:4356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD81B.tmp" "c:\Users\Admin\AppData\Local\Temp\vvrlyv42\CSC25648446942E481E9514B25872BB3D8.TMP"
        72⤵
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        71⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        71⤵
        Checks computer location settings
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mlnzq2mg\mlnzq2mg.cmdline"
        72⤵
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAFA.tmp" "c:\Users\Admin\AppData\Local\Temp\mlnzq2mg\CSCF255AEB3C39A493288ED832350D068FC.TMP"
        73⤵
        
        PID:4532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        72⤵
        
        PID:4796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        72⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        72⤵
        
        PID:532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sm51ayhj\sm51ayhj.cmdline"
        73⤵
        
        PID:964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDE8.tmp" "c:\Users\Admin\AppData\Local\Temp\sm51ayhj\CSCD13BF9D5A89A4FA9BF27C32CE7D99B.TMP"
        74⤵
        
        PID:4744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        73⤵
        
        PID:4660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        73⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\02l10g4e\02l10g4e.cmdline"
        74⤵
        
        PID:2340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE104.tmp" "c:\Users\Admin\AppData\Local\Temp\02l10g4e\CSCB35D044328D740CAA8F4A04CCB8CF67.TMP"
        75⤵
        
        PID:708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        74⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        74⤵
        Checks computer location settings
        
        PID:5028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\00deb15t\00deb15t.cmdline"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE347.tmp" "c:\Users\Admin\AppData\Local\Temp\00deb15t\CSC4B9E07CA8E246129872203CA57A5B62.TMP"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        75⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        75⤵
        
        PID:5032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jouuoq2f\jouuoq2f.cmdline"
        76⤵
        
        PID:1472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE72F.tmp" "c:\Users\Admin\AppData\Local\Temp\jouuoq2f\CSCCB6CCDB1B6D04D55BBEA16C88B6FCFA7.TMP"
        77⤵
        
        PID:3416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        76⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        76⤵
        
        PID:1932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wu4oupg4\wu4oupg4.cmdline"
        77⤵
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA6B.tmp" "c:\Users\Admin\AppData\Local\Temp\wu4oupg4\CSCB7A1723610F64A95A3D0303943BF83FF.TMP"
        78⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        77⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        77⤵
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v4i44le2\v4i44le2.cmdline"
        78⤵
        
        PID:4328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDB6.tmp" "c:\Users\Admin\AppData\Local\Temp\v4i44le2\CSCEFCFF5335AB547F0B4A3683590CCFF5.TMP"
        79⤵
        
        PID:4308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        78⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        78⤵
        Checks computer location settings
        
        PID:4956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1tl1xuwr\1tl1xuwr.cmdline"
        79⤵
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C4.tmp" "c:\Users\Admin\AppData\Local\Temp\1tl1xuwr\CSC94B82A3182C94D068E99938CA4BD3160.TMP"
        80⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        79⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        79⤵
        Checks computer location settings
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ujtxvkb1\ujtxvkb1.cmdline"
        80⤵
        
        PID:2196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3E1.tmp" "c:\Users\Admin\AppData\Local\Temp\ujtxvkb1\CSC947AFA475582487CA1872ABEE92ADB96.TMP"
        81⤵
        
        PID:1976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        80⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        80⤵
        
        PID:1300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nhsy5zp4\nhsy5zp4.cmdline"
        81⤵
        
        PID:1248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6EE.tmp" "c:\Users\Admin\AppData\Local\Temp\nhsy5zp4\CSC84315CB2D1894E398A1DF641A38952.TMP"
        82⤵
        
        PID:664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        81⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        81⤵
        
        PID:808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rwfr5qwk\rwfr5qwk.cmdline"
        82⤵
        
        PID:4460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAA7.tmp" "c:\Users\Admin\AppData\Local\Temp\rwfr5qwk\CSCC0378BA1E3064CF3B48FF0547F4B546.TMP"
        83⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        82⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        82⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\up11n0sn\up11n0sn.cmdline"
        83⤵
        
        PID:1080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDF3.tmp" "c:\Users\Admin\AppData\Local\Temp\up11n0sn\CSCB5B441C42C0246A9A0FFB4BA4C7BA6A1.TMP"
        84⤵
        
        PID:3384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        83⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        83⤵
        
        PID:3528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u33m0at0\u33m0at0.cmdline"
        84⤵
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64.tmp" "c:\Users\Admin\AppData\Local\Temp\u33m0at0\CSC868605262E8A440C919B361BC1BF11AD.TMP"
        85⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        84⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        84⤵
        
        PID:4312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4yphfem2\4yphfem2.cmdline"
        85⤵
        
        PID:1296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C5.tmp" "c:\Users\Admin\AppData\Local\Temp\4yphfem2\CSC67F9D38918B04F048CE5D4731458BE9A.TMP"
        86⤵
        
        PID:1360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        85⤵
        
        PID:4360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        85⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        85⤵
        
        PID:1636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\30r33oeh\30r33oeh.cmdline"
        86⤵
        
        PID:220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES620.tmp" "c:\Users\Admin\AppData\Local\Temp\30r33oeh\CSCE85DF037BAA42D8AC596FB02928C342.TMP"
        87⤵
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        86⤵
        
        PID:828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        86⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        86⤵
        Checks computer location settings
        
        PID:4828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cij0m4dl\cij0m4dl.cmdline"
        87⤵
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES891.tmp" "c:\Users\Admin\AppData\Local\Temp\cij0m4dl\CSC80B0750F2D5C4678B4AEFA318B3929E8.TMP"
        88⤵
        
        PID:1816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        87⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        87⤵
        Checks computer location settings
        
        PID:4296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\drawowlk\drawowlk.cmdline"
        88⤵
        
        PID:2244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB70.tmp" "c:\Users\Admin\AppData\Local\Temp\drawowlk\CSC5EE3B566652343B9ACCA65895D1D8DBF.TMP"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        88⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        88⤵
        Checks computer location settings
        
        PID:4476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\le0dr3jv\le0dr3jv.cmdline"
        89⤵
        
        PID:3204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDB.tmp" "c:\Users\Admin\AppData\Local\Temp\le0dr3jv\CSCBE5C1DBF749146E4B8DF4C3F78EA64.TMP"
        90⤵
        
        PID:224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        89⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        89⤵
        
        PID:1300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dhnqncqx\dhnqncqx.cmdline"
        90⤵
        
        PID:3148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES110D.tmp" "c:\Users\Admin\AppData\Local\Temp\dhnqncqx\CSC46FDC2BF4EF9413C8B692428FF958DEA.TMP"
        91⤵
        
        PID:5028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        90⤵
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        90⤵
        
        PID:4740
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        90⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        90⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\au0zhtyy\au0zhtyy.cmdline"
        91⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13EC.tmp" "c:\Users\Admin\AppData\Local\Temp\au0zhtyy\CSC2F0545DC3C714F029FFB451FC6883DDF.TMP"
        92⤵
        
        PID:1868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        91⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        91⤵
        
        PID:4428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylxb3ywb\ylxb3ywb.cmdline"
        92⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES168C.tmp" "c:\Users\Admin\AppData\Local\Temp\ylxb3ywb\CSC46DBB11715104E13995980386C8283C9.TMP"
        93⤵
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        92⤵
        
        PID:4456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        92⤵
        
        PID:1752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        92⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        92⤵
        
        PID:4540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y3dv4oak\y3dv4oak.cmdline"
        93⤵
        
        PID:1720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18AE.tmp" "c:\Users\Admin\AppData\Local\Temp\y3dv4oak\CSC844E3859C2444D1A68BDF746AE9A83.TMP"
        94⤵
        
        PID:2196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        93⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        93⤵
        
        PID:3052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nx2gfdhf\nx2gfdhf.cmdline"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B7D.tmp" "c:\Users\Admin\AppData\Local\Temp\nx2gfdhf\CSCCDE16108BC954F3DB020666F6AE47B83.TMP"
        95⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        94⤵
        
        PID:3604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        94⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        94⤵
        Checks computer location settings
        
        PID:3292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1u1dtsvy\1u1dtsvy.cmdline"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DCF.tmp" "c:\Users\Admin\AppData\Local\Temp\1u1dtsvy\CSC7898CCA053764644AC7E9892D7304.TMP"
        96⤵
        
        PID:1636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        95⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        95⤵
        Checks computer location settings
        
        PID:756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yikvniuh\yikvniuh.cmdline"
        96⤵
        
        PID:4232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES207E.tmp" "c:\Users\Admin\AppData\Local\Temp\yikvniuh\CSCAE93466225394776B1AE23E2A42DFD2.TMP"
        97⤵
        
        PID:3220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        96⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        96⤵
        
        PID:4508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzl3bhm4\uzl3bhm4.cmdline"
        97⤵
        
        PID:1248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2244.tmp" "c:\Users\Admin\AppData\Local\Temp\uzl3bhm4\CSC1105837F79CD45D4A34DF038B61CA073.TMP"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        97⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        97⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        97⤵
        
        PID:552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yssdpsdn\yssdpsdn.cmdline"
        98⤵
        
        PID:4840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2457.tmp" "c:\Users\Admin\AppData\Local\Temp\yssdpsdn\CSC8B1060D9DA704C7CAF31D2392A81B660.TMP"
        99⤵
        
        PID:3368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        98⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        98⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ifa04egd\ifa04egd.cmdline"
        99⤵
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25FD.tmp" "c:\Users\Admin\AppData\Local\Temp\ifa04egd\CSC5451698DF9F140F9857C13199F498035.TMP"
        100⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        99⤵
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        99⤵
        
        PID:4800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        99⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        99⤵
        Checks computer location settings
        
        PID:540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\43f13nss\43f13nss.cmdline"
        100⤵
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28FA.tmp" "c:\Users\Admin\AppData\Local\Temp\43f13nss\CSC9A92D6916406474DB1F05246B57BA192.TMP"
        101⤵
        
        PID:3244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        100⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        100⤵
        
