nanocore | 2437c4e083c09345250b2311dcbfad2fe82621af546731d0f42daabbe39388c3

Analysis

max time kernel
132s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Size

1.5MB
MD5

58174d87903175d3435b0797c5cbca72
SHA1

e42c5a98a75fc6ffc480d719556fba3265f7b031
SHA256

2437c4e083c09345250b2311dcbfad2fe82621af546731d0f42daabbe39388c3
SHA512

0adb71645c9de03f63dc356ba2edb31ea6985dbefa97f2c1171261c865024cb7044ef18c49a529b3fb91589543d021e9a7d19d6b9c0e69872175c2ed9e2c93ea
SSDEEP

12288:W2qwfRCYMBclU/wuAnJ+RPVSHqiXZcsTswguUGK/dCg1dz50TROAc7nPEBHXg/FB:aeMq+GD7GH1V/Eqj6w3gsZlkQ

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

185.244.30.251:1122

meeti.hopto.org:1122

Mutex

dda54657-0c32-4980-b0be-517d79e7c1a9

Attributes

activate_away_mode
true
backup_connection_host
meeti.hopto.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-09-13T04:25:33.342614336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1122
default_group
1mb Hanging
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
dda54657-0c32-4980-b0be-517d79e7c1a9
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.244.30.251
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

description	pid	process	target process
PID 2132 set thread context of 2780	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2840 set thread context of 2520	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1828 set thread context of 1852	1828	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2436 set thread context of 2820	2436	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2280 set thread context of 1092	2280	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2736 set thread context of 1524	2736	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1632 set thread context of 3044	1632	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1236 set thread context of 2080	1236	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2004 set thread context of 2628	2004	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2640 set thread context of 1708	2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1508 set thread context of 2896	1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1076 set thread context of 1828	1076	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1124 set thread context of 3016	1124	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 292 set thread context of 2884	292	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2120 set thread context of 2216	2120	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2872 set thread context of 2572	2872	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 376 set thread context of 2764	376	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2664 set thread context of 1260	2664	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2060 set thread context of 2944	2060	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1984 set thread context of 1996	1984	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1508 set thread context of 1312	1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2888 set thread context of 2312	2888	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1636 set thread context of 884	1636	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1224 set thread context of 1720	1224	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2760 set thread context of 1728	2760	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2556 set thread context of 2228	2556	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 760 set thread context of 952	760	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1252 set thread context of 1776	1252	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 656 set thread context of 688	656	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1508 set thread context of 1524	1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 336 set thread context of 1976	336	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2776 set thread context of 1760	2776	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1860 set thread context of 2300	1860	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2628 set thread context of 1092	2628	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1984 set thread context of 1184	1984	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2472 set thread context of 2740	2472	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2980 set thread context of 2440	2980	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 812 set thread context of 2984	812	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 844 set thread context of 2904	844	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2796 set thread context of 2020	2796	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1528 set thread context of 2604	1528	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2316 set thread context of 1644	2316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1244 set thread context of 1496	1244	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2704 set thread context of 2972	2704	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3032 set thread context of 1580	3032	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2592 set thread context of 656	2592	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2164 set thread context of 1476	2164	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1308 set thread context of 3016	1308	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 684 set thread context of 1720	684	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 344 set thread context of 376	344	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3060 set thread context of 3020	3060	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1620 set thread context of 2784	1620	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1336 set thread context of 1676	1336	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1316 set thread context of 1860	1316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2420 set thread context of 2068	2420	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2404 set thread context of 2708	2404	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1300 set thread context of 2684	1300	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1356 set thread context of 2184	1356	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2300 set thread context of 2968	2300	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1768 set thread context of 300	1768	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 628 set thread context of 1968	628	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 752 set thread context of 2976	752	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1616 set thread context of 2816	1616	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2088 set thread context of 572	2088	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Host\arphost.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\ARP Host\arphost.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

pid	process
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2520 RegAsm.exe

pid	process
2520	RegAsm.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1828	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1828	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2436	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2436	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2436	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2436	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2280	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2280	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2736	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2736	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1632	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1632	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1632	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1632	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1236	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2004	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2004	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1076	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1124	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1124	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1124	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
292	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2120	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2120	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2872	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2872	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2872	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2872	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
376	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2664	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2060	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1984	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2888	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1636	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1224	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2760	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2760	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2760	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2760	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2556	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2556	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2556	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
760	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1252	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1252	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
656	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exeRegAsm.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2520	RegAsm.exe
Token: SeDebugPrivilege	1828	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2436	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2280	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2736	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1632	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1236	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2640	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1076	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1124	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	292	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2120	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2872	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	376	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2664	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2060	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1984	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2888	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1636	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1224	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2760	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2556	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	760	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1252	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	656	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1508	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	336	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2776	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1860	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2628	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1984	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2472	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2980	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	812	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	844	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2796	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1528	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1244	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2704	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3032	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2592	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2164	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1308	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	684	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	344	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3060	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1620	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1336	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2420	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2404	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1300	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1356	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2300	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1768	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	628	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	752	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1616	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58174d87903175d3435b0797c5cbca72_JaffaCakes118.execsc.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.execsc.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

