agenttesla | 627f8214e9589ca767888fd3a4ad42ad7d0aa1dd422f5006538ed5e422c21f38

Analysis

max time kernel
72s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Size

1.3MB
MD5

e55fedd6c22acd3a7f5952c827f1dd3c
SHA1

0571e0f30bca6b88d569f035097600de639c6a44
SHA256

627f8214e9589ca767888fd3a4ad42ad7d0aa1dd422f5006538ed5e422c21f38
SHA512

8adb9faf3aae6c0dce6d90af0f64017ce3de698f4a40b7159fba6b6eca5cec40df3e29f56a2a04a65f596028324801c5946df2e5ed176d5659a2e17a2eedce1c
SSDEEP

12288:+ALF+FEkNXkH62mgZ6qO23a0c1LD33T38Iu65nDz4o5LePnR1HvH9nc+Hoq:ZsEkNMmB3L4WI15lvKkoq

Score

10^/10

agenttesla agilenet collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/684-5-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/3356-2-0x00000000052D0000-0x000000000533E000-memory.dmp	agile_net

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 12 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroApp = "C:\\Users\\Admin\\AppData\\Roaming\\MicroApp\\MicroApp.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroApp = "C:\\Users\\Admin\\AppData\\Roaming\\MicroApp\\MicroApp.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroApp = "C:\\Users\\Admin\\AppData\\Roaming\\MicroApp\\MicroApp.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroApp = "C:\\Users\\Admin\\AppData\\Roaming\\MicroApp\\MicroApp.exe"	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3356 set thread context of 684	3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	82
PID 2264 set thread context of 3148	2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	85
PID 1952 set thread context of 2572	1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	87
PID 3976 set thread context of 3092	3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	89
PID 996 set thread context of 1816	996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	91
PID 2096 set thread context of 4772	2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	93
PID 3692 set thread context of 4360	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	97
PID 528 set thread context of 1056	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	100
PID 1724 set thread context of 4280	1724	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	108
PID 4304 set thread context of 4076	4304	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	110
PID 1184 set thread context of 2296	1184	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	114
PID 216 set thread context of 3252	216	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	117
PID 1988 set thread context of 4352	1988	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	120
PID 4980 set thread context of 532	4980	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	122
PID 2028 set thread context of 3840	2028	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	124
PID 828 set thread context of 1776	828	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	127
PID 3536 set thread context of 2576	3536	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	129
PID 956 set thread context of 3152	956	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	131
PID 3100 set thread context of 3340	3100	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	134
PID 2112 set thread context of 3824	2112	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	136
PID 3524 set thread context of 4232	3524	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	138
PID 312 set thread context of 3976	312	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	143
PID 4996 set thread context of 3416	4996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	146
PID 1576 set thread context of 4800	1576	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	149
PID 1696 set thread context of 5080	1696	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	153
PID 1624 set thread context of 4996	1624	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	155
PID 5200 set thread context of 5244	5200	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	158
PID 5328 set thread context of 5356	5328	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	160
PID 5452 set thread context of 5488	5452	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	197
PID 5600 set thread context of 5648	5600	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	166
PID 5720 set thread context of 5812	5720	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	168
PID 5948 set thread context of 5992	5948	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	172
PID 6068 set thread context of 6124	6068	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	175
PID 4120 set thread context of 216	4120	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	177
PID 5236 set thread context of 1624	5236	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	179
PID 4236 set thread context of 5296	4236	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	181
PID 5528 set thread context of 3432	5528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	184
PID 5516 set thread context of 5020	5516	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	187
PID 456 set thread context of 5196	456	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	189
PID 3720 set thread context of 2972	3720	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	193
PID 2420 set thread context of 3916	2420	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	196
PID 5488 set thread context of 1364	5488	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	198
PID 3608 set thread context of 5248	3608	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	324
PID 1844 set thread context of 3848	1844	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	309
PID 5372 set thread context of 2284	5372	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	205
PID 4352 set thread context of 4364	4352	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	207
PID 228 set thread context of 836	228	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	209
PID 1944 set thread context of 4360	1944	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	211
PID 3928 set thread context of 5652	3928	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	216
PID 5884 set thread context of 5712	5884	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	219
PID 904 set thread context of 5968	904	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	222
PID 4824 set thread context of 5252	4824	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	226
PID 1328 set thread context of 5496	1328	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	228
PID 4244 set thread context of 5096	4244	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	286
PID 3192 set thread context of 5140	3192	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	232
PID 4048 set thread context of 2112	4048	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	332
PID 3228 set thread context of 1088	3228	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	273
PID 1748 set thread context of 1448	1748	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	390
PID 3152 set thread context of 392	3152	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	241
PID 868 set thread context of 3300	868	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	243
PID 4404 set thread context of 5596	4404	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	245
PID 5876 set thread context of 2276	5876	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	247
PID 2444 set thread context of 64	2444	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	428
PID 448 set thread context of 940	448	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	251