        PID:4412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4z24dfde\4z24dfde.cmdline"
        101⤵
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BD9.tmp" "c:\Users\Admin\AppData\Local\Temp\4z24dfde\CSCF0B9DC31AA46438A8BA89E8461D097E4.TMP"
        102⤵
        
        PID:4340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        101⤵
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        101⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        101⤵
        Checks computer location settings
        
        PID:4444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pghbhkwf\pghbhkwf.cmdline"
        102⤵
        
        PID:412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EE6.tmp" "c:\Users\Admin\AppData\Local\Temp\pghbhkwf\CSCE2B1AA8921DD4E09A161616B928EB979.TMP"
        103⤵
        
        PID:4208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        102⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        102⤵
        
        PID:1840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbgqia1s\bbgqia1s.cmdline"
        103⤵
        
        PID:2984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3212.tmp" "c:\Users\Admin\AppData\Local\Temp\bbgqia1s\CSCA41B789693CC4595BCF6DF3650203AC.TMP"
        104⤵
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        103⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        103⤵
        Checks computer location settings
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ppoyj5t\2ppoyj5t.cmdline"
        104⤵
        
        PID:1464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3426.tmp" "c:\Users\Admin\AppData\Local\Temp\2ppoyj5t\CSC568EA1FA995A49CB89DF392F379B6B7.TMP"
        105⤵
        
        PID:4204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        104⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        104⤵
        
        PID:960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dmkjpnik\dmkjpnik.cmdline"
        105⤵
        
        PID:3384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36E5.tmp" "c:\Users\Admin\AppData\Local\Temp\dmkjpnik\CSCB140B82983D543C4933C25BFBC8546BA.TMP"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        105⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        105⤵
        Checks computer location settings
        
        PID:4336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ldmi1iwh\ldmi1iwh.cmdline"
        106⤵
        
        PID:664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3994.tmp" "c:\Users\Admin\AppData\Local\Temp\ldmi1iwh\CSCAE7ED24973944AEAA2CE936CA88D467.TMP"
        107⤵
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        106⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        106⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pr1rpzpe\pr1rpzpe.cmdline"
        107⤵
        
        PID:5108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D8C.tmp" "c:\Users\Admin\AppData\Local\Temp\pr1rpzpe\CSCABC76DCF14EC419180C3DFCC1521A5FE.TMP"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        107⤵
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        107⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        107⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bon2hiwc\bon2hiwc.cmdline"
        108⤵
        
        PID:3904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES406A.tmp" "c:\Users\Admin\AppData\Local\Temp\bon2hiwc\CSC1EB8FAEAD6874D86B79CE59EC203F8E.TMP"
        109⤵
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        108⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        108⤵
        Checks computer location settings
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzn0zxhv\yzn0zxhv.cmdline"
        109⤵
        
        PID:1460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4387.tmp" "c:\Users\Admin\AppData\Local\Temp\yzn0zxhv\CSC809D9EB7A774EE6881BB18E2829F731.TMP"
        110⤵
        
        PID:3220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        109⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        109⤵
        
        PID:412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmufal2f\tmufal2f.cmdline"
        110⤵
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46E3.tmp" "c:\Users\Admin\AppData\Local\Temp\tmufal2f\CSC2824BF67C01548B992F67AB358C293C.TMP"
        111⤵
        
        PID:3140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        110⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        110⤵
        
        PID:440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a5az1yhh\a5az1yhh.cmdline"
        111⤵
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4973.tmp" "c:\Users\Admin\AppData\Local\Temp\a5az1yhh\CSC1F64E562F6774279BA7A33B9D91413FC.TMP"
        112⤵
        
        PID:3976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        111⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        111⤵
        Checks computer location settings
        
        PID:3964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0e1lvwzh\0e1lvwzh.cmdline"
        112⤵
        
        PID:5096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C90.tmp" "c:\Users\Admin\AppData\Local\Temp\0e1lvwzh\CSC49D1503C10143549BDE943AAE915385.TMP"
        113⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        112⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        112⤵
        
        PID:4900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1mzdflhb\1mzdflhb.cmdline"
        113⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F5E.tmp" "c:\Users\Admin\AppData\Local\Temp\1mzdflhb\CSC2CEA7F5B4A204EAD88CAAED7CBB6F2A.TMP"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        113⤵
        
        PID:864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        113⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        113⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        113⤵
        
        PID:4228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tzlukrku\tzlukrku.cmdline"
        114⤵
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES524C.tmp" "c:\Users\Admin\AppData\Local\Temp\tzlukrku\CSC6AAD3D2E2AEA4F6399A524B5EBCA1A8D.TMP"
        115⤵
        
        PID:3520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        114⤵
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        114⤵
        
        PID:4424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        114⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        114⤵
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3vv54n5c\3vv54n5c.cmdline"
        115⤵
        
        PID:1524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54EC.tmp" "c:\Users\Admin\AppData\Local\Temp\3vv54n5c\CSC73520A9CD5A42BABBBBB3BCEC43CC5F.TMP"
        116⤵
        
        PID:2356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        115⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        115⤵
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q40yw1f1\q40yw1f1.cmdline"
        116⤵
        
        PID:4532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES576D.tmp" "c:\Users\Admin\AppData\Local\Temp\q40yw1f1\CSC9C1CEC568C9F480FA8BC37C431E38439.TMP"
        117⤵
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        116⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        116⤵
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwh1l2pu\hwh1l2pu.cmdline"
        117⤵
        
        PID:4956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A7A.tmp" "c:\Users\Admin\AppData\Local\Temp\hwh1l2pu\CSCAB8D397964D44309899D2238823DD42.TMP"
        118⤵
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        117⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        117⤵
        
        PID:648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2oyekyil\2oyekyil.cmdline"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D68.tmp" "c:\Users\Admin\AppData\Local\Temp\2oyekyil\CSC424A8BF3B3CF4F95A9361DF587D0B20.TMP"
        119⤵
        
        PID:4660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        118⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        118⤵
        
        PID:1536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vputcxld\vputcxld.cmdline"
        119⤵
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6047.tmp" "c:\Users\Admin\AppData\Local\Temp\vputcxld\CSCDDC7B6AAD8CA4BA79FAC4BB42AA49AC.TMP"
        120⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        119⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        119⤵
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1nardho2\1nardho2.cmdline"
        120⤵
        
        PID:364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6383.tmp" "c:\Users\Admin\AppData\Local\Temp\1nardho2\CSC185F412425A7418D8A1BFD53AAA0CCF.TMP"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        120⤵
        
        PID:1764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        120⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        120⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ctpokv4h\ctpokv4h.cmdline"
        121⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6642.tmp" "c:\Users\Admin\AppData\Local\Temp\ctpokv4h\CSC4B1EF2E58EDF480EACFA5B3DE639DAC.TMP"
        122⤵
        
        PID:4740
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        121⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        121⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcrngyva\xcrngyva.cmdline"
        122⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6901.tmp" "c:\Users\Admin\AppData\Local\Temp\xcrngyva\CSC6FD34BAA436844B19A39F51311BED0A4.TMP"
        123⤵
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        122⤵
        
        PID:3112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        122⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        122⤵
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwsdzyiq\jwsdzyiq.cmdline"
        123⤵
        
        PID:1788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C1E.tmp" "c:\Users\Admin\AppData\Local\Temp\jwsdzyiq\CSC57DFF1EA5A14C3AA17EC129FF086E7.TMP"
        124⤵
        
        PID:4408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        123⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        123⤵
        
        PID:964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2xopurhp\2xopurhp.cmdline"
        124⤵
        
        PID:2736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FA8.tmp" "c:\Users\Admin\AppData\Local\Temp\2xopurhp\CSCD7F3EF9658F74AD8B2A17E707575699D.TMP"
        125⤵
        
        PID:3140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        124⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        124⤵
        Checks computer location settings
        
        PID:3584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gxr3wekv\gxr3wekv.cmdline"
        125⤵
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72F4.tmp" "c:\Users\Admin\AppData\Local\Temp\gxr3wekv\CSCD25DAC4860594D07823A6A1E164AAC4.TMP"
        126⤵
        
        PID:4204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        125⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        125⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zitatov4\zitatov4.cmdline"
        126⤵
        
        PID:1400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7536.tmp" "c:\Users\Admin\AppData\Local\Temp\zitatov4\CSCCB79AFF23AC745AE887ADC4DEC447C9F.TMP"
        127⤵
        
        PID:4968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        126⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        126⤵
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3wc32jh4\3wc32jh4.cmdline"
        127⤵
        
        PID:948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77C6.tmp" "c:\Users\Admin\AppData\Local\Temp\3wc32jh4\CSC8632EBA58AF4B86BE9063453B1BEA69.TMP"
        128⤵
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        127⤵
        
        PID:3868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        127⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        127⤵
        
        PID:540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y214nabl\y214nabl.cmdline"
        128⤵
        
        PID:364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A56.tmp" "c:\Users\Admin\AppData\Local\Temp\y214nabl\CSC317276E52FBD404A98AFB436772F7896.TMP"
        129⤵
        
        PID:4800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        128⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        128⤵
        Checks computer location settings
        
        PID:436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2kcbx5mg\2kcbx5mg.cmdline"
        129⤵
        
        PID:1528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E3E.tmp" "c:\Users\Admin\AppData\Local\Temp\2kcbx5mg\CSC3088D238CBDA4A73A4B1F37CC9683B99.TMP"
        130⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        129⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        129⤵
        
        PID:4408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\va1o21ne\va1o21ne.cmdline"
        130⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82C3.tmp" "c:\Users\Admin\AppData\Local\Temp\va1o21ne\CSC490C63F546D241D0A670AE469B367C1E.TMP"
        131⤵
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        130⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ljbohbyw\ljbohbyw.cmdline"
        131⤵
        
        PID:4428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES861E.tmp" "c:\Users\Admin\AppData\Local\Temp\ljbohbyw\CSC54C33FEA746445D18EABF2C18099D88F.TMP"
        132⤵
        
        PID:3964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        131⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        131⤵
        Checks computer location settings
        