description	pid	process	target process
PID 2132 wrote to memory of 2836	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2132 wrote to memory of 2836	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2132 wrote to memory of 2836	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2132 wrote to memory of 2836	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2836 wrote to memory of 3052	2836	csc.exe	cvtres.exe
PID 2836 wrote to memory of 3052	2836	csc.exe	cvtres.exe
PID 2836 wrote to memory of 3052	2836	csc.exe	cvtres.exe
PID 2836 wrote to memory of 3052	2836	csc.exe	cvtres.exe
PID 2132 wrote to memory of 2660	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2660	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2660	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2660	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2660	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2660	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2660	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2760	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2760	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2760	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2760	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2760	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2760	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2760	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2776	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2776	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2776	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2776	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2776	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2776	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2776	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2780	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2780	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2780	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2780	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2780	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2780	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2780	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2780	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2132 wrote to memory of 2840	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2132 wrote to memory of 2840	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2132 wrote to memory of 2840	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2132 wrote to memory of 2840	2132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2840 wrote to memory of 2296	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2840 wrote to memory of 2296	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2840 wrote to memory of 2296	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2840 wrote to memory of 2296	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2296 wrote to memory of 2680	2296	csc.exe	cvtres.exe
PID 2296 wrote to memory of 2680	2296	csc.exe	cvtres.exe
PID 2296 wrote to memory of 2680	2296	csc.exe	cvtres.exe
PID 2296 wrote to memory of 2680	2296	csc.exe	cvtres.exe
PID 2840 wrote to memory of 2520	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2840 wrote to memory of 2520	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2840 wrote to memory of 2520	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2840 wrote to memory of 2520	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2840 wrote to memory of 2520	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2840 wrote to memory of 2520	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2840 wrote to memory of 2520	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2840 wrote to memory of 2520	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2840 wrote to memory of 1828	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2840 wrote to memory of 1828	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2840 wrote to memory of 1828	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2840 wrote to memory of 1828	2840	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 1828 wrote to memory of 1608	1828	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 1828 wrote to memory of 1608	1828	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 1828 wrote to memory of 1608	1828	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jmltmjot\jmltmjot.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2108.tmp" "c:\Users\Admin\AppData\Local\Temp\jmltmjot\CSCC703CA0A8B624A2092B4A27A81AEE23.TMP"
3⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rtqk1qrv\rtqk1qrv.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23F5.tmp" "c:\Users\Admin\AppData\Local\Temp\rtqk1qrv\CSCED9F6F2B9F74892BF7E26EC16C4BF13.TMP"
4⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rbvin2x0\rbvin2x0.cmdline"
4⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES278D.tmp" "c:\Users\Admin\AppData\Local\Temp\rbvin2x0\CSC15B017D68F814E2490D699749436FFA0.TMP"
5⤵
PID:336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y1btixp5\y1btixp5.cmdline"
5⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AE7.tmp" "c:\Users\Admin\AppData\Local\Temp\y1btixp5\CSCB3741DE0835245508EA264C16538199.TMP"
6⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2bufnzue\2bufnzue.cmdline"
6⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D76.tmp" "c:\Users\Admin\AppData\Local\Temp\2bufnzue\CSC73882813913A422392EBE1548DAAC543.TMP"
7⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\to0zmow3\to0zmow3.cmdline"
7⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FF6.tmp" "c:\Users\Admin\AppData\Local\Temp\to0zmow3\CSC48944E81E51A4BEF9D817CB1905730F.TMP"
8⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tdtvn2ph\tdtvn2ph.cmdline"
8⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32B4.tmp" "c:\Users\Admin\AppData\Local\Temp\tdtvn2ph\CSCE4707B00C65F436B83EF95B2D525EABF.TMP"
9⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwpzfxcn\jwpzfxcn.cmdline"
9⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES367B.tmp" "c:\Users\Admin\AppData\Local\Temp\jwpzfxcn\CSC15B5007980C64D168420D49589D4A77.TMP"
10⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnxovd54\tnxovd54.cmdline"
10⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES387E.tmp" "c:\Users\Admin\AppData\Local\Temp\tnxovd54\CSC884A9E055DD8446DA5711C3E32ED4D85.TMP"
11⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e4kkd2dn\e4kkd2dn.cmdline"
11⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A62.tmp" "c:\Users\Admin\AppData\Local\Temp\e4kkd2dn\CSC61662FF4C9B0495BB172EA3BD7D4D12B.TMP"
12⤵
PID:336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4yysp0pf\4yysp0pf.cmdline"
12⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CD2.tmp" "c:\Users\Admin\AppData\Local\Temp\4yysp0pf\CSC6B854E7BBFA34C0C9C94C35BD92CD662.TMP"
13⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e342g3ef\e342g3ef.cmdline"
13⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EB5.tmp" "c:\Users\Admin\AppData\Local\Temp\e342g3ef\CSC869C17F8B63C457FA1C1B0543FD4BA1.TMP"
14⤵
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\robt3q0d\robt3q0d.cmdline"
14⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES400C.tmp" "c:\Users\Admin\AppData\Local\Temp\robt3q0d\CSC7EDBC2F432094DED8CF9BDA25E29FA38.TMP"
15⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ekebdb2s\ekebdb2s.cmdline"
15⤵
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42BB.tmp" "c:\Users\Admin\AppData\Local\Temp\ekebdb2s\CSCE5636C943CC1495E86D6AFEB83F139A.TMP"
16⤵
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avj5nzya\avj5nzya.cmdline"
16⤵
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4441.tmp" "c:\Users\Admin\AppData\Local\Temp\avj5nzya\CSCB63572CF13A0469A962C98B616A4CE0.TMP"
17⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3gnh5sqw\3gnh5sqw.cmdline"
17⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45B7.tmp" "c:\Users\Admin\AppData\Local\Temp\3gnh5sqw\CSC5E2FAEFD2C004E159974A0696740EB8.TMP"
18⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p1uoxdr5\p1uoxdr5.cmdline"
18⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES476C.tmp" "c:\Users\Admin\AppData\Local\Temp\p1uoxdr5\CSC13B22883EE3A4D1AA888409329C69697.TMP"
19⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pykrlpl5\pykrlpl5.cmdline"
19⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4950.tmp" "c:\Users\Admin\AppData\Local\Temp\pykrlpl5\CSCDEC115633FD2432384CD6BF1B3EF3EEB.TMP"
20⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cq0irfpb\cq0irfpb.cmdline"
20⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AC6.tmp" "c:\Users\Admin\AppData\Local\Temp\cq0irfpb\CSCCEFDC3BD484C40B39F62349355ED6EA.TMP"
21⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kvuy40lq\kvuy40lq.cmdline"
21⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D94.tmp" "c:\Users\Admin\AppData\Local\Temp\kvuy40lq\CSC8CC3B9B177DD4D5A97DC239DAE98CCD8.TMP"
22⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y4ybjaac\y4ybjaac.cmdline"
22⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EFA.tmp" "c:\Users\Admin\AppData\Local\Temp\y4ybjaac\CSC2E50687FD0FB4D01B424B26DCF6BF4C8.TMP"
23⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5hpgzfiz\5hpgzfiz.cmdline"
23⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5071.tmp" "c:\Users\Admin\AppData\Local\Temp\5hpgzfiz\CSCF6663585322C4E0BB91572A3F2F6662F.TMP"
24⤵
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x01helfs\x01helfs.cmdline"
24⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5283.tmp" "c:\Users\Admin\AppData\Local\Temp\x01helfs\CSC32C60296FCF146A7AA1217B7DFD7ED7.TMP"
25⤵
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nx5hgisl\nx5hgisl.cmdline"
25⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53FA.tmp" "c:\Users\Admin\AppData\Local\Temp\nx5hgisl\CSCDB71DB218412448EBCE0D315936861.TMP"
26⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\orluzwvk\orluzwvk.cmdline"
26⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES562B.tmp" "c:\Users\Admin\AppData\Local\Temp\orluzwvk\CSCCB670D9042594E07B0194ACA213795.TMP"
27⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjaxtqf3\kjaxtqf3.cmdline"
27⤵
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES580F.tmp" "c:\Users\Admin\AppData\Local\Temp\kjaxtqf3\CSCBBFE5C327C040638A731998D98D5E17.TMP"
28⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eic2fky2\eic2fky2.cmdline"
28⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5985.tmp" "c:\Users\Admin\AppData\Local\Temp\eic2fky2\CSC363DD341E2DB459E967F11C56E5EB2.TMP"
29⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r4asud51\r4asud51.cmdline"
29⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B3A.tmp" "c:\Users\Admin\AppData\Local\Temp\r4asud51\CSCDDDE7F25F8F0483194454E8C9A78AA1A.TMP"
30⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\se4ofhso\se4ofhso.cmdline"
30⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E17.tmp" "c:\Users\Admin\AppData\Local\Temp\se4ofhso\CSCAB90DBEA574D49ED8EF095F71524B0A4.TMP"
31⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b0xhwtak\b0xhwtak.cmdline"
31⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FAD.tmp" "c:\Users\Admin\AppData\Local\Temp\b0xhwtak\CSCB3472D6CDEB2432AAA2A6E9D15E56026.TMP"
32⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4sptnds\x4sptnds.cmdline"
32⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6114.tmp" "c:\Users\Admin\AppData\Local\Temp\x4sptnds\CSC1BF46F05F45D45B0893BDFEACF3D94FE.TMP"
33⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cbnwfodr\cbnwfodr.cmdline"
33⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62D8.tmp" "c:\Users\Admin\AppData\Local\Temp\cbnwfodr\CSC6AD13C8C2C33412BA946DDC8BB1BF0.TMP"
34⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0xnotbjj\0xnotbjj.cmdline"
34⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES643F.tmp" "c:\Users\Admin\AppData\Local\Temp\0xnotbjj\CSCCAC59AF3B194B41913FC7A76BDCE7AC.TMP"
35⤵
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uy3ctj1s\uy3ctj1s.cmdline"
35⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6680.tmp" "c:\Users\Admin\AppData\Local\Temp\uy3ctj1s\CSC90FFEA0074A549159E14667D55D5EDEF.TMP"
36⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvjbvwq1\zvjbvwq1.cmdline"
36⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6806.tmp" "c:\Users\Admin\AppData\Local\Temp\zvjbvwq1\CSC49DD6F80C7F14170AEE26C2D2EA142F5.TMP"
37⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qomxrqto\qomxrqto.cmdline"
37⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES694E.tmp" "c:\Users\Admin\AppData\Local\Temp\qomxrqto\CSCE4D274E19D054E9D8A5E83E726A6413.TMP"
38⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xkyeh1xt\xkyeh1xt.cmdline"
38⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B22.tmp" "c:\Users\Admin\AppData\Local\Temp\xkyeh1xt\CSCC960CCD110334D238C1B77DD7019212.TMP"
39⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lphhybl4\lphhybl4.cmdline"
39⤵
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D15.tmp" "c:\Users\Admin\AppData\Local\Temp\lphhybl4\CSC12C8749E16C1487B8531305DFCB15325.TMP"
40⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w5ajwsuh\w5ajwsuh.cmdline"
40⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F08.tmp" "c:\Users\Admin\AppData\Local\Temp\w5ajwsuh\CSC5F22BBAA924341DE89E6B24C7A53877E.TMP"
41⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tvlxdupg\tvlxdupg.cmdline"
41⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES707F.tmp" "c:\Users\Admin\AppData\Local\Temp\tvlxdupg\CSC385F93B838A441F8A7368087AAB3F18B.TMP"
42⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hik02dby\hik02dby.cmdline"
42⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7272.tmp" "c:\Users\Admin\AppData\Local\Temp\hik02dby\CSC409D72E21C842B185B7A9909CD550F5.TMP"
43⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqed0g4k\wqed0g4k.cmdline"
43⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7465.tmp" "c:\Users\Admin\AppData\Local\Temp\wqed0g4k\CSCD24975E96EEA4D6CA7B2B4829FE4CC1C.TMP"
44⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o3043xkh\o3043xkh.cmdline"
44⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76D5.tmp" "c:\Users\Admin\AppData\Local\Temp\o3043xkh\CSC2E9FACD281A44288D695A4470193C1A.TMP"
45⤵
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qibkdgff\qibkdgff.cmdline"
45⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78B9.tmp" "c:\Users\Admin\AppData\Local\Temp\qibkdgff\CSC4D52A75EE9AD4D7ABA4F3F88F4393E7B.TMP"
46⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e3hzurwr\e3hzurwr.cmdline"
46⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A7D.tmp" "c:\Users\Admin\AppData\Local\Temp\e3hzurwr\CSC82A4A9BC6BF94FA0902184AAA322B0.TMP"
47⤵
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p1tme2bz\p1tme2bz.cmdline"
47⤵
PID:1228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C13.tmp" "c:\Users\Admin\AppData\Local\Temp\p1tme2bz\CSC830C2EEF92094EA987CFB14187A9D8.TMP"
48⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5ncqvut\s5ncqvut.cmdline"
48⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DA8.tmp" "c:\Users\Admin\AppData\Local\Temp\s5ncqvut\CSCB248D22B8D77468FBF32CC8733B6B94.TMP"
49⤵
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4effk4pv\4effk4pv.cmdline"
49⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EF0.tmp" "c:\Users\Admin\AppData\Local\Temp\4effk4pv\CSC8075D48178314FBE86DEE89C5CB1294.TMP"
50⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v31z4fk3\v31z4fk3.cmdline"
50⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80A5.tmp" "c:\Users\Admin\AppData\Local\Temp\v31z4fk3\CSC2BBAE9324DB345CC9FAF7669108490.TMP"
51⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cc33vdjn\cc33vdjn.cmdline"
51⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8353.tmp" "c:\Users\Admin\AppData\Local\Temp\cc33vdjn\CSC665532E1E28A4E6C90369E4D1C65FE.TMP"
52⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rc3qpmue\rc3qpmue.cmdline"
52⤵
PID:572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84BA.tmp" "c:\Users\Admin\AppData\Local\Temp\rc3qpmue\CSC4CA5B5EEB62B4F129FA1C99465C76FA.TMP"
53⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
52⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\40mf5wpn\40mf5wpn.cmdline"
53⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES866F.tmp" "c:\Users\Admin\AppData\Local\Temp\40mf5wpn\CSC8ECF47A7532A4FDAA7FD1FC5E7968EB.TMP"
54⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lt1o0lqn\lt1o0lqn.cmdline"
54⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87C6.tmp" "c:\Users\Admin\AppData\Local\Temp\lt1o0lqn\CSCF5B0682300046D881916EE080F0A8C8.TMP"
55⤵
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\krgibcvx\krgibcvx.cmdline"
55⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES896B.tmp" "c:\Users\Admin\AppData\Local\Temp\krgibcvx\CSC1C6C5CF6DB5C45FB846EA3BDD153565.TMP"
56⤵
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\okq1br25\okq1br25.cmdline"
56⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B3F.tmp" "c:\Users\Admin\AppData\Local\Temp\okq1br25\CSC292D7F2F5678484F9489F56B26C2E3CB.TMP"
57⤵
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1kyurm21\1kyurm21.cmdline"
57⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D51.tmp" "c:\Users\Admin\AppData\Local\Temp\1kyurm21\CSCAEFCB258A0DE4596B819A19D4424F587.TMP"
58⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvdpfwrc\yvdpfwrc.cmdline"
58⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F83.tmp" "c:\Users\Admin\AppData\Local\Temp\yvdpfwrc\CSC6070EA2A9C8A4B0CBF4D8A28434E1AC.TMP"
59⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e11jxng0\e11jxng0.cmdline"
59⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9241.tmp" "c:\Users\Admin\AppData\Local\Temp\e11jxng0\CSC5AC85AD3D4274C639371B7C9EDEAB90.TMP"
60⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\caoelcgk\caoelcgk.cmdline"
60⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9379.tmp" "c:\Users\Admin\AppData\Local\Temp\caoelcgk\CSC250C752ABC60435287C3D552D82D4D8A.TMP"
61⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qsprkbuk\qsprkbuk.cmdline"
61⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94A1.tmp" "c:\Users\Admin\AppData\Local\Temp\qsprkbuk\CSCA5AE99D82BE14C79B4B6274878A65D39.TMP"
62⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:300