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1724	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1724	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1724	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1724	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1724	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1724	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1724	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
4304	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1184	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
216	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
216	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1988	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
4980	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
2028	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
828	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
828	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3536	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
956	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3100	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
2112	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3524	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
312	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
312	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
312	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
312	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
4996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1576	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1696	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1696	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1696	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
1624	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5200	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5200	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5328	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5452	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5600	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5600	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5600	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5720	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5948	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5948	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5948	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
6068	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
6068	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
4120	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5236	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
4236	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5516	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
5516	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
456	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
3720	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1724	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4304	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1184	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	216	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1988	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4980	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	2028	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	828	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3536	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	956	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3100	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	2112	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3524	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	312	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1576	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1696	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1624	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5200	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5328	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5452	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5600	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	684	RegAsm.exe
Token: SeDebugPrivilege	5720	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5948	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	6068	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4120	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5236	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4236	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5516	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	456	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3720	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	2420	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5488	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3608	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1844	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5372	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4352	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	228	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1944	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3928	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5884	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	904	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4824	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1328	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4244	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3192	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4048	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3228	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	1748	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3152	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5812	RegAsm.exe
Token: SeDebugPrivilege	868	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4404	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
Token: SeDebugPrivilege	5876	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 684	3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	82
PID 3356 wrote to memory of 684	3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	82
PID 3356 wrote to memory of 684	3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	82
PID 3356 wrote to memory of 684	3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	82
PID 3356 wrote to memory of 2264	3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	84
PID 3356 wrote to memory of 2264	3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	84
PID 3356 wrote to memory of 2264	3356	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	84
PID 2264 wrote to memory of 3148	2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	85
PID 2264 wrote to memory of 3148	2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	85
PID 2264 wrote to memory of 3148	2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	85
PID 2264 wrote to memory of 3148	2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	85
PID 2264 wrote to memory of 1952	2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	86
PID 2264 wrote to memory of 1952	2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	86
PID 2264 wrote to memory of 1952	2264	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	86
PID 1952 wrote to memory of 2572	1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	87
PID 1952 wrote to memory of 2572	1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	87
PID 1952 wrote to memory of 2572	1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	87
PID 1952 wrote to memory of 2572	1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	87
PID 1952 wrote to memory of 3976	1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	88
PID 1952 wrote to memory of 3976	1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	88
PID 1952 wrote to memory of 3976	1952	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	88
PID 3976 wrote to memory of 3092	3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	89
PID 3976 wrote to memory of 3092	3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	89
PID 3976 wrote to memory of 3092	3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	89
PID 3976 wrote to memory of 3092	3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	89
PID 3976 wrote to memory of 996	3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	90
PID 3976 wrote to memory of 996	3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	90
PID 3976 wrote to memory of 996	3976	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	90
PID 996 wrote to memory of 1816	996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	91
PID 996 wrote to memory of 1816	996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	91
PID 996 wrote to memory of 1816	996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	91
PID 996 wrote to memory of 1816	996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	91
PID 996 wrote to memory of 2096	996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	92
PID 996 wrote to memory of 2096	996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	92
PID 996 wrote to memory of 2096	996	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	92
PID 2096 wrote to memory of 4772	2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	93
PID 2096 wrote to memory of 4772	2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	93
PID 2096 wrote to memory of 4772	2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	93
PID 2096 wrote to memory of 4772	2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	93
PID 2096 wrote to memory of 3692	2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	94
PID 2096 wrote to memory of 3692	2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	94
PID 2096 wrote to memory of 3692	2096	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	94
PID 3692 wrote to memory of 3864	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	95
PID 3692 wrote to memory of 3864	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	95
PID 3692 wrote to memory of 3864	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	95
PID 3692 wrote to memory of 3536	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	128
PID 3692 wrote to memory of 3536	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	128
PID 3692 wrote to memory of 3536	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	128
PID 3692 wrote to memory of 4360	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	97
PID 3692 wrote to memory of 4360	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	97
PID 3692 wrote to memory of 4360	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	97
PID 3692 wrote to memory of 4360	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	97
PID 3692 wrote to memory of 528	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	98
PID 3692 wrote to memory of 528	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	98
PID 3692 wrote to memory of 528	3692	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	98
PID 528 wrote to memory of 4492	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	99
PID 528 wrote to memory of 4492	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	99
PID 528 wrote to memory of 4492	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	99
PID 528 wrote to memory of 1056	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	100
PID 528 wrote to memory of 1056	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	100
PID 528 wrote to memory of 1056	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	100
PID 528 wrote to memory of 1056	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	100
PID 528 wrote to memory of 1724	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	101
PID 528 wrote to memory of 1724	528	e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe	101