        PID:2812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\42f5fq3r\42f5fq3r.cmdline"
        132⤵
        
        PID:4692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89C8.tmp" "c:\Users\Admin\AppData\Local\Temp\42f5fq3r\CSC66C7A120F91B4B6ABBB1CF2911D1B55F.TMP"
        133⤵
        
        PID:1576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        132⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        132⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        132⤵
        
        PID:1472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rz2xfhje\rz2xfhje.cmdline"
        133⤵
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA6.tmp" "c:\Users\Admin\AppData\Local\Temp\rz2xfhje\CSC37F33D6E357F4288B23B41D64EE6B7AF.TMP"
        134⤵
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        133⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        133⤵
        Checks computer location settings
        
        PID:1192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\isvn3jsv\isvn3jsv.cmdline"
        134⤵
        
        PID:1176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ED8.tmp" "c:\Users\Admin\AppData\Local\Temp\isvn3jsv\CSC728CAAEFD9204A7592331D8298D8BE99.TMP"
        135⤵
        
        PID:396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        134⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        134⤵
        
        PID:756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3mzfrve\l3mzfrve.cmdline"
        135⤵
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9224.tmp" "c:\Users\Admin\AppData\Local\Temp\l3mzfrve\CSCFDBD9379E35F4BF79179F4BBD3D7FEF3.TMP"
        136⤵
        
        PID:3680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        135⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        135⤵
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sq1fll3x\sq1fll3x.cmdline"
        136⤵
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94D4.tmp" "c:\Users\Admin\AppData\Local\Temp\sq1fll3x\CSCFDB798AD3A2746A29A9DB0C258725987.TMP"
        137⤵
        
        PID:1612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        136⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        136⤵
        Checks computer location settings
        
        PID:4568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cmntzq1o\cmntzq1o.cmdline"
        137⤵
        
        PID:1148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9793.tmp" "c:\Users\Admin\AppData\Local\Temp\cmntzq1o\CSCACB4252E157140049CD09315CEFA81D1.TMP"
        138⤵
        
        PID:540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        137⤵
        
        PID:1804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        137⤵
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        137⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        137⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xicxo2uk\xicxo2uk.cmdline"
        138⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A62.tmp" "c:\Users\Admin\AppData\Local\Temp\xicxo2uk\CSCABBCB69D1AF9461897598A6DC6BDC19.TMP"
        139⤵
        
        PID:1392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        138⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        138⤵
        
        PID:3524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4jc4eix1\4jc4eix1.cmdline"
        139⤵
        
        PID:4812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D50.tmp" "c:\Users\Admin\AppData\Local\Temp\4jc4eix1\CSCC8492DA7D4FF47779751E870F7833488.TMP"
        140⤵
        
        PID:5108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        139⤵
        
        PID:3192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        139⤵
        
        PID:1544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        139⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        139⤵
        Checks computer location settings
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zshcwjmn\zshcwjmn.cmdline"
        140⤵
        
        PID:688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA01E.tmp" "c:\Users\Admin\AppData\Local\Temp\zshcwjmn\CSC72C317E2DE8C41C1BF257072F8614C65.TMP"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        140⤵
        
        PID:3012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        140⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        140⤵
        
        PID:4092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z3gxcux5\z3gxcux5.cmdline"
        141⤵
        
        PID:4776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2CE.tmp" "c:\Users\Admin\AppData\Local\Temp\z3gxcux5\CSCE57D538F226F4F989FCCA991CFC5A5F7.TMP"
        142⤵
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        141⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        141⤵
        
        PID:180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yjugzckd\yjugzckd.cmdline"
        142⤵
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA493.tmp" "c:\Users\Admin\AppData\Local\Temp\yjugzckd\CSC3E51F3DF927D463D89E6289918CA425A.TMP"
        143⤵
        
        PID:5100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        142⤵
        
        PID:4752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        142⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        142⤵
        
        PID:4844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ulqwnn2\1ulqwnn2.cmdline"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA629.tmp" "c:\Users\Admin\AppData\Local\Temp\1ulqwnn2\CSC7E3354E05A924137A8995E1F60BDAA74.TMP"
        144⤵
        
        PID:2512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        143⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        143⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkla0vy5\pkla0vy5.cmdline"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7B0.tmp" "c:\Users\Admin\AppData\Local\Temp\pkla0vy5\CSC75967EA737F94FE48EA160DFDE878972.TMP"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        144⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        144⤵
        
        PID:1136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gdzwztso\gdzwztso.cmdline"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA956.tmp" "c:\Users\Admin\AppData\Local\Temp\gdzwztso\CSCC2D1EDFD1F4AA88389BE957BFC644.TMP"
        146⤵
        
        PID:4544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        145⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        145⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkqw3i2d\rkqw3i2d.cmdline"
        146⤵
        
        PID:904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAADC.tmp" "c:\Users\Admin\AppData\Local\Temp\rkqw3i2d\CSC4583A96CB98A40D7BAD96EA9CDF758B5.TMP"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        146⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        146⤵
        
        PID:3464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1wqbdnq3\1wqbdnq3.cmdline"
        147⤵
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACA1.tmp" "c:\Users\Admin\AppData\Local\Temp\1wqbdnq3\CSCB4AE01A8115F4D368E7BFD1D2A43B2B3.TMP"
        148⤵
        
        PID:1084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        147⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        147⤵
        
        PID:4968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1c4cs0yb\1c4cs0yb.cmdline"
        148⤵
        
        PID:5020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE18.tmp" "c:\Users\Admin\AppData\Local\Temp\1c4cs0yb\CSC1CFBDC5529F045C3867B144DA0B2D4A.TMP"
        149⤵
        
        PID:4228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        148⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        148⤵
        
        PID:396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        148⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        148⤵
        
        PID:4472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umppwthp\umppwthp.cmdline"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFAF.tmp" "c:\Users\Admin\AppData\Local\Temp\umppwthp\CSC84CBEE132CF2436EAB7726625766C5.TMP"
        150⤵
        
        PID:4748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        149⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        149⤵
        
        PID:744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xphr33tp\xphr33tp.cmdline"
        150⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB155.tmp" "c:\Users\Admin\AppData\Local\Temp\xphr33tp\CSC902E6CD9F674DA0AB789F9F15157B1F.TMP"
        151⤵
        
        PID:1432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        150⤵
        
        PID:5108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        150⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        150⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xie4bc4m\xie4bc4m.cmdline"
        151⤵
        
        PID:808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2FA.tmp" "c:\Users\Admin\AppData\Local\Temp\xie4bc4m\CSC6813506731594718958D7E11EDE7EEB8.TMP"
        152⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        151⤵
        
        PID:1768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        151⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        151⤵
        Checks computer location settings
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l4c4gan1\l4c4gan1.cmdline"
        152⤵
        
        PID:904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4DF.tmp" "c:\Users\Admin\AppData\Local\Temp\l4c4gan1\CSCE648107FAA3E49098DBEF71F4276.TMP"
        153⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        152⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        152⤵
        
        PID:1524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ufsnagg\2ufsnagg.cmdline"
        153⤵
        
        PID:3112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB675.tmp" "c:\Users\Admin\AppData\Local\Temp\2ufsnagg\CSC78173C87D45F4306B1FA913F6619328.TMP"
        154⤵
        
        PID:1652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        153⤵
        
        PID:5100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        153⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        153⤵
        Checks computer location settings
        
        PID:2952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vozikldb\vozikldb.cmdline"
        154⤵
        
        PID:1544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7FC.tmp" "c:\Users\Admin\AppData\Local\Temp\vozikldb\CSC8DDE7D356057479EA822D8EF9DD5037.TMP"
        155⤵
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        154⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        154⤵
        Checks computer location settings
        
        PID:532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0fc3e3p\w0fc3e3p.cmdline"
        155⤵
        
        PID:4916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        156⤵
        
        PID:4512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9FF.tmp" "c:\Users\Admin\AppData\Local\Temp\w0fc3e3p\CSCAA3673A190D54E1285E1F4DFE2DB3DC9.TMP"
        156⤵
        
        PID:3464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        155⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        155⤵
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykxx1wlk\ykxx1wlk.cmdline"
        156⤵
        
        PID:224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB96.tmp" "c:\Users\Admin\AppData\Local\Temp\ykxx1wlk\CSCC44852E1C724F26872CD826ECF8D155.TMP"
        157⤵
        
        PID:708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        156⤵
        
        PID:3844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        156⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        156⤵
        
        PID:4520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anduqhwv\anduqhwv.cmdline"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD1C.tmp" "c:\Users\Admin\AppData\Local\Temp\anduqhwv\CSC3BA7297B58B04FA385F36F4C89E6DC8.TMP"
        158⤵
        
        PID:4472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        157⤵
        
        PID:5088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        157⤵
        
        PID:688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        157⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hdsuhdh5\hdsuhdh5.cmdline"
        158⤵
        
        PID:3140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEA3.tmp" "c:\Users\Admin\AppData\Local\Temp\hdsuhdh5\CSCCBB6F93FE547B39C4FBB52BE9B5F9B.TMP"
        159⤵
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        158⤵
        
        PID:2356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        158⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        158⤵
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvtssso1\vvtssso1.cmdline"
        159⤵
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC00A.tmp" "c:\Users\Admin\AppData\Local\Temp\vvtssso1\CSC67A83C943684A49985E2D67B47CD86.TMP"
        160⤵
        
        PID:1212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        159⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        159⤵
        
        PID:5100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zt50urwj\zt50urwj.cmdline"
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC172.tmp" "c:\Users\Admin\AppData\Local\Temp\zt50urwj\CSCD93B6D518FA749D69D42C412EF2EA187.TMP"
        161⤵
        
        PID:864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        160⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        160⤵
        Checks computer location settings
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cm42lchm\cm42lchm.cmdline"
        161⤵
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2F8.tmp" "c:\Users\Admin\AppData\Local\Temp\cm42lchm\CSC5E6E8A5F1B94247BBAAF8FB877CCF.TMP"
        162⤵
        
        PID:3288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        161⤵
        
        PID:1532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        161⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        161⤵
        