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gmglrkau\gmglrkau.cmdline"
62⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9627.tmp" "c:\Users\Admin\AppData\Local\Temp\gmglrkau\CSC4A666A0C33754858A7E5CA4FA85E499.TMP"
63⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqlo3zbt\aqlo3zbt.cmdline"
63⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97FB.tmp" "c:\Users\Admin\AppData\Local\Temp\aqlo3zbt\CSC339FF4C0DC8741AE8976318D5B817621.TMP"
64⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
63⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zn1oelyu\zn1oelyu.cmdline"
64⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A0E.tmp" "c:\Users\Admin\AppData\Local\Temp\zn1oelyu\CSC8AE08D909E1C4782A515BD76212F3190.TMP"
65⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
64⤵
- Suspicious use of SetThreadContext
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5t1km5a\s5t1km5a.cmdline"
65⤵
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B94.tmp" "c:\Users\Admin\AppData\Local\Temp\s5t1km5a\CSC9AC16B8ECB864C3E8E936C72C4DD69E.TMP"
66⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
65⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rbfficgs\rbfficgs.cmdline"
66⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D68.tmp" "c:\Users\Admin\AppData\Local\Temp\rbfficgs\CSC23463ED1D15240E0B8528ADD6FDA71CF.TMP"
67⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
66⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\525t3zfb\525t3zfb.cmdline"
67⤵
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F99.tmp" "c:\Users\Admin\AppData\Local\Temp\525t3zfb\CSC340FE75535E6445D9FCC70187EC2EDDB.TMP"
68⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
67⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wejfvsyx\wejfvsyx.cmdline"
68⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA13F.tmp" "c:\Users\Admin\AppData\Local\Temp\wejfvsyx\CSC5EF312ADCAA348F7BFA74965C9D4341.TMP"
69⤵
PID:876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
68⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kiqjitnp\kiqjitnp.cmdline"
69⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2C5.tmp" "c:\Users\Admin\AppData\Local\Temp\kiqjitnp\CSCBD7648E5E84041DE9C7F9B8182C86A3B.TMP"
70⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
69⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\igaostdl\igaostdl.cmdline"
70⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4A8.tmp" "c:\Users\Admin\AppData\Local\Temp\igaostdl\CSC71336EDC53D54EF3995B70BFF997B652.TMP"
71⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
70⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cl3dtuf1\cl3dtuf1.cmdline"
71⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA66D.tmp" "c:\Users\Admin\AppData\Local\Temp\cl3dtuf1\CSC3328671D6D7945D2AC6D98D3DD2ED4B1.TMP"
72⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
71⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\omsbjtkj\omsbjtkj.cmdline"
72⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA88F.tmp" "c:\Users\Admin\AppData\Local\Temp\omsbjtkj\CSC72E31594F16C4E2DA7A7419983997CCC.TMP"
73⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
72⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xurnyywa\xurnyywa.cmdline"
73⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA63.tmp" "c:\Users\Admin\AppData\Local\Temp\xurnyywa\CSCA0EE951CF43342C6BDF57ED90B95818.TMP"
74⤵
PID:344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
73⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mldg1wdw\mldg1wdw.cmdline"
74⤵
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC37.tmp" "c:\Users\Admin\AppData\Local\Temp\mldg1wdw\CSC555E3D8436D6455B816ED81FCBB78CAF.TMP"
75⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
74⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rw4e1qxj\rw4e1qxj.cmdline"
75⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE97.tmp" "c:\Users\Admin\AppData\Local\Temp\rw4e1qxj\CSCF3B0F92220014F87BF554D297D92F23.TMP"
76⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
75⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t2bdpij5\t2bdpij5.cmdline"
76⤵
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB06B.tmp" "c:\Users\Admin\AppData\Local\Temp\t2bdpij5\CSC348FB66A8CE47C18A39453A1335914.TMP"
77⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
76⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amq0g2ek\amq0g2ek.cmdline"
77⤵
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2EB.tmp" "c:\Users\Admin\AppData\Local\Temp\amq0g2ek\CSCD200BAAFB4DC49E6A3EA2CFF30DBA7F7.TMP"
78⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
77⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tglkdrdq\tglkdrdq.cmdline"
78⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB480.tmp" "c:\Users\Admin\AppData\Local\Temp\tglkdrdq\CSC90C37786BCF34D8CB7CCC6CF219D5FD3.TMP"
79⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
78⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sah5xsyq\sah5xsyq.cmdline"
79⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB683.tmp" "c:\Users\Admin\AppData\Local\Temp\sah5xsyq\CSC1EC9D81E11494285A5683C94DC7771F.TMP"
80⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
79⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wkgiiohw\wkgiiohw.cmdline"
80⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB960.tmp" "c:\Users\Admin\AppData\Local\Temp\wkgiiohw\CSC3ABD40F476F4483AA117912780127050.TMP"
81⤵
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
80⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sy5zjfeo\sy5zjfeo.cmdline"
81⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB15.tmp" "c:\Users\Admin\AppData\Local\Temp\sy5zjfeo\CSCEEBA8F7969442B19545FBB6CD83A8FF.TMP"
82⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
81⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n3vvc14g\n3vvc14g.cmdline"
82⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCF9.tmp" "c:\Users\Admin\AppData\Local\Temp\n3vvc14g\CSCC3EE9A838F274B6BBBD93DB031E2AEBD.TMP"
83⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
82⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbqb4ifx\hbqb4ifx.cmdline"
83⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE6F.tmp" "c:\Users\Admin\AppData\Local\Temp\hbqb4ifx\CSC87DD024B24D14AF18548281A5C6A48A.TMP"
84⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
83⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p2trjcnq\p2trjcnq.cmdline"
84⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC033.tmp" "c:\Users\Admin\AppData\Local\Temp\p2trjcnq\CSC9FECF54C3ED14704BFAEE44143432C1E.TMP"
85⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
84⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wyvznjue\wyvznjue.cmdline"
85⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC16B.tmp" "c:\Users\Admin\AppData\Local\Temp\wyvznjue\CSCDAB03469D67A4D85A99C8FE5666EAF74.TMP"
86⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
85⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\esntgm1l\esntgm1l.cmdline"
86⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC38D.tmp" "c:\Users\Admin\AppData\Local\Temp\esntgm1l\CSCB0E942E8C67E416C9499792521A4FDCB.TMP"
87⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
86⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04p0k5cv\04p0k5cv.cmdline"
87⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC552.tmp" "c:\Users\Admin\AppData\Local\Temp\04p0k5cv\CSC31BE8FB39FE4D2A9B5147F1F61C53A0.TMP"
88⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
87⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vw1zl4et\vw1zl4et.cmdline"
88⤵
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC793.tmp" "c:\Users\Admin\AppData\Local\Temp\vw1zl4et\CSC5363B11E6B54A73A5FEB7454E8661D.TMP"
89⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
88⤵
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzz0lgla\uzz0lgla.cmdline"
89⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC909.tmp" "c:\Users\Admin\AppData\Local\Temp\uzz0lgla\CSC191E499A16AF4CB18F9ADCBE11AB98F.TMP"
90⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
89⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wnzc2fu2\wnzc2fu2.cmdline"
90⤵
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCADD.tmp" "c:\Users\Admin\AppData\Local\Temp\wnzc2fu2\CSC5C8C9DCEA7545B299DF23B5623BD3EA.TMP"
91⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
90⤵
PID:484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qh1xji3m\qh1xji3m.cmdline"
91⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCFF.tmp" "c:\Users\Admin\AppData\Local\Temp\qh1xji3m\CSC3E4197FD2FDB4CF0B7DBAF55EE92E.TMP"
92⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
91⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v5twyltb\v5twyltb.cmdline"
92⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE85.tmp" "c:\Users\Admin\AppData\Local\Temp\v5twyltb\CSC3BA4CDDB1112472BB7DDC3F1952054DD.TMP"
93⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
92⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yo3ol3jq\yo3ol3jq.cmdline"
93⤵
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0A7.tmp" "c:\Users\Admin\AppData\Local\Temp\yo3ol3jq\CSC5683F5463A4D46AFA454F8122BF4DE7C.TMP"
94⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
93⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvjbo14w\nvjbo14w.cmdline"
94⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2BA.tmp" "c:\Users\Admin\AppData\Local\Temp\nvjbo14w\CSC2A418DE2396C4232ADC4CACBC35C892F.TMP"
95⤵
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
94⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dqyb51z5\dqyb51z5.cmdline"
95⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD421.tmp" "c:\Users\Admin\AppData\Local\Temp\dqyb51z5\CSC260E4DE756E745FEA0BE64BA8967DC0.TMP"
96⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
95⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qu1z4sxu\qu1z4sxu.cmdline"
96⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD623.tmp" "c:\Users\Admin\AppData\Local\Temp\qu1z4sxu\CSC74A9962655D04281A8F622C1578DD9B.TMP"
97⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
96⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bzhwawdd\bzhwawdd.cmdline"
97⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8C2.tmp" "c:\Users\Admin\AppData\Local\Temp\bzhwawdd\CSC7CC94E3FAFEA457A873541A5F2AA5D6A.TMP"
98⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
97⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\330oup40\330oup40.cmdline"
98⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA0A.tmp" "c:\Users\Admin\AppData\Local\Temp\330oup40\CSC4B02AF6DA7B410A8CA83377185E202.TMP"
99⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
98⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvfwivpf\uvfwivpf.cmdline"
99⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB71.tmp" "c:\Users\Admin\AppData\Local\Temp\uvfwivpf\CSC20DE6AA53F446878855D1524EC2466.TMP"
100⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
99⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h2vacbgw\h2vacbgw.cmdline"
100⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD45.tmp" "c:\Users\Admin\AppData\Local\Temp\h2vacbgw\CSC971F820E3B824F7587DD1531CBA9C7E5.TMP"
101⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
100⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nbhoqjql\nbhoqjql.cmdline"
101⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEBB.tmp" "c:\Users\Admin\AppData\Local\Temp\nbhoqjql\CSC674596A1EE2146CB8FB3E5FE9943FFC.TMP"
102⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
101⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3t3b2x4\g3t3b2x4.cmdline"
102⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE09F.tmp" "c:\Users\Admin\AppData\Local\Temp\g3t3b2x4\CSCB0E30085D2D430797F75680F85A79DB.TMP"
103⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
102⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mtlhfiwg\mtlhfiwg.cmdline"
103⤵
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2B1.tmp" "c:\Users\Admin\AppData\Local\Temp\mtlhfiwg\CSCA39B6489BE3041C2B1ABE0414C54C44.TMP"
104⤵
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
103⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uum1p0qe\uum1p0qe.cmdline"
104⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE466.tmp" "c:\Users\Admin\AppData\Local\Temp\uum1p0qe\CSCA2A69C1C1B95497EBB79F3F18EFA4E2.TMP"
105⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
104⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mgo54hi3\mgo54hi3.cmdline"
105⤵
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5FC.tmp" "c:\Users\Admin\AppData\Local\Temp\mgo54hi3\CSC7C27D3FD42244FDC9EDDE5B1B6B04C43.TMP"
106⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
105⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbnld2ow\bbnld2ow.cmdline"
106⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE82D.tmp" "c:\Users\Admin\AppData\Local\Temp\bbnld2ow\CSC9FD97F0C8E7745609A9569CC6F01EA.TMP"
107⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
106⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3swc1ghq\3swc1ghq.cmdline"
107⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9D2.tmp" "c:\Users\Admin\AppData\Local\Temp\3swc1ghq\CSC1D55402FC1D0491596FA23B0569D145A.TMP"
108⤵
PID:884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
107⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yphzpgq1\yphzpgq1.cmdline"
108⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBC6.tmp" "c:\Users\Admin\AppData\Local\Temp\yphzpgq1\CSC76C33C105D8F4FD9867F64E72AA4E6A2.TMP"
109⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
108⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5wanhdy0\5wanhdy0.cmdline"
109⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED4C.tmp" "c:\Users\Admin\AppData\Local\Temp\5wanhdy0\CSC8BD84108F8E4FED9A5DF4FE4565E90.TMP"
110⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
109⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vhtcq1xq\vhtcq1xq.cmdline"
110⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF20.tmp" "c:\Users\Admin\AppData\Local\Temp\vhtcq1xq\CSC1132F7D580974ABFB47BD913E6B3313.TMP"
111⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
110⤵
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzc53x2m\uzc53x2m.cmdline"
111⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF170.tmp" "c:\Users\Admin\AppData\Local\Temp\uzc53x2m\CSCCF9BC1C14D6E48EF8343E098E33E1CA.TMP"
112⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
111⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ghltg0nz\ghltg0nz.cmdline"
112⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2B8.tmp" "c:\Users\Admin\AppData\Local\Temp\ghltg0nz\CSC4B598112C3043FCA679FA794E886F.TMP"
113⤵
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
112⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ygya50qx\ygya50qx.cmdline"
113⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF46D.tmp" "c:\Users\Admin\AppData\Local\Temp\ygya50qx\CSC14BFB676D9A4F508533C1817B42F916.TMP"
114⤵
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
113⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2wdkjkjc\2wdkjkjc.cmdline"
114⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF670.tmp" "c:\Users\Admin\AppData\Local\Temp\2wdkjkjc\CSC72D876DEBCF947039C937C48DBBF9D7.TMP"
115⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
114⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w4m20rwq\w4m20rwq.cmdline"
115⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7D6.tmp" "c:\Users\Admin\AppData\Local\Temp\w4m20rwq\CSC4B6FCD511BD446178A46B4E43487724.TMP"
116⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
115⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3lj5cx5x\3lj5cx5x.cmdline"
116⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF98B.tmp" "c:\Users\Admin\AppData\Local\Temp\3lj5cx5x\CSCFFF1FDD419054DB5ACD8FAD9B32C6B.TMP"
117⤵
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
116⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fbcgaa2k\fbcgaa2k.cmdline"
117⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB5F.tmp" "c:\Users\Admin\AppData\Local\Temp\fbcgaa2k\CSC5BE4A28B861841CEA9949E11976BF7F4.TMP"
118⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
117⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pl5narus\pl5narus.cmdline"
118⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCB6.tmp" "c:\Users\Admin\AppData\Local\Temp\pl5narus\CSCB48C20C4BEDD4EBEA3FC3425B281897E.TMP"
119⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
118⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wmgloxi4\wmgloxi4.cmdline"
119⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE7B.tmp" "c:\Users\Admin\AppData\Local\Temp\wmgloxi4\CSC93E2530C61F4A508750F43015DEFB88.TMP"
120⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
119⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwamn1ip\xwamn1ip.cmdline"
120⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFD2.tmp" "c:\Users\Admin\AppData\Local\Temp\xwamn1ip\CSCA9D272CB838A4CA5BAD2AD86666588.TMP"
121⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
120⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\42hlrmej\42hlrmej.cmdline"
121⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES177.tmp" "c:\Users\Admin\AppData\Local\Temp\42hlrmej\CSC823BE1FF37F14A66A2BB47754FDD263D.TMP"
122⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
121⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xkpjdp1\4xkpjdp1.cmdline"
122⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30D.tmp" "c:\Users\Admin\AppData\Local\Temp\4xkpjdp1\CSCC8D51F18B50A4319B0E519211D9FB390.TMP"
123⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
122⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z2jjshkx\z2jjshkx.cmdline"
123⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A2.tmp" "c:\Users\Admin\AppData\Local\Temp\z2jjshkx\CSC4B7E7994FAE94BC7907B3DC5220EEBC.TMP"
124⤵
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
123⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oem35d0e\oem35d0e.cmdline"
124⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A5.tmp" "c:\Users\Admin\AppData\Local\Temp\oem35d0e\CSCD377B2F03F844B4F8C5979DB49CC26B5.TMP"
125⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
124⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ljrmufqw\ljrmufqw.cmdline"
125⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES898.tmp" "c:\Users\Admin\AppData\Local\Temp\ljrmufqw\CSC99A1A101B99D43428E8B4ED95979DDF0.TMP"
126⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
125⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3tboyeim\3tboyeim.cmdline"
126⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FF.tmp" "c:\Users\Admin\AppData\Local\Temp\3tboyeim\CSC1C07CD21718144AC84A02EA216BD9C21.TMP"
127⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
126⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oe0yq4x4\oe0yq4x4.cmdline"
127⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD3.tmp" "c:\Users\Admin\AppData\Local\Temp\oe0yq4x4\CSC738F4DB1939A4BF9A35C5BAE98FD1B1A.TMP"
128⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
127⤵
PID:572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p2qtmmpv\p2qtmmpv.cmdline"
128⤵
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59.tmp" "c:\Users\Admin\AppData\Local\Temp\p2qtmmpv\CSC8A159469EC8548018DD6B2C0DE5D1FB9.TMP"
129⤵
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
128⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5u41mfoq\5u41mfoq.cmdline"
129⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7B.tmp" "c:\Users\Admin\AppData\Local\Temp\5u41mfoq\CSCBB923D42A0A241F19434EDCC61CB58.TMP"
130⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
129⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvjbtvnm\nvjbtvnm.cmdline"
130⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1140.tmp" "c:\Users\Admin\AppData\Local\Temp\nvjbtvnm\CSC134FC3AB3A6E474EAE7E3BBFA44169B4.TMP"
131⤵
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
130⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\513tnqob\513tnqob.cmdline"
131⤵
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13B0.tmp" "c:\Users\Admin\AppData\Local\Temp\513tnqob\CSCF7A8D78AE5BC485588A26DEE19FB7542.TMP"
132⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
131⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1rpfdsun\1rpfdsun.cmdline"
132⤵
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1564.tmp" "c:\Users\Admin\AppData\Local\Temp\1rpfdsun\CSCDB0762E8798346A984CB88CB489ADD85.TMP"
133⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
132⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r2bvdr5f\r2bvdr5f.cmdline"
133⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1738.tmp" "c:\Users\Admin\AppData\Local\Temp\r2bvdr5f\CSCF8970C51B273465D9EBF166ED8A18BD9.TMP"
134⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
133⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gfpj4hxo\gfpj4hxo.cmdline"
134⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1989.tmp" "c:\Users\Admin\AppData\Local\Temp\gfpj4hxo\CSCAB5AD8D25137405AACD9881D773A125C.TMP"
135⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
134⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wroxonp1\wroxonp1.cmdline"
135⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AF0.tmp" "c:\Users\Admin\AppData\Local\Temp\wroxonp1\CSC24A18262F4F9465BB44848323716DC3F.TMP"
136⤵
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
135⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k5wsklda\k5wsklda.cmdline"
136⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D02.tmp" "c:\Users\Admin\AppData\Local\Temp\k5wsklda\CSCE3A573E1E92540B38A99A09DAA1FE9D.TMP"
137⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
136⤵
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1zay3mqo\1zay3mqo.cmdline"
137⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F72.tmp" "c:\Users\Admin\AppData\Local\Temp\1zay3mqo\CSC6A3A5D5C7E3B4C738A5E71177C78C178.TMP"
138⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
137⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pc0f4vfa\pc0f4vfa.cmdline"
138⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2118.tmp" "c:\Users\Admin\AppData\Local\Temp\pc0f4vfa\CSC2A7B44C1C22048C7813C26F4C3C74B96.TMP"
139⤵
PID:484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
138⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jo2rpy2h\jo2rpy2h.cmdline"
139⤵
PID:532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2397.tmp" "c:\Users\Admin\AppData\Local\Temp\jo2rpy2h\CSC6AA3C029C7844F8F9C9CB5DA49A1DFC5.TMP"
140⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:292