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3148
- - C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1816
      - C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        7⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:3536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        8⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:4520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:5028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:1916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:1684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:3416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        10⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        11⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:4832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        13⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        14⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:4972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        17⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        18⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        20⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        21⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        22⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:4120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:4980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        24⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:3524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:4824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        27⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:5236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        28⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        29⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:5632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:5640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        Accesses Microsoft Outlook profiles
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:5976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:5984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        33⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:6116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        34⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        35⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        36⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        37⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:4836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        38⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        39⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        40⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:5272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        41⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:3912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        42⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        43⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        44⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:2476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        45⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        46⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        47⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        48⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        49⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:5796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:5820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:5632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        50⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:5704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        51⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        52⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        53⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        54⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        56⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:5136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        57⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        58⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        59⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        60⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        Accesses Microsoft Outlook profiles
        Adds Run key to start application
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        61⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        62⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        63⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:2444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        65⤵
        Checks computer location settings
        
        PID:5660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:4224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:3192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        67⤵
        
        PID:5576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        
        PID:5432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        68⤵
        
        PID:5456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:4344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        69⤵
        Checks computer location settings
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:6100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        72⤵
        Checks computer location settings
        
        PID:636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        73⤵
        
        PID:1320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        74⤵
        
        PID:4016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        
        PID:4132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        
        PID:4936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:5384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        78⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        78⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        79⤵
        Checks computer location settings
        
        PID:4708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        80⤵
        
        PID:228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        81⤵
        Checks computer location settings
        
        PID:5700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        82⤵
        Checks computer location settings
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        83⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        85⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        85⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        86⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        86⤵
        
        PID:5908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        87⤵
        Checks computer location settings
        
        PID:660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        88⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        89⤵
        Checks computer location settings
        
        PID:3848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        90⤵
        Checks computer location settings
        
        PID:5524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        91⤵
        Accesses Microsoft Outlook profiles
        Adds Run key to start application
        outlook_office_path
        outlook_win_path
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        91⤵
        Checks computer location settings
        
        PID:216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        92⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        92⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        93⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        94⤵
        Checks computer location settings
        
        PID:5256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        95⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        95⤵
        
        PID:5780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        96⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        96⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        97⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        97⤵
        Checks computer location settings
        
        PID:6032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        99⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        100⤵
        
        PID:5504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        
        PID:5152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        101⤵
        
        PID:3984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        102⤵
        
        PID:5440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        103⤵
        Checks computer location settings
        
        PID:4224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        104⤵
        Checks computer location settings
        
        PID:1332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        105⤵
        
        PID:4104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        106⤵
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        106⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        107⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        107⤵
        Checks computer location settings
        
        PID:604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        108⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        108⤵
        Checks computer location settings
        
        PID:3720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        109⤵
        Checks computer location settings
        
        PID:5512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        110⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        111⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        112⤵
        
        PID:1948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        112⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        112⤵
        Checks computer location settings
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        113⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        
        PID:4128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        115⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        115⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        116⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        116⤵
        Checks computer location settings
        
        PID:4332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        117⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        117⤵
        
        PID:5240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        118⤵
        Checks computer location settings
        
        PID:5068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        119⤵
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        119⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        119⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        120⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        120⤵
        Checks computer location settings
        