        PID:4580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zrkrmzaf\zrkrmzaf.cmdline"
        162⤵
        
        PID:3776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC46F.tmp" "c:\Users\Admin\AppData\Local\Temp\zrkrmzaf\CSCCA5A28E6585E4B809094B37214D6D3D4.TMP"
        163⤵
        
        PID:1432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        162⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        162⤵
        
        PID:4184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jl0ltsv1\jl0ltsv1.cmdline"
        163⤵
        
        PID:4488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC692.tmp" "c:\Users\Admin\AppData\Local\Temp\jl0ltsv1\CSC9557AFF2797048FAAE62751A9C34DE25.TMP"
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        163⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        163⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\33qfwphn\33qfwphn.cmdline"
        164⤵
        
        PID:1036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA3C.tmp" "c:\Users\Admin\AppData\Local\Temp\33qfwphn\CSCF12AC1A0CC8F4B1499F27164AE17561C.TMP"
        165⤵
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        164⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        164⤵
        
        PID:5088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4fcpxfg4\4fcpxfg4.cmdline"
        165⤵
        
        PID:4804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD97.tmp" "c:\Users\Admin\AppData\Local\Temp\4fcpxfg4\CSC5929705293FE4B91A4FF7C4E5CA2F0BC.TMP"
        166⤵
        
        PID:3952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        165⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wkkykrwy\wkkykrwy.cmdline"
        166⤵
        
        PID:4776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD315.tmp" "c:\Users\Admin\AppData\Local\Temp\wkkykrwy\CSCD6CCC4B513E844F3A14EAF2B3D13CE1.TMP"
        167⤵
        
        PID:3808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        166⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        166⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p2bmdpyz\p2bmdpyz.cmdline"
        167⤵
        
        PID:4828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD632.tmp" "c:\Users\Admin\AppData\Local\Temp\p2bmdpyz\CSC24C6133BA3940EBB5BEAA3F5147DA1D.TMP"
        168⤵
        
        PID:3288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        167⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        167⤵
        
        PID:4688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\emuvycpy\emuvycpy.cmdline"
        168⤵
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9EB.tmp" "c:\Users\Admin\AppData\Local\Temp\emuvycpy\CSC5BDD098EEFC94A38BB801F6DEFAEC42.TMP"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        168⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        168⤵
        Checks computer location settings
        
        PID:1804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kx3leh0c\kx3leh0c.cmdline"
        169⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDE3.tmp" "c:\Users\Admin\AppData\Local\Temp\kx3leh0c\CSC104B8586DDEA43E1BDBEEC49A7D3E0DD.TMP"
        170⤵
        
        PID:4576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        169⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        169⤵
        Checks computer location settings
        
        PID:4472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xufpsdmx\xufpsdmx.cmdline"
        170⤵
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0A2.tmp" "c:\Users\Admin\AppData\Local\Temp\xufpsdmx\CSCF6A383CC9E6645BB94E0439B5D4ABDE1.TMP"
        171⤵
        
        PID:3168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        170⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        170⤵
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e1l0xamv\e1l0xamv.cmdline"
        171⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:1128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3FD.tmp" "c:\Users\Admin\AppData\Local\Temp\e1l0xamv\CSCDFAF6D82D55E4AE9A46BDB6AC1B757D.TMP"
        172⤵
        
        PID:1036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        171⤵
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        171⤵
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        171⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        171⤵
        
        PID:3140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qikuurfi\qikuurfi.cmdline"
        172⤵
        
        PID:5108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE862.tmp" "c:\Users\Admin\AppData\Local\Temp\qikuurfi\CSC80BA1AD81E8348588A2383E4D08AB5AF.TMP"
        173⤵
        
        PID:1808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        172⤵
        
        PID:4520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        172⤵
        
        PID:4956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        172⤵
        
        PID:3976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        172⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        172⤵
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1sfio33j\1sfio33j.cmdline"
        173⤵
        
        PID:904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC2B.tmp" "c:\Users\Admin\AppData\Local\Temp\1sfio33j\CSCCDDC4E213C1E490EAB7256E0463B578.TMP"
        174⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        173⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        173⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ry33ffhi\ry33ffhi.cmdline"
        174⤵
        
        PID:212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFD5.tmp" "c:\Users\Admin\AppData\Local\Temp\ry33ffhi\CSCCB6DBB293CE447889E4DF454C720B1D7.TMP"
        175⤵
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        174⤵
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        174⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5npuhlmf\5npuhlmf.cmdline"
        175⤵
        
        PID:3368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF459.tmp" "c:\Users\Admin\AppData\Local\Temp\5npuhlmf\CSC6A6796956478452AB663C7CD70FBEA.TMP"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        175⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        175⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mxuf4x3b\mxuf4x3b.cmdline"
        176⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8DD.tmp" "c:\Users\Admin\AppData\Local\Temp\mxuf4x3b\CSC8EF79A3E504343B291DDC36A12F6F1E9.TMP"
        177⤵
        
        PID:3632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        176⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        176⤵
        Checks computer location settings
        
        PID:3416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hguyqvl0\hguyqvl0.cmdline"
        177⤵
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA6.tmp" "c:\Users\Admin\AppData\Local\Temp\hguyqvl0\CSC14879CE3524A4FB196B4DAF2AFCA5542.TMP"
        178⤵
        
        PID:4408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        177⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        177⤵
        
        PID:4500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        177⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        177⤵
        
        PID:1804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oznguh5p\oznguh5p.cmdline"
        178⤵
        
        PID:4236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D.tmp" "c:\Users\Admin\AppData\Local\Temp\oznguh5p\CSC71ED63C62549349EF87E97203830.TMP"
        179⤵
        
        PID:4800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        178⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        178⤵
        
        PID:4228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z45yd3ul\z45yd3ul.cmdline"
        179⤵
        
        PID:1636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BA.tmp" "c:\Users\Admin\AppData\Local\Temp\z45yd3ul\CSCFF1E26E2DF644AA9943157D923BF454.TMP"
        180⤵
        
        PID:3904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        179⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        179⤵
        
        PID:2036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e4pgveb5\e4pgveb5.cmdline"
        180⤵
        
        PID:1932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A8.tmp" "c:\Users\Admin\AppData\Local\Temp\e4pgveb5\CSCE03B012CCDD4044BC424A5E14B0B838.TMP"
        181⤵
        
        PID:2648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        180⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        180⤵
        
        PID:4812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cmv25e0f\cmv25e0f.cmdline"
        181⤵
        
        PID:376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8A.tmp" "c:\Users\Admin\AppData\Local\Temp\cmv25e0f\CSCC6F1533D7ED743839D3544F31A2E5F.TMP"
        182⤵
        
        PID:3528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        181⤵
        
        PID:4324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        181⤵
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        181⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        181⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kj0peews\kj0peews.cmdline"
        182⤵
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEC.tmp" "c:\Users\Admin\AppData\Local\Temp\kj0peews\CSC586CA3FC22DC4493ABD6A420ACD54FF5.TMP"
        183⤵
        
        PID:4356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        182⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        182⤵
        
        PID:4512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cqly5re3\cqly5re3.cmdline"
        183⤵
        
        PID:3712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES129F.tmp" "c:\Users\Admin\AppData\Local\Temp\cqly5re3\CSC2191C0DF891E46419774E082894E1582.TMP"
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        183⤵
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        183⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        183⤵
        
        PID:1036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c0bvvdfw\c0bvvdfw.cmdline"
        184⤵
        
        PID:3244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES156E.tmp" "c:\Users\Admin\AppData\Local\Temp\c0bvvdfw\CSC9F8F4D9349474DA9B6FA5C504AE3A6E6.TMP"
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        184⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        184⤵
        
        PID:1808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tle1vdw4\tle1vdw4.cmdline"
        185⤵
        
        PID:4236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17BF.tmp" "c:\Users\Admin\AppData\Local\Temp\tle1vdw4\CSCA69361B1EBC6419C9534D4D1246C14B.TMP"
        186⤵
        
        PID:2644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        185⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        185⤵
        Checks computer location settings
        
        PID:1276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\np24u01m\np24u01m.cmdline"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1ACD.tmp" "c:\Users\Admin\AppData\Local\Temp\np24u01m\CSC22EDEB94CF8D47C5A557ABEB6FD34.TMP"
        187⤵
        
        PID:4688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        186⤵
        
        PID:3976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        186⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        186⤵
        Checks computer location settings
        
        PID:2648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\asvat150\asvat150.cmdline"
        187⤵
        
        PID:532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D0F.tmp" "c:\Users\Admin\AppData\Local\Temp\asvat150\CSC1EE0089881F7475ABF1C4EA9E06DF0E7.TMP"
        188⤵
        
        PID:3212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        187⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        187⤵
        
        PID:4308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rua1y4vr\rua1y4vr.cmdline"
        188⤵
        
        PID:3868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES200C.tmp" "c:\Users\Admin\AppData\Local\Temp\rua1y4vr\CSC5A4314075188465CBFAF4C8DCB2E29BF.TMP"
        189⤵
        
        PID:4508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        188⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eagdbrji\eagdbrji.cmdline"
        189⤵
        
        PID:3168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22AC.tmp" "c:\Users\Admin\AppData\Local\Temp\eagdbrji\CSCBD2460033F6C40EC8475662961A63170.TMP"
        190⤵
        
        PID:4336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        189⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        189⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwn25ilg\nwn25ilg.cmdline"
        190⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES254C.tmp" "c:\Users\Admin\AppData\Local\Temp\nwn25ilg\CSCC939099E58364C84A3A5F123279ACD8C.TMP"
        191⤵
        
        PID:4924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        190⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        190⤵
        
        PID:436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\isi05vzq\isi05vzq.cmdline"
        191⤵
        
        PID:4436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES283A.tmp" "c:\Users\Admin\AppData\Local\Temp\isi05vzq\CSC1FD4CA4E39704874826D93E17897C85.TMP"
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        191⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        191⤵
        Checks computer location settings
        
        PID:4288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\onrafu4q\onrafu4q.cmdline"
        192⤵
        