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
139⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\efpjqn4i\efpjqn4i.cmdline"
140⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES252D.tmp" "c:\Users\Admin\AppData\Local\Temp\efpjqn4i\CSC3317FB3122C9408BBA6C34E97E64652E.TMP"
141⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
140⤵
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ux1n43us\ux1n43us.cmdline"
141⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2730.tmp" "c:\Users\Admin\AppData\Local\Temp\ux1n43us\CSCB171214C4D074F62B4B0C8B5C7A485D0.TMP"
142⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
141⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dbjbj5dc\dbjbj5dc.cmdline"
142⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28E4.tmp" "c:\Users\Admin\AppData\Local\Temp\dbjbj5dc\CSCDE96F4DB49D84B8ABDEDA851B89533E6.TMP"
143⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
142⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfhkktjd\xfhkktjd.cmdline"
143⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AC8.tmp" "c:\Users\Admin\AppData\Local\Temp\xfhkktjd\CSC57AB1D4332CB48C6B3B3D5D8D68FCF0.TMP"
144⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
143⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ivipj5u1\ivipj5u1.cmdline"
144⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C2F.tmp" "c:\Users\Admin\AppData\Local\Temp\ivipj5u1\CSCB41F5D7B454B4A639BB022408D1F572A.TMP"
145⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
144⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y2jejojc\y2jejojc.cmdline"
145⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E80.tmp" "c:\Users\Admin\AppData\Local\Temp\y2jejojc\CSC99163F278947379A6787F1AA63382C.TMP"
146⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
145⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etuuf0s2\etuuf0s2.cmdline"
146⤵
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3073.tmp" "c:\Users\Admin\AppData\Local\Temp\etuuf0s2\CSC5EE4E03FDA9145C799C1F03C24761C71.TMP"
147⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
146⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ohrrb1ph\ohrrb1ph.cmdline"
147⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31DA.tmp" "c:\Users\Admin\AppData\Local\Temp\ohrrb1ph\CSCD48D3FA16C048E8AFF376C52DAC7E7.TMP"
148⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
147⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gzo2ta1p\gzo2ta1p.cmdline"
148⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33CD.tmp" "c:\Users\Admin\AppData\Local\Temp\gzo2ta1p\CSC907B09CAE3D74EA992A23FF5AD1652C5.TMP"
149⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
148⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5zbldtaz\5zbldtaz.cmdline"
149⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35C0.tmp" "c:\Users\Admin\AppData\Local\Temp\5zbldtaz\CSC46FF8380B2F34615A99CAF5D0E0E9B2.TMP"
150⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
149⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtz0nj0o\jtz0nj0o.cmdline"
150⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3746.tmp" "c:\Users\Admin\AppData\Local\Temp\jtz0nj0o\CSC583E7115BD4453887F2B81F31FF905F.TMP"
151⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
150⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\44mjvf5e\44mjvf5e.cmdline"
151⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3968.tmp" "c:\Users\Admin\AppData\Local\Temp\44mjvf5e\CSC72E6D45BB7594FA8B4A82FEDDEDAF8F0.TMP"
152⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
151⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tzq2yyo5\tzq2yyo5.cmdline"
152⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B0D.tmp" "c:\Users\Admin\AppData\Local\Temp\tzq2yyo5\CSC350464F5F91B4139AE743EF745438C63.TMP"
153⤵
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
152⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jobiujp\5jobiujp.cmdline"
153⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CE1.tmp" "c:\Users\Admin\AppData\Local\Temp\5jobiujp\CSC3DF5E76675C74D7490F64A7B464A39DD.TMP"
154⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
153⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qeqr3gzi\qeqr3gzi.cmdline"
154⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E96.tmp" "c:\Users\Admin\AppData\Local\Temp\qeqr3gzi\CSCE1CAF01F654F4E5F941AF6AE9A6EF3F2.TMP"
155⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
154⤵
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ir4pdmsz\ir4pdmsz.cmdline"
155⤵
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES404B.tmp" "c:\Users\Admin\AppData\Local\Temp\ir4pdmsz\CSCEB83663538CE4F63926133CFEBF2684.TMP"
156⤵
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
155⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zlfmtp3l\zlfmtp3l.cmdline"
156⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41D1.tmp" "c:\Users\Admin\AppData\Local\Temp\zlfmtp3l\CSC30CA17C0A47A4D8E80A7B8EA9D8DC8.TMP"
157⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
156⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2wavjken\2wavjken.cmdline"
157⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43A5.tmp" "c:\Users\Admin\AppData\Local\Temp\2wavjken\CSCEB1C890359DB44A79EE7E48BE37D395D.TMP"
158⤵
PID:732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
157⤵
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5nxoqct4\5nxoqct4.cmdline"
158⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES451B.tmp" "c:\Users\Admin\AppData\Local\Temp\5nxoqct4\CSC60469997AA624115BDDF96DC8C7D3FD3.TMP"
159⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
158⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0onxbbw\z0onxbbw.cmdline"
159⤵
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES472E.tmp" "c:\Users\Admin\AppData\Local\Temp\z0onxbbw\CSC766C2734C48C42A6A255961CFFAAC2D5.TMP"
160⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
159⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v2ei1ouo\v2ei1ouo.cmdline"
160⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4902.tmp" "c:\Users\Admin\AppData\Local\Temp\v2ei1ouo\CSC96F2DBC085024B92889ED0FD302AD4A8.TMP"
161⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
160⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o3yaac11\o3yaac11.cmdline"
161⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B52.tmp" "c:\Users\Admin\AppData\Local\Temp\o3yaac11\CSC922BBCB9BACD4F719B73F491903DD04C.TMP"
162⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
161⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0szbegkm\0szbegkm.cmdline"
162⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D46.tmp" "c:\Users\Admin\AppData\Local\Temp\0szbegkm\CSCE2A01D78266D471184C56A7329729088.TMP"
163⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
162⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqiqf2h5\wqiqf2h5.cmdline"
163⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EDB.tmp" "c:\Users\Admin\AppData\Local\Temp\wqiqf2h5\CSC819538888707495B902092D5B362F552.TMP"
164⤵
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
163⤵
PID:732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vnnnbs52\vnnnbs52.cmdline"
164⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50EE.tmp" "c:\Users\Admin\AppData\Local\Temp\vnnnbs52\CSC58711645D1A749A49763977480943ABA.TMP"
165⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
164⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2detaug0\2detaug0.cmdline"
165⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5293.tmp" "c:\Users\Admin\AppData\Local\Temp\2detaug0\CSC4E536D9537E54A17B8F1EF7B75795C8C.TMP"
166⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
165⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aawfqt4u\aawfqt4u.cmdline"
166⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5512.tmp" "c:\Users\Admin\AppData\Local\Temp\aawfqt4u\CSCF0A04D3F9FB8479BB09B4FFDAB8C52A2.TMP"
167⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
166⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\poomualp\poomualp.cmdline"
167⤵
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES564A.tmp" "c:\Users\Admin\AppData\Local\Temp\poomualp\CSC37E25DC5D62A4EBCB88D46F5609E581F.TMP"
168⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
167⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5prl4yu\b5prl4yu.cmdline"
168⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES587C.tmp" "c:\Users\Admin\AppData\Local\Temp\b5prl4yu\CSC8E770BEE1B754685B67AC6607D316D13.TMP"
169⤵
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
168⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lpjn2t11\lpjn2t11.cmdline"
169⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E3.tmp" "c:\Users\Admin\AppData\Local\Temp\lpjn2t11\CSC17954915A8564C57ABBDE213225B4E0.TMP"
170⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
169⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kdmmnnfc\kdmmnnfc.cmdline"
170⤵
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B3A.tmp" "c:\Users\Admin\AppData\Local\Temp\kdmmnnfc\CSC1944C2F761594C1D8034699142EC7078.TMP"
171⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
PID:484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
170⤵
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fbrfjzib\fbrfjzib.cmdline"
171⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D5C.tmp" "c:\Users\Admin\AppData\Local\Temp\fbrfjzib\CSC4174155F6B8745C7B22AC511276BB671.TMP"
172⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
171⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eexuu5ml\eexuu5ml.cmdline"
172⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F21.tmp" "c:\Users\Admin\AppData\Local\Temp\eexuu5ml\CSC699FF2E446914ABDAFC6923083609A20.TMP"
173⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
172⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqklepfl\aqklepfl.cmdline"
173⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60C6.tmp" "c:\Users\Admin\AppData\Local\Temp\aqklepfl\CSC8E8A7D7C4AC54432B731BABF482D9E86.TMP"
174⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
173⤵
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xx1ltdsm\xx1ltdsm.cmdline"
174⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6365.tmp" "c:\Users\Admin\AppData\Local\Temp\xx1ltdsm\CSCADF4E8D54D234625B3D989CDE1653F5E.TMP"
175⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
174⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0hfkmw1y\0hfkmw1y.cmdline"
175⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6519.tmp" "c:\Users\Admin\AppData\Local\Temp\0hfkmw1y\CSC2A1BB5B4A2ED4B149AA8CD6088FA3F1E.TMP"
176⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
175⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qo53xpln\qo53xpln.cmdline"
176⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6671.tmp" "c:\Users\Admin\AppData\Local\Temp\qo53xpln\CSC4A030184C5C64BB4AA37F6126E8DFFB5.TMP"
177⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
176⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y4n1j1qe\y4n1j1qe.cmdline"
177⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6835.tmp" "c:\Users\Admin\AppData\Local\Temp\y4n1j1qe\CSC612B0886B70495D9C991B92913084B8.TMP"
178⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
177⤵
PID:352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4sulfulo\4sulfulo.cmdline"
178⤵
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES696D.tmp" "c:\Users\Admin\AppData\Local\Temp\4sulfulo\CSC7B33DCD626C4F4A8FFEA61D7F871483.TMP"
179⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
178⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t3mjzynp\t3mjzynp.cmdline"
179⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BBE.tmp" "c:\Users\Admin\AppData\Local\Temp\t3mjzynp\CSC24ED86AF2D0E4A63ACD3AA4DC6C441A7.TMP"
180⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
179⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qcjyq2ex\qcjyq2ex.cmdline"
180⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D05.tmp" "c:\Users\Admin\AppData\Local\Temp\qcjyq2ex\CSC8C4247ADAD5C457DA0958A129BF53B64.TMP"
181⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
180⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rdktvv3d\rdktvv3d.cmdline"
181⤵
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6ED9.tmp" "c:\Users\Admin\AppData\Local\Temp\rdktvv3d\CSC502954C9C655427080A7653B05BBE16.TMP"
182⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
181⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ojarjlmk\ojarjlmk.cmdline"
182⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7031.tmp" "c:\Users\Admin\AppData\Local\Temp\ojarjlmk\CSC20A46A75DB4949C796514F5FE7CF1BA3.TMP"
183⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
182⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t5i1ltyo\t5i1ltyo.cmdline"
183⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7214.tmp" "c:\Users\Admin\AppData\Local\Temp\t5i1ltyo\CSC8F22A79B1A1B4F06B987A41FF897EC0.TMP"
184⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
183⤵
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0tnhmbbp\0tnhmbbp.cmdline"
184⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES735C.tmp" "c:\Users\Admin\AppData\Local\Temp\0tnhmbbp\CSCFFFADF731D4647E7A419611E334A3BB0.TMP"
185⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
184⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1tzn15rh\1tzn15rh.cmdline"
185⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7501.tmp" "c:\Users\Admin\AppData\Local\Temp\1tzn15rh\CSC2F2E78798A6492583F550641C585171.TMP"
186⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1896403770-1191418589-375360378-1073107174114438597214213305361876971425447311441"
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "158796884611612127251970830815843305371532689960374439564-1747749125-1661372386"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7493551171106326255633561059-989549401-18717964081654729377-1976584264-107374000"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1748683053172953945773920507-823667611-1434221275-951241015484005941836524854"
1⤵
PID:1368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "41279695-388768684-170597166-4857657441655791491631594693-341934588-481054424"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1511399798-1925719532762726239-832436986-19058685911041270189-1391666800-788744467"
1⤵
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1906574426-80929924-1919923751848904231-21390848511092706724211778591-981384287"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "301954891619585741-524065849166104127317129104484118962881354473212230659510"
1⤵
PID:780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-461075638-195485992517065259631969470649-16257823849375832391388197903-179030229"
1⤵
PID:1076