        PID:904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        121⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        121⤵
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        122⤵
        
        PID:3264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:4936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:5496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        123⤵
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        124⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        124⤵
        
        PID:5580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        125⤵
        
        PID:4356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        126⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        126⤵
        
        PID:4032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        127⤵
        
        PID:1940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        127⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        127⤵
        
        PID:3572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        128⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        128⤵
        
        PID:3780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        129⤵
        
        PID:3724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        129⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        129⤵
        
        PID:5188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        130⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        130⤵
        
        PID:4132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        131⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        131⤵
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        132⤵
        
        PID:4760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        133⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        133⤵
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        134⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        134⤵
        
        PID:1920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        135⤵
        
        PID:3188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        135⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        135⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        136⤵
        
        PID:1812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        137⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        137⤵
        
        PID:340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        138⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        138⤵
        
        PID:1844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        139⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        139⤵
        
        PID:4124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        140⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        140⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        140⤵
        
        PID:2576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        141⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        141⤵
        
        PID:1100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        142⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        142⤵
        
        PID:6092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        143⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        143⤵
        
        PID:3316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        144⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        144⤵
        
        PID:312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:1940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        145⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        145⤵
        
        PID:1980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        146⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        146⤵
        
        PID:3572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        147⤵
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        147⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        147⤵
        
        PID:5188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        148⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        148⤵
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        149⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        149⤵
        
        PID:4396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        150⤵
        
        PID:3524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:5036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        151⤵
        
        PID:1668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        152⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        153⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        153⤵
        
        PID:5528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        154⤵
        
        PID:4936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        155⤵
        
        PID:1000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        156⤵
        
        PID:5428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        156⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        156⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        157⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        157⤵
        
        PID:3572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        158⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        158⤵
        
        PID:3096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        159⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        159⤵
        
        PID:5460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        160⤵
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        160⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        160⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        161⤵
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        162⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        162⤵
        
        PID:3916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        163⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        163⤵
        
        PID:1932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        164⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        164⤵
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        165⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        165⤵
        
        PID:4804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        166⤵
        
        PID:5700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        167⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        167⤵
        
        PID:3720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        168⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        168⤵
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        169⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        169⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        170⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        170⤵
        
        PID:4836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        
        PID:3700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        171⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        171⤵
        
        PID:5264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        172⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        172⤵
        
        PID:1152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        173⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        173⤵
        
        PID:1684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        174⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        174⤵
        
        PID:6008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        175⤵
        
        PID:3180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        175⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        175⤵
        
        PID:3708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        176⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        176⤵
        
        PID:6016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        177⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        177⤵
        
        PID:320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        178⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        178⤵
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        179⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        179⤵
        
        PID:5824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        180⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        180⤵
        
        PID:2852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        181⤵
        
        PID:3052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        181⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        181⤵
        
        PID:1912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        182⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        182⤵
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        183⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        183⤵
        
        PID:6100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        184⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        184⤵
        
        PID:3636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        185⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        185⤵
        
        PID:4836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        186⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        186⤵
        
        PID:3996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        187⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        187⤵
        
        PID:5232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        188⤵
        
        PID:4400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        188⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        188⤵
        
        PID:3848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        189⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        189⤵
        
        PID:320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        190⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        190⤵
        
        PID:5320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        191⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        191⤵
        
        PID:4708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        192⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        192⤵
        
        PID:5692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        193⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        193⤵
        
        PID:4516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        194⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        194⤵
        
        PID:3724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        195⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        195⤵
        
        PID:5580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        196⤵
        
        PID:1532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        196⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        196⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        197⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        197⤵
        
        PID:2292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        198⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        198⤵
        
        PID:3824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        199⤵
        
        PID:3252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        199⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        199⤵
        
        PID:6132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        200⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        200⤵
        
        PID:5980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        201⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        201⤵
        
        PID:648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        202⤵
        
        PID:4796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        202⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        202⤵
        
        PID:5352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        203⤵
        
        PID:4520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        203⤵
        
        PID:960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        203⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        203⤵
        
        PID:4616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        204⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        204⤵
        
        PID:5340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        205⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        205⤵
        
        PID:6076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        206⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        206⤵
        
        PID:1896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:5448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        207⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        207⤵
        