        PID:3464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2ABB.tmp" "c:\Users\Admin\AppData\Local\Temp\onrafu4q\CSC63E74CC740D64763AE6CDA422AED151.TMP"
        193⤵
        
        PID:1304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        192⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        192⤵
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jffvrobw\jffvrobw.cmdline"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D2C.tmp" "c:\Users\Admin\AppData\Local\Temp\jffvrobw\CSCB3F9EABEFBC841948FF74359D9B813C3.TMP"
        194⤵
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        193⤵
        
        PID:3808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        193⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        193⤵
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iz1zh2k4\iz1zh2k4.cmdline"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES301A.tmp" "c:\Users\Admin\AppData\Local\Temp\iz1zh2k4\CSCDC9A718675D540738EB84DCB1670E948.TMP"
        195⤵
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        194⤵
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        194⤵
        
        PID:1300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        194⤵
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        194⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        194⤵
        
        PID:3640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kiatpsxx\kiatpsxx.cmdline"
        195⤵
        
        PID:376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3317.tmp" "c:\Users\Admin\AppData\Local\Temp\kiatpsxx\CSC5608F01ED5F54EE7AA928D5717217B4.TMP"
        196⤵
        
        PID:5088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        195⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        195⤵
        
        PID:2032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yevomkc2\yevomkc2.cmdline"
        196⤵
        
        PID:1792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES352B.tmp" "c:\Users\Admin\AppData\Local\Temp\yevomkc2\CSC38874F75D18E40B5ACE395A513837F3.TMP"
        197⤵
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        196⤵
        
        PID:1708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        196⤵
        
        PID:1716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        196⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        196⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\spq0sio3\spq0sio3.cmdline"
        197⤵
        
        PID:3412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3838.tmp" "c:\Users\Admin\AppData\Local\Temp\spq0sio3\CSC910CB7D02F2A4A80BAFEFC193C1D44A.TMP"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        197⤵
        
        PID:2852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        197⤵
        
        PID:1788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        197⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        197⤵
        Checks computer location settings
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfq2efoa\mfq2efoa.cmdline"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B26.tmp" "c:\Users\Admin\AppData\Local\Temp\mfq2efoa\CSC305DB448DA84B96ADCE3AD5D6D1F9F.TMP"
        199⤵
        
        PID:5112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        198⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\44ymk1xs\44ymk1xs.cmdline"
        199⤵
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DD5.tmp" "c:\Users\Admin\AppData\Local\Temp\44ymk1xs\CSC614371BEC2EE4362AED38BD87AEA1F.TMP"
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        199⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        199⤵
        Checks computer location settings
        
        PID:5048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cg0a4dtb\cg0a4dtb.cmdline"
        200⤵
        
        PID:392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40A4.tmp" "c:\Users\Admin\AppData\Local\Temp\cg0a4dtb\CSC644E662E29B34470B97857E7CDD2053.TMP"
        201⤵
        
        PID:408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        200⤵
        
        PID:212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        200⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        200⤵
        
        PID:3140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hc01f2td\hc01f2td.cmdline"
        201⤵
        
        PID:2900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42F6.tmp" "c:\Users\Admin\AppData\Local\Temp\hc01f2td\CSC9D90C0ACBC18433193C93559ABC1297C.TMP"
        202⤵
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        201⤵
        
        PID:1360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        201⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        201⤵
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2eqeum3f\2eqeum3f.cmdline"
        202⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44AB.tmp" "c:\Users\Admin\AppData\Local\Temp\2eqeum3f\CSC3E3359D120524082A5E08210892A4FD.TMP"
        203⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        202⤵
        
        PID:3952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        202⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        202⤵
        
        PID:1128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mqtzspnz\mqtzspnz.cmdline"
        203⤵
        
        PID:3540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4622.tmp" "c:\Users\Admin\AppData\Local\Temp\mqtzspnz\CSC90579B759C941EEA6FC95557BC04E.TMP"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        203⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        203⤵
        
        PID:3640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zavdrjky\zavdrjky.cmdline"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES477A.tmp" "c:\Users\Admin\AppData\Local\Temp\zavdrjky\CSC5E3C4593CC49499298CDF39FE34860B2.TMP"
        205⤵
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        204⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        204⤵
        Checks computer location settings
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xaotj3dz\xaotj3dz.cmdline"
        205⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48D2.tmp" "c:\Users\Admin\AppData\Local\Temp\xaotj3dz\CSC320ED9CD80B74D0393485A4C47F4DB.TMP"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        205⤵
        
        PID:4688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        205⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        205⤵
        Checks computer location settings
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnoatvmp\qnoatvmp.cmdline"
        206⤵
        
        PID:4020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A49.tmp" "c:\Users\Admin\AppData\Local\Temp\qnoatvmp\CSC994BD9931D6944B39B826A21FC744294.TMP"
        207⤵
        
        PID:4296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        206⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\samu2tpt\samu2tpt.cmdline"
        207⤵
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BB0.tmp" "c:\Users\Admin\AppData\Local\Temp\samu2tpt\CSCFE537D4EA50B4A04925DC44235DE6253.TMP"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        207⤵
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        207⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        207⤵
        
        PID:4872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\il4jroe0\il4jroe0.cmdline"
        208⤵
        
        PID:552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp" "c:\Users\Admin\AppData\Local\Temp\il4jroe0\CSCF85167B6CDE04EACB02C26178F112146.TMP"
        209⤵
        
        PID:3520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        208⤵
        
        PID:3212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        208⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        208⤵
        
        PID:744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nc31hcif\nc31hcif.cmdline"
        209⤵
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F2B.tmp" "c:\Users\Admin\AppData\Local\Temp\nc31hcif\CSC26586F07EA264D699D0A466641B91D6.TMP"
        210⤵
        
        PID:2860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        209⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        209⤵
        
        PID:3476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3rex1arp\3rex1arp.cmdline"
        210⤵
        
        PID:3928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5219.tmp" "c:\Users\Admin\AppData\Local\Temp\3rex1arp\CSC561B58E94F554F04B4616B4E1A109194.TMP"
        211⤵
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        210⤵
        
        PID:624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        210⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        210⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkdscown\gkdscown.cmdline"
        211⤵
        
        PID:3292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5516.tmp" "c:\Users\Admin\AppData\Local\Temp\gkdscown\CSC6B5649F6A14E49A79C3DA08AC0AAAA54.TMP"
        212⤵
        
        PID:4512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        211⤵
        
        PID:4592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        211⤵
        
        PID:3600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        211⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        211⤵
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5fuun23b\5fuun23b.cmdline"
        212⤵
        
        PID:2512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES594D.tmp" "c:\Users\Admin\AppData\Local\Temp\5fuun23b\CSC1DA8B3DDDBCA417E8A47553F39E94DFF.TMP"
        213⤵
        
        PID:60
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        212⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118.exe"
        212⤵
        
        PID:1112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\konn3ksv\konn3ksv.cmdline"
        213⤵
        
        PID:1956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BFC.tmp" "c:\Users\Admin\AppData\Local\Temp\konn3ksv\CSCDB69AF1ADAA14E00B4A097ADB48EAA9B.TMP"
        214⤵
        
        PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DictionaryToMapAdapter

Filesize
564KB

MD5
d86193a6ff3c76df08572915ee80f976

SHA1
44c9cf2894de5acb2b6f834de04335dffa061427

SHA256
4930ff20d7aadc7d93eee99e582a8ab83129e26aee6607a1a205a0ec8dbe242b

SHA512
5d3b3533f4ac7c0da4f4068fad3c568edf808479d0269046765cb57e8133591a6d6bfbbf7d6628ec8d66c6beda81343b3dd58fbecd4bf0c2a4260abc81edd067

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qiual5e\3qiual5e.dll

Filesize
379KB

MD5
3f247483e48acc7e6dcbce655bcacead

SHA1
1764118041e761659a41633f459f6fc16f989fd1

SHA256
498dc5e4556ea03a351979ff2dd2fda44bfdef354786241cf932422f15623573

SHA512
6435ec3cea3add787d6fc59ee3639d601b086f5b74ca4cd842298c41e533b9f0740004fa8e78f81de3eb5f1e6fbf30494b6cc1b17faacfadca404fa4685d6e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fmnoe3w\5fmnoe3w.dll

Filesize
379KB

MD5
938c6b13962a29b2e0fb95f2e13ef15a

SHA1
c0e77c9ba7620938e1956cd0a4ce7969f5b68a8c

SHA256
8642851db598ef8a379a4d2d812fe939aea750dd7a59c081db79d78118ee0c24

SHA512
445819db7ad7add1c3f8e30a0818f945d41478181333bf06d6c163985c512a2d10d0ab7171179767082c6c8d39a5fd19044aaa1999959b297100ba1ad595f67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1587.tmp

Filesize
1KB

MD5
6e5a04aacdd2d795dde6612392818a1e

SHA1
0272c7a909210a3df7b25cf7cb41aec2c2d52f96

SHA256
e14fbf7f39210ca98d291d70d2bb83154d50cc9cd59a203091f6d11af53e9864

SHA512
3d12af9d9d45e5d655f19606aa0f6f249c61bbec780c166bd32d96ec75c80ad87667dca5c20694cc3159b575e71f42b9d391c213fd7fc23f2b0049289b5edbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DF3.tmp

Filesize
1KB

MD5
ee86da7faf728fa5b4cbc27622eabad0

SHA1
41c305c235e7d5d0539b9a0c6c370264e3dee9ae

SHA256
be487cb4cf3923037db6181ce18b37caa876aee73d0ddf01a7f84440c0d2b6be

SHA512
206b05be437cc68ceb06df948610bc50731869b2c33e36f8bc385787396b51bf87e7e6679124ae05696327be5498748140b205e3e3f03b177b2dd32865e68f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES24D9.tmp