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "810803000-9112999414863505381093647839598663609-29199257-21433877921062976952"
1⤵
PID:300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1284164147-1283210151-592098230-117473740-12559053516509030261351210660788237323"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2030383507-918499241590972502367325927-4756084611438788477639695060-1683145508"
1⤵
PID:348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1100704584-2230408198255148905134635-5074481791293475449-1009890996752370324"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11333512622111435359-1059111909-989128613-1107320466-2066806342-151009436522640299"
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1128994544352741536-1678619970-544922059593311243875281619-905662913-963085166"
1⤵
PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1823599726-51933885619738676681190014229197038035293051879428172691370696783"
1⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "417686301750419513995820611-720160805-19093228542046902089-1029311542-1157522902"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8980042441151841446374728281628181831853460432987305742-13274186481237015605"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6489554081216052728181334096-404888671-93831361912783352196019475371252617916"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17334356822640799111460448327143584547-2065991426-237790737-1024909525289372494"
1⤵
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-193038059819783608121619176718-18361266001759028251701509531-1367160602-203854390"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-388728106-1928318279-892487517-16019595321250157620-793526008-1750256021-336362451"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4479466681311391589-11790736991318732120-17297471751673057302-4796794101920065636"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20436592181485934761875870899240228072-1386066774-191337824619400458291058592149"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "465046893-5129954941199720382-15802884971763571459-17405665501084079102-1778594665"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1479739836-275986382-1237573380-10827739761246274311-557683387664169299-1600775180"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "25698108372153423561344499734740348983744994486623595714177125751100402135"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-976200473141565256972546380-20739923712602486615373644351173352740-1259996432"
1⤵
PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1964367147-1678720939-2004565240-991593356414587745-1155390841296334843-159639400"
1⤵
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2bufnzue\2bufnzue.dll
Filesize
1.4MB