        PID:6008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        208⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        208⤵
        
        PID:1752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        209⤵
        
        PID:5388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        209⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        209⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        210⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        210⤵
        
        PID:4064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        211⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        211⤵
        
        PID:2340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        212⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        212⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        213⤵
        
        PID:4828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        213⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        213⤵
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        214⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        214⤵
        
        PID:4520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        215⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        215⤵
        
        PID:5944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        216⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        216⤵
        
        PID:900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        217⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        217⤵
        
        PID:2572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        218⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        218⤵
        
        PID:4388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        219⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        219⤵
        
        PID:3560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        220⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        220⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        221⤵
        
        PID:4768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        221⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        221⤵
        
        PID:5652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        222⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        222⤵
        
        PID:1808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        223⤵
        
        PID:5292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        223⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        223⤵
        
        PID:5936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        224⤵
        
        PID:3232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        224⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        224⤵
        
        PID:5324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        225⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        225⤵
        
        PID:2196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        226⤵
        
        PID:6048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        226⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        226⤵
        
        PID:4620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        227⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        227⤵
        
        PID:1188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        228⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        228⤵
        
        PID:5504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        229⤵
        
        PID:3728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        229⤵
        
        PID:6012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        229⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        229⤵
        
        PID:1604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        230⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        230⤵
        
        PID:5964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        231⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        231⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        232⤵
        
        PID:3300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        232⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        232⤵
        
        PID:5240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        233⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        233⤵
        
        PID:412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        234⤵
        
        PID:340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        234⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        234⤵
        
        PID:5212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        235⤵
        
        PID:3620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        235⤵
        
        PID:5008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        235⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        235⤵
        
        PID:3672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        236⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        236⤵
        
        PID:4236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        237⤵
        
        PID:5900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        237⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        237⤵
        
        PID:5340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        238⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        238⤵
        
        PID:3572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        239⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        239⤵
        
        PID:1404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        240⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        240⤵
        
        PID:5824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        241⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        241⤵
        
        PID:1808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        242⤵
        
        PID:3284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        242⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        242⤵
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        243⤵
        
        PID:3340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        243⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        243⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        244⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        244⤵
        
        PID:5516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        245⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        245⤵
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        246⤵
        
        PID:6052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        246⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        246⤵
        
        PID:4164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        247⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        247⤵
        
        PID:5688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        248⤵
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        248⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        248⤵
        
        PID:544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        249⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        249⤵
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        250⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        250⤵
        
        PID:5992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        251⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        251⤵
        
        PID:5604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        252⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        252⤵
        
        PID:5808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        253⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        253⤵
        
        PID:5056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        254⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        254⤵
        
        PID:5352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        255⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        255⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        256⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        256⤵
        
        PID:4152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        257⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        257⤵
        
        PID:5224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        258⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        258⤵
        
        PID:3592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        259⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        259⤵
        
        PID:4388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        260⤵
        
        PID:260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        260⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118.exe"
        260⤵
        
        PID:3452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        261⤵
        
        PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MicroApp\MicroApp.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/684-31-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/684-83-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/684-11-0x0000000005A90000-0x0000000005B2C000-memory.dmp

Filesize
624KB

Download
memory/684-12-0x00000000059E0000-0x00000000059F8000-memory.dmp

Filesize
96KB

Download
memory/684-5-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/684-53-0x00000000070B0000-0x00000000070BA000-memory.dmp

Filesize
40KB

Download
memory/684-7-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/684-8-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/684-9-0x0000000006040000-0x00000000065E4000-memory.dmp

Filesize
5.6MB

Download
memory/684-51-0x0000000006FF0000-0x0000000007040000-memory.dmp

Filesize
320KB

Download
memory/684-49-0x0000000006010000-0x000000000601A000-memory.dmp

Filesize
40KB

Download
memory/684-15-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/684-10-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2264-14-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2264-19-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/2264-13-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3356-2-0x00000000052D0000-0x000000000533E000-memory.dmp

Filesize
440KB

Download
memory/3356-17-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3356-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/3356-3-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3356-6-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3356-1-0x00000000008C0000-0x0000000000A14000-memory.dmp

Filesize
1.3MB

Download
memory/3356-4-0x0000000002C90000-0x0000000002CE8000-memory.dmp

Filesize
352KB

Download