Filesize
1KB

MD5
b3c21ebbc5e083d7933d6b2aee68bafa

SHA1
0d2f06e231d62c26503073d1f2e27d77525bae0f

SHA256
92abc4409b6ffc5447ff9474583ddcc338061fe47270a75ddd1ed664dfceedad

SHA512
0bfcee0589b92f01a2208e00c1aeee341c21e3a41d5c17ed3c482e4b223798313e4715f58d50d179abc0e1e7a71040aece54707192048c9099e4451674cbc984

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES26AD.tmp

Filesize
1KB

MD5
769b6355e0e2cc85f94c34643e3e9a23

SHA1
e9b9ff758858d5ae275307eb8f9b8c332062e52b

SHA256
3818acce34991b4967ea4616aa44a76df8b3b9e557f314e52bbface0d41aa619

SHA512
dbf4da15a5f98bf5fa5c2434b1a445730df9682767c56dbf741b6f58ee14ba4899282efda80f10e43f969e309b01086672a76f6cdbfd73d633db2900c71e0788

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES292E.tmp

Filesize
1KB

MD5
7887402f09f12edc3030f06bab41857f

SHA1
e766c77f6993bbadb08d742421d054765357a91f

SHA256
dbc30a3ccedaaaf7df3e9fd8df1eec611d1e61c680f3371b75146b532ca1550e

SHA512
f2a258cad92675e5e3cdf4dd12a1f8fba3647a1583a11be12479abf800f3b1db7441da60db14b500300adcf602ef43b7ade3eae6f4a50ef1223caea5bfb03d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2BCE.tmp

Filesize
1KB

MD5
9161c577b3d9c8f1c1193417b25f2380

SHA1
1e65d26a092c40cfa7e8173f6c321d7d78f47451

SHA256
6f3097b316eec8d6f341833ce8675464d1d3f37706263f41db804d3d8a251904

SHA512
8b3844d775aa84d64f4d90e6b4545efa61abe9414790ad83f89effbc9cc5030c6892674d896ada4ace2eb4a98b57c02eae60d310abcd6729fd35563616ef6142

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2DF1.tmp

Filesize
1KB

MD5
0519a5a4bcf2547365db07feb3ecfd78

SHA1
3912a994f6971a0a40ce1f4bf6dc53c6874e637e

SHA256
71857a6bbb500a261a2692e0c8b2dd18f4c4dc3c682073d825439151d1c883cb

SHA512
90f20d91ee64ee1fd4e0d39ce495d36ce0336f7da4f39da43ccd2723d0d26b72bd3c59071a1b54413c4b4cb967ebc6a665e7cd9994b153e201e8126e22daa719

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3023.tmp

Filesize
1KB

MD5
8b54f35338a24532517206a05dadff60

SHA1
bbd664ed29f0732f251b312305df3f1def517089

SHA256
a7c9a9b8cb040f349db9efe1cb402dbb5c83fd1882678e8ffb3502023cefb345

SHA512
f6015a7715ff852b896d555100dc8e4ef29657e9bc444ae64c77ba6aba3827b6e19bf69411b006611836dbd53c547d968ea36239528d1513efa681fe954311a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES335F.tmp

Filesize
1KB

MD5
43967412eef4be90476211f527184eef

SHA1
2ffd0f44413479f5d6721e37bf044cdf2e568930

SHA256
1fd2af11a8d26bc83e0f4675e697c6f46005321d47ea9e46bd66f926d0ec41dc

SHA512
534015268987a63ed7e79421a009d8fb0b80d65543b982c2df7a0ac3b58bb379959c8658e44c554d1a82a9300ffc4454eafbced237ae86d5e122cb2d1af2f1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3582.tmp

Filesize
1KB

MD5
b534f7dd87509f5f7c2bbb21df8849a2

SHA1
07ab16538f76fd380148bd4aa4bc12b4f5532570

SHA256
2af6065f189068a1613a172f1a87faaf9257b304eac3d55b153a2d6c2fede3dc

SHA512
7d801f1e5adcc5a95600eaac7adc4ec01be29cda329cf9adf996a8c8555c20c309f63f943822c41ed5cae83768615b99d8149b015118acfd1e77d8bef63657b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d51w3gkb\d51w3gkb.dll

Filesize
379KB

MD5
3d0d068245e6b2063eef712b8f60f447

SHA1
0c19ba8410120da3ca373ca1bd9489464d7a4b43

SHA256
bf9db7bdb4505c35813f0515acbb146fe19f862ca9e2d00fb8a4d89128989afa

SHA512
c96f6089c893470506a752fab0ece7ef013de25e771de3936049d778906c39a6d83494c49c311be05d23edddd46474349464264f8cb676199c54f76f91d943dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnsn1ngj\fnsn1ngj.dll

Filesize
379KB

MD5
b90ff857c90dd3d2c54ad5ca40c99e56

SHA1
9bff5ad9671995624e6f5b97f891262a280e8650

SHA256
021b30bed81cce616639732173216713f063c25a44792fa7e972cea1fec4ac64

SHA512
5f603e05c0d3f0d5fc7b847f64cae69d119a6d226ac537d4fc6cdc9463752f4cd2b23dd2ad489e209d1b55ea019ee70a7fe3fee1f08eadd79ccbb5852f1707d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nf3me02c\nf3me02c.dll

Filesize
379KB

MD5
7c4e9a2103d4688aaab8b40bc29c49bb

SHA1
44d4c58d6f9a5774b805bd122b30ce539ef13a02

SHA256
a05176e8aef0fc2dde7f73715a26a3dda9aa7933a9c584ce71be7e0ae513a26f

SHA512
9e633725d46b305d0ece84a54cb4348be5e914944ce5d4856140a0bb77ec989c5968c7d89da21495c891bcd1523400257f93d2921af87e47f8bfa7149a33a1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qktpqfds\qktpqfds.dll

Filesize
379KB

MD5
d8d817395bca49e25b9615d9ec5cd847

SHA1
4cc778c3ba8c087afdbd6ecc0408fb8edd844b19

SHA256
8985ab1f109370e12e0be30c8e9ba27a86fc40c49c6c4f0fc365607eff7847c7

SHA512
dc3a5dc159d4dd1cbcd713c6867bdf007cf7f6b8ae1e0d1076c8eda3e1347b6648445ee90d882ca14180f5875350c138950879a600da915cefe5d173eecd4a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdhgm1iv\wdhgm1iv.dll

Filesize
379KB

MD5
3d1e80576e5b06008d9fedf629d6bb17

SHA1
ae9f7c3a6498cddc8e7b8da0a2eeed4ed8107afb

SHA256
d52afddb3b38f633d331ddbe44974272d8df0ef13da0511f8838e39e64b47ef9

SHA512
7efc48ba505896e8a74ab20aa50bd7862307092b2a9b01977503a9e24eb99162b01f931547eeb0e534888afeec2f95d22c9e91d1e286415e4f2091ca0273efa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwcks2r2\wwcks2r2.dll

Filesize
379KB

MD5
68301f89b1ecf85265fdb3c4f3ee79d0

SHA1
db6111d85ffb55227954c05e1ef0a7a8962c0abd

SHA256
6a826fafb3a1b44527a10c08657dba1c2b6d10d0e653ebeda122f1dc85a81270

SHA512
1d61a1b4dd27af2350e2d61f97374e8f91f9419928cdb6e7700ad0e149cc0c20a1815b505dc48b43b46375e1c486274193d1ba0892bc0853f3457c0b58ee5fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4cam23t\x4cam23t.dll

Filesize
379KB

MD5
b313a421133e0dda4faca0ddcb38286e

SHA1
3ffb9f3a3a4386a09a188250632b889335e4a78c

SHA256
3d6be682e9a04092a84331ae175ef67b77f1efcd01e892774d75ae17c76d674b

SHA512
cc0596c7cb5b937207a28febfff25c8c915608ffe9a0b06c519864cd877b2a7120ca5c43287aee9f94e87a8e11796db862d0285d73734c3ab7efd3f6d6ffc5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zp5m1nf1\zp5m1nf1.dll

Filesize
379KB

MD5
fff6e776596e08c63917e09b61a46d19

SHA1
142d1a79c2a57f0ee5dc5be4a4dcb4bd52f26dd1

SHA256
9a4d3b69b274aa0dfe2fb695b087288238fe476c415fde80857c8aa6851fed64

SHA512
bd4e0d8a5a15e13cdc328a11be6f79e94c4d79c25f481b1b1633a2196d33778b43e79e36124fcdaa6b3fb5ac31151019b4791d707c6c50a485ba9fc9e97bf5d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1194130065-3471212556-1656947724-1000\0f5007522459c86e95ffcc62f32308f1_a53bb4ca-6113-48bb-9609-441860fdd0d7

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1194130065-3471212556-1656947724-1000\0f5007522459c86e95ffcc62f32308f1_a53bb4ca-6113-48bb-9609-441860fdd0d7

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Filesize
460KB

MD5
cb41ab7f417be462a34754b5f862cbf6

SHA1
d03c1f82c582d9824b06d284225785432e976057

SHA256
e8be8e650e523ee3d17a389b2346bef51a7a83f6db16306f1d09456aea5dbe70

SHA512
668403a2856073173a95787c63adb9c435494dab41be0c3d04ab3386474182b3cd2e1f1397046b82203b88cd1c8ec004b6a8b3df89aa437f62f5738024d7a9b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3qiual5e\3qiual5e.cmdline

Filesize
302B

MD5
fe96d016275c3ca6d2094ce6d73501ba

SHA1
99d9d15b506210a3ca2d7e2fadc72b91b28fb72a

SHA256
a6d3a0c536d331130dd77ddcbca21a38d1b4d2706baca0595c122c0e97a9fff5

SHA512
41a586c316d125e74042eb797db5f21d24c1bd2f9f75f0ce72aaa10f0698f655d1de9a43aaaea4f7b725d64f17d41915b33441f813ea94d40946e6511861c42f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3qiual5e\CSC1AC2964737A74EA6BB151B23D3E4A51.TMP