MD5
6e485d8053621760b238054af7a4529e

SHA1
f5d858e40756891f5ca298ca9da390061b68f855

SHA256
1c76cfc8ae049a3a25cb6f744c6f6e7bf5c5cd59eb1f2a7b5cb5764a82d06588

SHA512
94d38d627fff357dae3d98b0a5508f29ef108f7b4b1d190e53957f313d42796a95606d7e5e27990bf761739158786a0fce58cbbd21e491b5c2c7ed2be16e011b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2108.tmp
Filesize
1KB

MD5
224c8c07c81de7211b678b27bd53a6be

SHA1
2c6208573f20f98af2259c9ecb474f35aa0dc0d6

SHA256
6ac018c8fe38657e34da55041ce76fc1600745963b15d62b9d65b1d2a00d7495

SHA512
78d3bb330c9b7f97a451426ac8d422afd7741992e0defb85c085da80136cfa554366a631b84ec653f32e4b35ec9c161c58f9e9d8d7942d989f89271c171f4b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES23F5.tmp
Filesize
1KB

MD5
3a4878a9154cbb61f9974782525ae6e8

SHA1
9b762c4125984e5f20790727619d4d1b58eae1d0

SHA256
1fe231c87dd59307a241f4c9554b4024acc73e20447ffc0df6a15d9c419f808a

SHA512
5847543acc147468bcd1d87559303bcfa08a28c42c3911ae73806e1a87c6fb80af5bdf8675afa5ca2b8da521d067a4723c038b142bd10c7ac146136b4ada04ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES278D.tmp
Filesize
1KB

MD5
ed579c6fbe089ec69fc72e2db852e6d7

SHA1
60c885ef7dbc020d55751dece265572f436f0a79

SHA256
8643869b94e676c90f52b8158d558732ee4d44e914fce56469e7d1698f7f10d2

SHA512
83b60a2ef3ff0e028615214ec4e853f5fc1a510de8d268efded92be3fad4ffe76be5f8f8794f13fbf2c95e6f0336afcd6004d6a62fe3377d9c48b1c00f358460

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2AE7.tmp
Filesize
1KB

MD5
b0e426d70258b06a44e91e35802d139e

SHA1
cd7f0a87ded2d2ae7f758a46383c95d9a60962b4

SHA256
4c7367e6fab96fcbb74addb2ee986079f65e010526ce2f63aaaceda35f2de1ad

SHA512
12c1616d82553756682f81ad6c379107a7df9b756d8a1d99dba1ade36992e7be38ceacf515d0f3720a50b7a26dbbf04bb905cc1856b496dc2a995fd59b4b9388

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D76.tmp
Filesize
1KB

MD5
32f0d02bad80b9130a740b097dc076b7

SHA1
d7cfcde9fb5077c8fd4c8315c8a899aad153db5b

SHA256
e05aa409873c6bf5e9c9dfbda603568c37c1f621115041e1cbf5e3efcdca3a22

SHA512
7bcf5271191f5882aee758db0b8926fa72906a56f521c59b9cddf36aefadae9d5f30dcefcf8e4bbc911020d8c911e10d9cd1619753e5ae09994b1f24d47c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2FF6.tmp
Filesize
1KB

MD5
2d34300d6d2efad8c23ff1ce66fcccc4

SHA1
cba41135228d0ed4fd87654f8e5b55fef7c2ac17

SHA256
f37d7178cb3b303c08c3b22ec481a7ce8721192c11ca74b7206e02d512a7c2f1

SHA512
7b92f19e64784bda360b8e72e7f2747bdb1ce06bf50f0596ee390cbea205d89fee9b0861f427b460c94efa7a27ecf3e155bd01af53a8e1e275ee6cbdb25e8940

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES32B4.tmp
Filesize
1KB

MD5
95896bb85226ed9b4f68f6a83178562d

SHA1
8db5459600ef2ae016c326f803a9e8ab14ac3e5c

SHA256
535f813ce94ff8c4650e34c27119cdd618c5df0e88116a636355a338e85c6173

SHA512
f2871a447d1dbc669b555964d2d00ad89f5ed9d716fb0719afdb5d8653253cd672f9f7d1e724f7eeacbd22f47961ddaa2e67d5b6dbadafb1974940c3e4aa04e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES367B.tmp
Filesize
1KB

MD5
1b596c9aafd0645c1d0ef994248da8ae

SHA1
0d38c43bf0017b54db00fc888700fa6c39104b01

SHA256
c615b9efbd5e64d689dfde666cf693acedf518dfdde454c0bc85a1b282b348a5

SHA512
a2d7c923c3e470bfe917f422dfdaa02b974f7c30c3afcaabb6df768bdf2627b045bf771909ad6110bd19feb9c0064e6388761b8b68f77f97b83dbb1af5fd81c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES387E.tmp
Filesize
1KB

MD5
6e3a200558fe5a1a70248bac6ff45572

SHA1
ac7a0bfeb66428d5f536d66caf9e49d118280856

SHA256
1b8273063a6b7607fdc5279bc81a21f93ffc38ea06302fcb8d9a0bc8e011e575

SHA512
64305ba2d49d31516b2e8b159aeb7ab48e3d340a350ce5568792eae68fdacda2e1d3354c70fba731099476fe10ef58b33fac11381ed0c6bcb83f7d5a15c42be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A62.tmp
Filesize
1KB

MD5
cd981be58bbf084a5b1452f8718a6910

SHA1
a0d735ae448f24be46bcde3c6994e3fd854732a9

SHA256
f26d59f15ff2428052c4d3411f18840f46d2350c041a82ddefc9804689fe0dd6

SHA512
c13a920ed8f1385db80f7dd1fa79e83b0d430a08ab2688106ab5b3dc1f633ef90802e8fc359769d4f3dabafbc0e88cc7cc31877beaed8ecca99c07f25eda334b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3CD2.tmp
Filesize
1KB

MD5
656c88b198550ab80957f1dbada1f85d

SHA1
afbfc90f05af7fb814dc4df3948753f1b82fc8bf

SHA256
a76e0baca0fda4332ecb45bf215439848b3438760f0917428c480fef97d61741

SHA512
18f7eba154ccd0546d580681c12e881938e826c9f7ec9b2aef4524e680313b872d313d5fc46e11b422597b4f450783ec1c514ebec4fe3e5980f38fb83dcb99ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4kkd2dn\e4kkd2dn.dll
Filesize
1.4MB

MD5
f5620f634d1d7854cb874d0f0b6c11cd

SHA1
5a18cb30f279c6c1c139e965aba947ba783fba41

SHA256
49cb17fe798c9d7f440aa06eee99b9f91f473837aa9b3ef07bbbe0be674cccab

SHA512
12060cf50de759671dcf5e876fcca1f9b2bddf8d7d2cd9b581e8d88e0dcad58111eae7a53ff46cf42656f523bb9337f4337a4fa73adafaeaf71a90689d943ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmltmjot\jmltmjot.dll
Filesize
1.4MB

MD5
64567af81ee45fbacc6070bc5bac25bd

SHA1
a32b352af48c4a374cf0a3967b299f967aad2f38

SHA256
b84acd116fff44427e55356e542d825bd2f75f533767b5c41e163f873d5da2e6

SHA512
8d5b9d561fdbfbae35097903c6a9f5995922c18ee603f48b36d1da5ea1e499e45bf6935efebed317ecb1a7fc973ed37b062342df6604400ab3d1b38a34d1b51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwpzfxcn\jwpzfxcn.dll
Filesize
1.4MB

MD5
37b3c64a00c3b652db6afafe9e489038

SHA1
aea71ada3e90db1c86833b505e2e226259b0d713

SHA256
ff737b8c1f99b3181f0d18d281538500662b7848eb319bc55b19d5ae4e995d11

SHA512
8b724111cffdd4bcb8fffcc157fc45103f769f09f28fc40bdad9569aac8985610b562a26858b4f5bf48534ae7eac6bb1b289b59495c556dcd382571295103cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbvin2x0\rbvin2x0.dll
Filesize
1.4MB

MD5
06354eb32a34505f94e45b26968c966c

SHA1
b098343576acfd9449b4f36c5cd9f9c2413fd7ee

SHA256
136116b757cdd1fcda26ea0dc658f73b7b5e87505e8496fbab9849174af869b0

SHA512
6d7243a4db19f249697a3b7b42189617eb3747841c083313a8708820ba20e96c786f34c1347a38fceb719c0f508055f0945249e3cfea3a13440e623c35214344

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtqk1qrv\rtqk1qrv.dll
Filesize
1.4MB

MD5
f2ece0a4b38f6aaf495c393144351646

SHA1
6fb8fcc174d2ea27f53ce4dcbf17f27bd3737970

SHA256
7224046a4c8f14b065178ec8082b1cdc54d47c5f86eeee2a3ff7c8f2b84c252b

SHA512
f4ef7640c694fec1403be09c08f818d9268160785e4b2fd6eea2c18cb628917956249919f66e5b7de0cdbcf0893170a1ff00ced5fb8e85cd9148bb8fd84d0f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdtvn2ph\tdtvn2ph.dll
Filesize
1.4MB