Filesize
652B

MD5
506d3e6239668dbc2afc37cbd285940a

SHA1
f21604e035534b89e76384c2609c36589740883b

SHA256
bd297673d79b3fa138ef8b04024e79b0566dee1df2987f44de15ce5534a2f852

SHA512
a2e6b99482afd699df54a3c1d15cf9cb25c182734d58b2366ccb746c97ab1c368bae87500ea584bc4d4a880c090757412cc1cb8def9771074ba52449cb926946

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5fmnoe3w\5fmnoe3w.cmdline

Filesize
302B

MD5
a7680773571bfa81a8037b03f812f64a

SHA1
86a95842425300d27026807603d9dbdff8e5b054

SHA256
4af9dbf6f7985ce08b7df3a3d9bc826e0c6ed9e50873b492ec70cfdaa868b680

SHA512
e0d1b97f7489c22bdb35d4a23907eab958cb1c6b2bf5a48c479c5cf8929fce5dd031db2d445e886c9e6b5121e43785c98788c440f1b0b7c3c3bb8a0dfc4d5c96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5fmnoe3w\CSC8C65C6E2FA0A440A9E7332A43CF6A92.TMP

Filesize
652B

MD5
e096d151491dd61e9fb90821870666f0

SHA1
2bae901e4c25109821a369c79a51fad0a7de9997

SHA256
386c81ada5684000a68a5db59059961b2eb75cb0a09f09d3b82221df1070ad24

SHA512
b234da227b6b8ace96dbafc4dfd57b46c05a6747dbee9d3df509a0ef9f7ba8b7379c4a10042d9ed06459802606b62ec17e6cc994ec928b76c9d6fd597bc4cc96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bgukukb4\CSC94DB2C1133834911B6323C8C4F45E886.TMP

Filesize
652B

MD5
271b45a7fa964546e9b9356a148c9928

SHA1
4a8d0beca982724567efc34129d1024504815ce8

SHA256
dd249355d88105052338cb5954fd5c9585b2cbd6629199269b3f03668b30e73b

SHA512
1662ee9123775402c432a1b09e66d707a82f5a8a83af798746ee9840d978814b9b694b58a450d2d92c0894a57f457da3743fff2a7b930e0185c40396ad998298

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bgukukb4\bgukukb4.cmdline

Filesize
302B

MD5
655f04b639e3d5f3ab4840a799a0f6f2

SHA1
5c93e5a06dfcbb8c80d4cd492213b21292bbabf8

SHA256
64e301c9965aa06c3daf21d1abebe77cdeac76529e0e534a41bba90f0dc87438

SHA512
3e9cba0e6585e2910c7e08087d6c6de0f47eb06e4545fd045d58a6c2a4797f509904e95bbc37a9e9992f6d32be6fff775461f02edb3255ea83e9d2d409d07e39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d51w3gkb\CSC35B0E8C22D5B4588B4B23962686D76E3.TMP

Filesize
652B

MD5
4e404cadc5d284441d976a5a21fd14fb

SHA1
3596b5879b464a34738d7b4cd3af9426e5dd05b4

SHA256
12c7171b4ad8bc80c0c04678b25a13ff1c2cbbcd2bc5e5415d69dd01cfe11464

SHA512
edc1fed0f423dd6db8403b04941ad1bdc310922e86a55f7ebcb46f132afddd2b16854e51e0c3918ad169fbb8e884ec10b63d181d8d14622685368ccd5b2d1b88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d51w3gkb\d51w3gkb.cmdline

Filesize
302B

MD5
89239adfc7fbcdb10effcf0b30c62384

SHA1
cd0ff13357ab982845fa4058c6817fadee231c7e

SHA256
cf867044109737aa05792dbddc1da632e458b4a09e41c8449dae4ab2f37480a5

SHA512
3ec951cc48b2133c3999bf7afd33461be13248a62ead72575ad13482c4d07e70345027208a92842359e06a80aaf2254d0667401537ede348299e1f12e70a52cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fnsn1ngj\CSC85D70B238D8046EFA8A8BAC98999A9AD.TMP

Filesize
652B

MD5
ee8b9d5282d27471c34d7cd743116f35

SHA1
5e6ae58dcf156bdea1ebea90dcd6d8738f8111bc

SHA256
c282a3692cc048abe970f5c0b5e2239b62db2c96c3f7bb28bcd85dbffa1571d2

SHA512
f8baef42d3045ca4b4de965aa65b11291159f218b616c8068794665205565a06ed2347b5f838ae5d392e01b2d7f5b3a3c64779cb9c9c30d67e1bbc2a1d4c91db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fnsn1ngj\fnsn1ngj.cmdline

Filesize
302B

MD5
1c8ce48ee94a9de22c910efe62eae003

SHA1
1e97112994ebea3eae58e5ee6ae166ee9653afbe

SHA256
838350cd651ac11f16fede7cf46a25286a51198b2756991c985eb11b806bcbbf

SHA512
e339dd16c5c14e9bec63e64db72873d0dc0b5698d9838a042b22098792fc0f5f44156643ffadaac50db077229e2ebafe1487ef7164543624f8fd13a07b319387

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nf3me02c\CSC4F568DF8A2C548ACB6ECB4757CBBDA6.TMP

Filesize
652B

MD5
a96d288ee719e93b0d4383f43183c8b8

SHA1
b6a114b51c1886f12ddcc86ce5f944720154f352

SHA256
dc6aa302409cc6bd0f6b543076e7adb34db027d60ce168f01763b17e22a05ee4

SHA512
62c5739729a80ec8b90608f84abcce3031d4b1399a727933fa394555ac3b29c695352efafe2474da84ae6a00193d26362e8b7e9269cea0f743935fd3ad95bf0d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nf3me02c\nf3me02c.cmdline

Filesize
302B

MD5
cd6e1b76333439247bf5aceff45b97ce

SHA1
260acdeb4f0d8c8a8126a536d0c4881ebb612287

SHA256
05e2fb0f4c647e9de40dd03f061dc3be87b9c8a9580234b65261f3e187159196

SHA512
b5a043ed918fd8854738f1c2fca72f31dcbbccd9f5b607d3dfe65df829c9c1485d3e25c362fa1cd6ae103423f73ac4f2ae237532a8c3d680d5ec7d927e1cd1f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qktpqfds\CSC8422A786B3064B9DBD1AF2B01917250.TMP

Filesize
652B

MD5
7a541a33e8e1cca3d1b0b4049d03cb5e

SHA1
7db5d5a0da97a12e6db8b10b0e63a563e6b648bf

SHA256
fa48ccc8ab650a8d96d0aab36a6c3cac01ecba2065c7a908483814efab1a3cbc

SHA512
0f279d3d517906cafedd0b3e2a3ffec248dec05500db2261ecdb7420b27d372b740bbec36e67f849b00c982a83d5e6b0ec2cf595d47495754252abbab774a0bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qktpqfds\qktpqfds.cmdline

Filesize
302B

MD5
3a42a0ab2d78a26267a9bd5b55d0d6e1

SHA1
d108a1f53c60bd3f357bddfd19bcdcfbc0769c41

SHA256
5a06fe72f842597612d54dad2446bddf6e9b73c6c27ef878db9f8c5404d0d502

SHA512
9bbcd0bff873c9284a84895e1cb88a1fb4ad040ff73ab7d1a35a03a8d0455037a3b8b90e27a76a17de9e17f59a965d8170d73b643c659b36618cdb8f97f1bbc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wdhgm1iv\CSC51773776F75C42B98D53C16C6E979DDA.TMP

Filesize
652B

MD5
fbf03af5b69aaeba51f59a0182977da5

SHA1
547cd401c90803e3299338309e7b6669de2cd3df

SHA256
8029a16d0e43521f8a3de3b67f50fb2fbabb6c2986455f30437f3d3eedd414b6

SHA512
cf582a40a0fc2e1db905ff6d08dcc319cac4c7670f05d94bafb0ce3f9cf53854cf7337ff2fb9523698f697dbe77fdf7741ac225d759545d25f338c76eb2bf07f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wdhgm1iv\wdhgm1iv.0.cs

Filesize
564KB

MD5
51efd210d3488390f723d0ab82c87698

SHA1
5aea69461249d93a0b9786eddd8cd414f09368c8

SHA256
21079b3584758cd5b87dd69ef99fe2dfe1b342794c40bab22d45cfd3a37329ad

SHA512
131e0fc1a6f0c19c216015864f50b293ff108f7cf96b1f19bb49fb38ceb6c9b279d617f66277983f9f1f45284d16b6b9e30c98fc8d9cd94fa06b3a9a8b4142fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wdhgm1iv\wdhgm1iv.cmdline

Filesize
302B

MD5
445e6989449d2a909a9faa5c0441084b

SHA1
795b56447788dd2189c69c153f6d9f29fb7ee724

SHA256
ee2c715e284638cd045d2e77c97e034d2cb5f9121d345252eda204499831dde5

SHA512
dd8d08dcff7e26c4f90fe5b09437ee6742828f7704464ef326b13bdaa31f6cfd8191e2975347b32161f77e3cad9b36aee98669943809f4a559b9496356c03729

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wwcks2r2\CSCA1787902EDE441AC8DCD9998F8B056BE.TMP

Filesize
652B

MD5
1906f0e8e243f59c13526980cfac77f7

SHA1
87a0b05fc096226d25d52058cd6b71772236318f

SHA256
5c4f340618533f309c2959c78ded77dcc52230bdd0275b048c8ad58569449f43

SHA512
9541f049279688fe2521355dd2ae28099ea07f339f76be534c76c1a87ca8b9a6eb7fd9d5849b66d7c802ce99271f695c34975090f2c13958ece9e4aa969537ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wwcks2r2\wwcks2r2.cmdline

Filesize
302B

MD5
652457d572b95539edd857f0329274f2

SHA1
e75e94d9bbc71d042ea27a889a92b18787296ab8

SHA256
62f54ba6f9241e0cdfe29091544ba5ebe968f32cea1e3fbd67993ad598ac7f32

SHA512
ed12b1f997a8bd4c13384b46c5859a3b39b898db22705c04f398e80b95cfab42e73fecd3ceca7e712c08a5de225d2c0ca0bbb33bfd0a875f15717b27425338bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4cam23t\CSCD456412147704757A5548F53251A33B.TMP