MD5
284b95e1f734d9849fc53e8bfee8f951

SHA1
33702f4d00b6f2862beb56843df22b8d8884c626

SHA256
0580229f70f1db636aaeb83ca3a256b9734f736a1be2d82eecd73b2bf91c7d6e

SHA512
481efa908bdf22e8228e6ae14573d58990eed0c11875b1c36ebb8178fe1717c5b1a88f3b248e4899f0a3d2be209d7ad6965746e4f6806b7e85fff2679446a8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnxovd54\tnxovd54.dll
Filesize
1.4MB

MD5
60fd8bbe0d21673795d3d2a3a657dd75

SHA1
c1ad4f3304900ee209eedd7fbfe02f77b9640435

SHA256
338b5f5164c6ba570ebdb91c21f07d0ad16dc809cf3c37d556a6dd94e5a216a7

SHA512
2b9fafbbd7b04be7d8f68168cfa55037f311222e25606d68425c96c5cdc265ec1a7a1bafd9084c6d3082e764d888d98c656b77ff7ff0051e873656bcd71df2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\to0zmow3\to0zmow3.dll
Filesize
1.4MB

MD5
a8f71a376aa92bb14cdbe7574be7a406

SHA1
37483b50d856f9f4b1e802feaead742794c01a56

SHA256
3be89a3f36b3a295a671b1dacb7ab0340b227429ca58429fb0d93d41914f6bae

SHA512
b11fe5618b91e93273edf65d5584e9aa2f86a4e7d4fadd48f20b67b5e69dc51af62c5c7f971c69706612eb449d6f1910c7b8ad68efb89ac63f206fe35e96ef3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1btixp5\y1btixp5.dll
Filesize
1.4MB

MD5
2bca0973083c9353f2549a887314e777

SHA1
a7978516d16c49750302c5b04c4169f2e17dc820

SHA256
27f935f67ef452a1fbb89090881dbbd8e5b2d92e6b73e2856ad89790d8a94837

SHA512
abe81341945d28cf92bbefc96ffeef38fca5618519ce9ce85b0a8888662ae1091bd8753fde2aaf29025c9ac7474203c1c752e65f4edef772c95a77ea18c1bad0

Download Submit
C:\Users\Admin\DocumentsWebSocketCloseStatus.txt
Filesize
2.0MB

MD5
d510225b94b0ebe2d5414699b2a89771

SHA1
3e79f1ea8c96ed35a27247227c533c5c4dd6010a

SHA256
01d57933cac2d50b0b439e322323f20b0083302f1ae80263ff151f3390f4be24

SHA512
dc28498c4b43efcbe4969e65cf6f509a352fb2221905a1eeb43b955bab2ed55852e8167d13f9dc83b736c8b0ddd6b270d8d7c120720fb6406279c17aaa43e399

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2bufnzue\2bufnzue.cmdline
Filesize
301B

MD5
0677a1ec17594c54ff9efb9bf6047634

SHA1
62ec8b0e3254ebd3b51a35fc749825018aa9f8e5

SHA256
41f5d33c3bbbeab4d4f964446f6a01658c72910cdb8aecd10a947df2e64498ae

SHA512
6703816c579feeab87957c0dd48438eb22259a852e72f6d3529649f52314dd43821c450fe40ff50dff7309da44381aacbba34d4c54cc0c4a9dc28ad74305a06b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2bufnzue\CSC73882813913A422392EBE1548DAAC543.TMP
Filesize
1KB

MD5
7b81e328e7ea3bb5353009c8eef44dc0

SHA1
ca48e75d109d57324c00676b9893c113d85fda3e

SHA256
cde2289e581bd8929c0d5caf2fff3e7bb45bff601cb9edcf5de1400d186f9469

SHA512
dd162c9db3629f7ab062abc76289d7c6b6ed6ae7ceb506b753d35aa74f86fbd1417e14784420f14c3678834a240dd7d46576440eedeea83abda5b81e42f62143

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4yysp0pf\4yysp0pf.cmdline
Filesize
301B

MD5
bd816539ddf10347c61cc6cf8178f336

SHA1
b52d8f80375c659c69677ee255eb37a43655ccaa

SHA256
8572ce0488390115ae9fe1b96882b95b52a8c97adb9a0c7f0efb3c2752e6ac16

SHA512
ca31977708b08b1eaac4e9d6789f78d4c3827d91c983733abc3ac698e9eb41f35d19af09730a19c6fac02fc9fc4be47421636ae3808469ba5c24deab607543ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4yysp0pf\CSC6B854E7BBFA34C0C9C94C35BD92CD662.TMP
Filesize
1KB

MD5
801db19718f69e40eb60bd2513b0e660

SHA1
3bcdd898282c19de66a076ea61c1d1e984c0433f

SHA256
9b0cc758ce5472eafc5bd2fa6fd333b3cfb4eb68eab1fab988be6e0cbe2ba899

SHA512
f9eb44e51085906c4a92e84b4d82475d94c1a327398f90645e9f4fe630994e53e2d7dc40e924da0c2948ed1945a334df0e33c28f88f2a5f8e76c4225a163edfc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e4kkd2dn\CSC61662FF4C9B0495BB172EA3BD7D4D12B.TMP
Filesize
1KB

MD5
2f363ea342881632ef4f475e350fc0e3

SHA1
19a6d670dad5e61ad81c3f55068a1c21ff297a98

SHA256
f9e5fc542c2bcdcc6cd69102f9e8bffd3cb3705214906cd4459333f7b188ef54

SHA512
2ae071809da5706c0d8ba0ec9048eba31e15accd82b38533ae7ba44dc7ee23a852625419c0f812e0310ead4c9b2948e5e7b7a0d215db0a22129b8951bb0010a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e4kkd2dn\e4kkd2dn.cmdline
Filesize
301B

MD5
8232f9ed31ce0f4cd03d01d21f574dd8

SHA1
661fed34b645962c3b2ee5bea13b373b6e245dff

SHA256
ceff95cc2bdd90f9e1ea26d9ef536a02875741756d4a26b0f9bb6b6a4eafea56

SHA512
6840a60b47539f8602f07d1fbf3b88472595ac55ee98fb5ca71dbbb0e7cebdf4aeef4bb7092451330ec2408fa4b1b843947c3a89cee6eac3ca100f82ebfaf606

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jmltmjot\CSCC703CA0A8B624A2092B4A27A81AEE23.TMP
Filesize
1KB

MD5
99b0abe0e9d48ba902287f4557e25388

SHA1
5d51595846a32cd8a822145a08115208425b2051

SHA256
091123f15c4b2781bb61537ec45b8ff0b68745b3547e0492134e9c6988b86255

SHA512
c2b9946f41cad47ab26c51be16a5d10be4f0645f459388ccd60651237bc76d59f2fc1aa924c076300b53f7fea711e1b3c53ccec945cfb9dbdaf0af8f30f47a16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jmltmjot\jmltmjot.0.cs
Filesize
2.0MB

MD5
3add63d70f7cf265c31ad4493b45a28d

SHA1
b125041f6d712116143020fe3b4c0deaab678143

SHA256
f20c56aaf9f9f21eb0e5cd84d863176f442d8bb0a59ec2ae4f91c928a4754bda

SHA512
e4614a662da9db59e126885ea8e7c42e605438e3a09dd7a71b4a5ea8a0182bf8a2a4f6c0fefa5761bb24527940cddb6644a1e27537afac9231fcddbc297b4a9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jmltmjot\jmltmjot.cmdline
Filesize
301B

MD5
858c4c35ed7995bf9ee9ada9b86fd756

SHA1
2713ae3628b12483d1c750a3f2448e36f4c22360

SHA256
16078e98ff4b5ddd3f908fe2398670570e813a4816c6866cc456e1fb245904b4

SHA512
8a58f5747b2d69e03b5b995fc6a095223ac89087d8435c67913e131200ce093dc6cb25914e1ebfaad7c0b000085fbcc0893e3ca90f0a991e75a75bdc0bf3a66a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwpzfxcn\CSC15B5007980C64D168420D49589D4A77.TMP
Filesize
1KB

MD5
7dafd5cad3c1d1bfeedfb0d861a5fb87

SHA1
9062dba9da0a5f606aecdc55c77976c88fb7c2ca

SHA256
0a004a4e6bf096674b82bd3f00cee28e0ead089a4191d123b5d9548ae82fbce7

SHA512
317e60d5304ef92b416a8f7af5f37efb12cb83899b46d691e06ed84280c7df47531bd802c6380a38c34bbb91213be9437bef20b769dcf85b5b2a48784eefff77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwpzfxcn\jwpzfxcn.cmdline
Filesize
301B

MD5
cc9d20d33f96bd55cc7983485d7a79f1

SHA1
c8bce2569607133febb5f40041d4c25317f51804

SHA256
89fd6d864c09dd7b2a3247eb9bbd2f518d69166aea46294935c3bda957cec8db

SHA512
dec6d429b72ad44c1c3165fb6237d5506620e4017e8c39def7bf1a2a3bfc238bb7c0c31d4edd95261523e5bdc4da84063b0224512e57bc1c50d4f958917225f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rbvin2x0\CSC15B017D68F814E2490D699749436FFA0.TMP
Filesize
1KB

MD5
77fbb8894049bd7c026e95f27374aae5

SHA1
6e646a261f3e18d0a9a629cd45abe434aaf7559c

SHA256
d18cc3912e87633f2a304bf34f7c76f3d6365df7d53150c9e15bb49d654e6982

SHA512
d33c1cd18181240b381c6792dcad9edd9545a1647b3ae2b6070ca52e202b021f2d2e3db973f2ec4c2914aaec6b4988cd05e715f170fb7ddd75e1965905dc8edc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rbvin2x0\rbvin2x0.cmdline
Filesize
301B

MD5
2974dcc0b6eb4b0805b853abfbe9dead

SHA1
b0bd54b8454896d625bdfa01ee67ab190f0709f3

SHA256
8fccdef71e5babbbf5d324bf7eac602d4fe51fdbba549cd08d2ae4117d41a84e

SHA512
58c31fceb87acb8d789b44305761656b47fc3349047b8db27abbaedd6c3895b06b533756387428b4d49ee29fd61f14e15de86bdc6a382912b96ba419ff872435

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rtqk1qrv\CSCED9F6F2B9F74892BF7E26EC16C4BF13.TMP
Filesize
1KB

MD5
81f1ac7daad826c045dbac131a798879

SHA1
4b394a51b55cb856bac692e2a4859ae7e8eff51a

SHA256
f1e85cb990f7c61e973c9cf27dfb87138a7b1776c626f7370145e06d2a792ba8

SHA512
d63b53853a4a5406565579482716db6f43239baebd2448b8bb12c9289c434b428a0759ca7905c820af4750ccb8da72c1273d04ba935de6451c89f5add7fe21d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rtqk1qrv\rtqk1qrv.cmdline
Filesize
301B