Filesize
652B

MD5
a293424d537f446bd54eb1bc6399c312

SHA1
72004ca160ecf1870f24a28813e5807ae8b1c643

SHA256
5136e1664bbedea8ef2b2023af1d2daef0520e3c18094eeba1ea2e4f6e8a5e65

SHA512
4406042a5580b7f6500d19a6ea635d6324b46af8abcd0b44a4452ddd5cc2ca483d3aa48d57642a7e418a92d6be1aebaa116c9a06da991f1c436cd2fa8b8be469

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4cam23t\x4cam23t.cmdline

Filesize
302B

MD5
83ae5ea0e66ac5a87075b5152afe8729

SHA1
e639dfa9623a4e9b20b7618450addd8abdaa9f49

SHA256
b0eebd5b61e0717c7bd12203d4ea7e4b3e8c01c46a0561eec36d1dd09ca9f799

SHA512
e2d31370767fcb6677f030a58817dd6123187c5325ef2e1b74acb53162a5099cc5099d560e6199a84c56a452efbbee6290b406936b3a16511f77031aa69f4429

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zp5m1nf1\CSC200CFC30D1CA47629C2C564A2629CF39.TMP

Filesize
652B

MD5
7181b8788202982f53da488cb9e697d5

SHA1
1b19670b73b698e1f480cbc0e13b81a9bbc3d95c

SHA256
1d2b6b53902b55d7fa36e868ff7ffdabc7819d6f238d942d3f21dfd6760da10c

SHA512
e92e54e42ba172b94a2b46086435cf8680ab7fa6a9194c4bf9c4c99b53b625dfb971f56e404cf17ef61b5c42a2837f2f1305e1ca925a385570a1e3a2e075a198

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zp5m1nf1\zp5m1nf1.cmdline

Filesize
302B

MD5
a1eb523a09be675ff1010f9a89787e3b

SHA1
07b8ac573431e682fbd6ff0f33bcc4d1480d61a7

SHA256
0aa60ddbf624a3b1ce2d9b0ce3250b9caf37927237b87ee80a13e5400f980553

SHA512
f34dafe960f6f14e63d44c8ebec86ad07d467835cac74e55e6db9a4d7dbd238bb025a968c97fbe1d75a4e2096bb03e7097d42c28a3a80d7fbdf0b927486c7ae6

Download Submit
memory/212-790-0x0000000004DC0000-0x0000000004E26000-memory.dmp

Filesize
408KB

Download
memory/376-647-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/412-182-0x0000000003480000-0x00000000034E6000-memory.dmp

Filesize
408KB

Download
memory/532-1050-0x0000000004AD0000-0x0000000004B36000-memory.dmp

Filesize
408KB

Download
memory/540-1011-0x00000000050D0000-0x0000000005136000-memory.dmp

Filesize
408KB

Download
memory/552-556-0x0000000004C90000-0x0000000004CF6000-memory.dmp

Filesize
408KB

Download
memory/552-998-0x0000000004CB0000-0x0000000004D16000-memory.dmp

Filesize
408KB

Download
memory/716-881-0x0000000004920000-0x0000000004986000-memory.dmp

Filesize
408KB

Download
memory/808-1167-0x0000000002730000-0x0000000002796000-memory.dmp

Filesize
408KB

Download
memory/856-738-0x0000000004A80000-0x0000000004AE6000-memory.dmp

Filesize
408KB

Download
memory/1004-686-0x00000000052D0000-0x0000000005336000-memory.dmp

Filesize
408KB

Download
memory/1080-842-0x0000000003480000-0x00000000034E6000-memory.dmp

Filesize
408KB

Download
memory/1248-660-0x0000000004820000-0x0000000004886000-memory.dmp

Filesize
408KB

Download
memory/1300-1154-0x0000000002750000-0x00000000027B6000-memory.dmp

Filesize
408KB

Download
memory/1308-105-0x00000000010C0000-0x0000000001126000-memory.dmp

Filesize
408KB

Download
memory/1360-777-0x0000000004F00000-0x0000000004F66000-memory.dmp

Filesize
408KB

Download
memory/1468-25-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1468-17-0x0000000004C60000-0x0000000004CC6000-memory.dmp

Filesize
408KB

Download
memory/1468-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/1468-89-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1468-1-0x0000000000320000-0x0000000000398000-memory.dmp

Filesize
480KB

Download
memory/1468-19-0x0000000004CC0000-0x0000000004CEA000-memory.dmp

Filesize
168KB

Download
memory/1468-7-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1468-21-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1544-673-0x0000000002E00000-0x0000000002E66000-memory.dmp

Filesize
408KB

Download
memory/1612-972-0x0000000002A70000-0x0000000002AD6000-memory.dmp

Filesize
408KB

Download
memory/1628-374-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/1632-595-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/1636-1219-0x0000000002D60000-0x0000000002DC6000-memory.dmp

Filesize
408KB

Download
memory/1660-220-0x0000000002BD0000-0x0000000002C36000-memory.dmp

Filesize
408KB

Download
memory/1748-304-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1748-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1748-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1748-22-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1764-42-0x0000000005030000-0x0000000005096000-memory.dmp

Filesize
408KB

Download
memory/1892-920-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/1932-1102-0x0000000004A30000-0x0000000004A96000-memory.dmp

Filesize
408KB

Download
memory/1956-907-0x0000000005020000-0x0000000005086000-memory.dmp

Filesize
408KB

Download
memory/1980-201-0x0000000004B30000-0x0000000004B96000-memory.dmp

Filesize
408KB

Download
memory/2056-413-0x0000000004E70000-0x0000000004ED6000-memory.dmp

Filesize
408KB

Download
memory/2072-816-0x00000000028C0000-0x0000000002926000-memory.dmp

Filesize
408KB

Download
memory/2168-959-0x0000000004BE0000-0x0000000004C46000-memory.dmp

Filesize
408KB

Download
memory/2188-400-0x0000000002730000-0x0000000002796000-memory.dmp

Filesize
408KB

Download
memory/2188-1141-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/2252-387-0x0000000004AD0000-0x0000000004B36000-memory.dmp

Filesize
408KB

Download
memory/2348-1037-0x0000000004970000-0x00000000049D6000-memory.dmp

Filesize
408KB

Download
memory/2452-764-0x00000000030E0000-0x0000000003146000-memory.dmp

Filesize
408KB

Download
memory/2452-582-0x0000000004D60000-0x0000000004DC6000-memory.dmp

Filesize
408KB

Download
memory/2480-335-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/2492-426-0x0000000005060000-0x00000000050C6000-memory.dmp

Filesize
408KB

Download
memory/2568-322-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/2592-1115-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/2624-491-0x0000000004870000-0x00000000048D6000-memory.dmp

Filesize
408KB

Download
memory/2784-1180-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/2840-894-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/3016-144-0x0000000001870000-0x00000000018D6000-memory.dmp

Filesize
408KB

Download
memory/3120-348-0x0000000005020000-0x0000000005086000-memory.dmp

Filesize
408KB

Download
memory/3144-634-0x00000000032B0000-0x0000000003316000-memory.dmp

Filesize
408KB

Download
memory/3176-125-0x00000000029E0000-0x0000000002A46000-memory.dmp

Filesize
408KB

Download
memory/3220-855-0x0000000004A30000-0x0000000004A96000-memory.dmp

Filesize
408KB

Download
memory/3224-309-0x0000000004A80000-0x0000000004AE6000-memory.dmp

Filesize
408KB

Download
memory/3236-725-0x0000000004FD0000-0x0000000005036000-memory.dmp

Filesize
408KB

Download
memory/3360-439-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/3384-269-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/3464-1024-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/3480-621-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/3512-868-0x0000000004D60000-0x0000000004DC6000-memory.dmp

Filesize
408KB

Download
memory/3524-465-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/3528-1193-0x0000000001E60000-0x0000000001EC6000-memory.dmp

Filesize
408KB

Download
memory/3632-452-0x00000000028C0000-0x0000000002926000-memory.dmp

Filesize
408KB

Download
memory/3836-504-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/3940-569-0x0000000003100000-0x0000000003166000-memory.dmp

Filesize
408KB

Download
memory/4008-530-0x0000000004810000-0x0000000004876000-memory.dmp

Filesize
408KB

Download
memory/4080-751-0x0000000004B50000-0x0000000004BB6000-memory.dmp

Filesize
408KB

Download
memory/4184-295-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/4208-256-0x0000000002330000-0x0000000002396000-memory.dmp

Filesize
408KB

Download
memory/4296-1257-0x0000000004820000-0x0000000004886000-memory.dmp

Filesize
408KB

Download
memory/4312-1206-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/4324-239-0x0000000005160000-0x00000000051C6000-memory.dmp

Filesize
408KB

Download
memory/4344-946-0x0000000001AC0000-0x0000000001B26000-memory.dmp

Filesize
408KB

Download
memory/4380-361-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/4428-699-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/4436-1063-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/4444-517-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/4460-829-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/4476-933-0x0000000004CE0000-0x0000000004D46000-memory.dmp

Filesize
408KB

Download
memory/4484-282-0x0000000002790000-0x00000000027F6000-memory.dmp

Filesize
408KB

Download
memory/4500-803-0x00000000049F0000-0x0000000004A56000-memory.dmp

Filesize
408KB

Download
memory/4748-985-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/4816-478-0x0000000005190000-0x00000000051F6000-memory.dmp

Filesize
408KB

Download
memory/4828-1232-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/4868-543-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/4920-608-0x0000000002630000-0x0000000002696000-memory.dmp

Filesize
408KB

Download
memory/4956-1128-0x00000000027C0000-0x0000000002826000-memory.dmp

Filesize
408KB

Download
memory/5020-712-0x00000000048D0000-0x0000000004936000-memory.dmp

Filesize
408KB

Download
memory/5028-1076-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/5032-1089-0x0000000004A50000-0x0000000004AB6000-memory.dmp

Filesize
408KB

Download
memory/5064-163-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download