MD5
657c902b7d7bfa757855eb7ade9d5321

SHA1
76d35a87bcbbbd11d880b95eeb851e18a27ba426

SHA256
4f777d2ecb5b592563da11fcc765a7cf6df0197e56b7d992cf1f69b267df3520

SHA512
0e833fee7719dd5a88fc62226f87d9bd60fc909a010ff692ace0dba8839380d29fd826dabdf44bfbcd3051d83ec42f4f62d751c79a4bc37d059c20750e488849

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tdtvn2ph\CSCE4707B00C65F436B83EF95B2D525EABF.TMP
Filesize
1KB

MD5
b97b9731b74991f1e6d73e81b23ffba9

SHA1
b4a78f790d6aa8b0af29e6b8fb9470d4f464a1ae

SHA256
14d9792af87a7880a2fa3c5236268d9a551a7bfd3289442e95432534150eac30

SHA512
c9d1f0b1b861d6208539b9d20391629a43f62b7be306213fb7e87ff57943a1b396dc7588ac2517e59b11c05d36b5dddb1a0277b4ebe03ee66f8b5ae91042ca0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tdtvn2ph\tdtvn2ph.cmdline
Filesize
301B

MD5
0408b0e20aa7073364075a4cb79f7c5e

SHA1
263fb6c7227c214c70f43e85ea008589e834b281

SHA256
9669fb3be0fca22dbdeab95341839ac612df8276ea55cf0d6ab6d69ffc64e4c1

SHA512
1c556999887aafacf75a4c3b2df0c455f831e4a13225ff93b574797b9ea495ae832ae99adbbce769c8e40115d13dc63c7460e1c50074340ae760529ac4cff6d9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tnxovd54\CSC884A9E055DD8446DA5711C3E32ED4D85.TMP
Filesize
1KB

MD5
691048a3f89872f86aecaaf04230c46d

SHA1
11ef9a613fd566b70a39a2d7ba38a07899a7d421

SHA256
c3199ef3fd03163e82ab1ab986b593dfd1f13796f25ca60f76c6e33b98dd0cc1

SHA512
fce6e4730d2c4a7baa1c159fdd65b5933c67e20ee32b7a7c2cafd096dfddb5b6ef22fda384ce6c2bf5ac6fb665073d523ecd54a08fcf75f1ed1face9c3dd77a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tnxovd54\tnxovd54.cmdline
Filesize
301B

MD5
af5884e31c7e07bafb5a1c6dae257cd5

SHA1
6322b161410b277d79238e16fc6e68280c7207ba

SHA256
2a44b8f1ad12060f29f5e1db4d16f3143cde33c8b97313e609e2e075d77cb798

SHA512
f59ff5ac391dca9a91d31ddc349f06887a1393def4393621fec8bac54f6f49ade5f02a9ab52d00ff933e3f82db5e575b9668cace896b746da6eb29f9433349e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to0zmow3\CSC48944E81E51A4BEF9D817CB1905730F.TMP
Filesize
1KB

MD5
da201473967e03b6a37afd69c8eff170

SHA1
cd7ad8c7bc0b506778fff39ad2f2eb01ccae5df6

SHA256
9cfc4c8ce37d226b44b2c19d15c26f6c257ef16650de3513a4ab9a21438d2005

SHA512
3e7ca7efd387caf32bc7a99581edca69fbca0a0419a2c4bd2b8360cffc332dcfa2605bd5d31a3c0c1badd209978eaec0db81b6ce99a52fec6825f75990d07651

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to0zmow3\to0zmow3.cmdline
Filesize
301B

MD5
a2b4afdd0a40b553eff5ee8f01c8edb0

SHA1
daa00ed5e489bbabc23ff12221fcafd5fffb1877

SHA256
226f4af9c415ebd08043b5ada8c701018d2eca46a24e78d5b491a4525b2b5bc2

SHA512
e1a4be3440981137005dfc29a987ed2f224b87930974e24822b0f48746fd5e8681bf3707a015de476d045cfffc4769a4d69fab0922090f754575c750704ba8a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y1btixp5\CSCB3741DE0835245508EA264C16538199.TMP
Filesize
1KB

MD5
6730393c7a6796697a1d29f95879664e

SHA1
b5310c62d38fe4df6dc0066218e68cc804ee8342

SHA256
c5e249f06810bbadb62b0f5af611de6032dc9cf31b779dc238f49e322734dff0

SHA512
5be5739b3ccaf2968b27d49fd55c909ed16ae2cbe61fd30a939eead0df46d9ca0a2e84a6d821e6737ffceef8a063456ad53ec115f011c528a02712ba5f4420b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y1btixp5\y1btixp5.cmdline
Filesize
301B

MD5
9339827ae2eb01d069d3f653963570a9

SHA1
8ae883fdf90aaa80163dce96290f680301aef00b

SHA256
53d8320f42fde5044755280402ad7d43f118de6cdce92a165650fae8571dfd22

SHA512
5226464a83c0e93868cae72431e8ef240d6944efc4ac17dd5da2100d7bf37ddad8136de46d11f9a0a5ce0fad046211272324c73edbcd2cf43fde7564f6b80117

Download Submit
memory/292-275-0x00000000050D0000-0x0000000005230000-memory.dmp

Filesize
1.4MB

Download
memory/336-513-0x00000000048B0000-0x0000000004A10000-memory.dmp

Filesize
1.4MB

Download
memory/344-779-0x0000000004F20000-0x0000000005080000-memory.dmp

Filesize
1.4MB

Download
memory/376-317-0x0000000004D30000-0x0000000004E90000-memory.dmp

Filesize
1.4MB

Download
memory/568-1017-0x0000000004DF0000-0x0000000004F50000-memory.dmp

Filesize
1.4MB

Download
memory/628-933-0x0000000004F70000-0x00000000050D0000-memory.dmp

Filesize
1.4MB

Download
memory/656-485-0x0000000004E80000-0x0000000004FE0000-memory.dmp

Filesize
1.4MB

Download
memory/684-765-0x0000000004DA0000-0x0000000004F00000-memory.dmp

Filesize
1.4MB

Download
memory/752-947-0x0000000000CC0000-0x0000000000E20000-memory.dmp

Filesize
1.4MB

Download
memory/760-457-0x0000000004DB0000-0x0000000004F10000-memory.dmp

Filesize
1.4MB

Download
memory/812-611-0x0000000004F10000-0x0000000005070000-memory.dmp

Filesize
1.4MB

Download
memory/844-625-0x0000000004BE0000-0x0000000004D40000-memory.dmp

Filesize
1.4MB

Download
memory/868-1171-0x0000000004FC0000-0x0000000005120000-memory.dmp

Filesize
1.4MB

Download
memory/1076-247-0x0000000004610000-0x0000000004770000-memory.dmp

Filesize
1.4MB

Download
memory/1076-1199-0x0000000004FA0000-0x0000000005100000-memory.dmp

Filesize
1.4MB

Download
memory/1124-261-0x0000000004DE0000-0x0000000004F40000-memory.dmp

Filesize
1.4MB

Download
memory/1224-415-0x0000000004F30000-0x0000000005090000-memory.dmp

Filesize
1.4MB

Download
memory/1236-174-0x00000000023F0000-0x0000000002550000-memory.dmp

Filesize
1.4MB

Download
memory/1244-681-0x0000000004E40000-0x0000000004FA0000-memory.dmp

Filesize
1.4MB

Download
memory/1252-471-0x0000000004A40000-0x0000000004BA0000-memory.dmp

Filesize
1.4MB

Download
memory/1300-877-0x0000000004F80000-0x00000000050E0000-memory.dmp

Filesize
1.4MB

Download
memory/1308-751-0x0000000004D50000-0x0000000004EB0000-memory.dmp

Filesize
1.4MB

Download
memory/1316-835-0x0000000004DA0000-0x0000000004F00000-memory.dmp

Filesize
1.4MB

Download
memory/1336-821-0x0000000004E50000-0x0000000004FB0000-memory.dmp

Filesize
1.4MB

Download
memory/1356-891-0x00000000048E0000-0x0000000004A40000-memory.dmp

Filesize
1.4MB

Download
memory/1432-1031-0x0000000004E50000-0x0000000004FB0000-memory.dmp

Filesize
1.4MB

Download
memory/1508-499-0x0000000004EE0000-0x0000000005040000-memory.dmp

Filesize
1.4MB

Download
memory/1508-373-0x0000000004EC0000-0x0000000005020000-memory.dmp

Filesize
1.4MB

Download
memory/1508-233-0x0000000004E90000-0x0000000004FF0000-memory.dmp

Filesize
1.4MB

Download
memory/1528-653-0x0000000004DB0000-0x0000000004F10000-memory.dmp

Filesize
1.4MB

Download
memory/1592-1101-0x0000000004C40000-0x0000000004DA0000-memory.dmp

Filesize
1.4MB

Download
memory/1616-961-0x0000000004D70000-0x0000000004ED0000-memory.dmp

Filesize
1.4MB

Download
memory/1620-807-0x0000000004E80000-0x0000000004FE0000-memory.dmp

Filesize
1.4MB

Download
memory/1632-154-0x0000000004D80000-0x0000000004EE0000-memory.dmp

Filesize
1.4MB

Download
memory/1636-401-0x0000000004E60000-0x0000000004FC0000-memory.dmp

Filesize
1.4MB

Download
memory/1644-1045-0x00000000045F0000-0x0000000004750000-memory.dmp

Filesize
1.4MB

Download
memory/1768-919-0x0000000004DF0000-0x0000000004F50000-memory.dmp

Filesize
1.4MB

Download
memory/1768-1143-0x0000000004DE0000-0x0000000004F40000-memory.dmp

Filesize
1.4MB

Download
memory/1784-1157-0x0000000004F60000-0x00000000050C0000-memory.dmp

Filesize
1.4MB

Download
memory/1828-72-0x0000000004DC0000-0x0000000004F20000-memory.dmp

Filesize
1.4MB

Download
memory/1860-541-0x0000000004E00000-0x0000000004F60000-memory.dmp

Filesize
1.4MB

Download
memory/1984-569-0x0000000004FA0000-0x0000000005100000-memory.dmp

Filesize
1.4MB

Download
memory/1984-359-0x0000000004E50000-0x0000000004FB0000-memory.dmp

Filesize
1.4MB

Download
memory/2004-194-0x0000000004C40000-0x0000000004DA0000-memory.dmp

Filesize
1.4MB

Download
memory/2060-1185-0x0000000004CC0000-0x0000000004E20000-memory.dmp

Filesize
1.4MB

Download
memory/2060-345-0x0000000004D60000-0x0000000004EC0000-memory.dmp

Filesize
1.4MB

Download
memory/2088-975-0x0000000004DB0000-0x0000000004F10000-memory.dmp

Filesize
1.4MB

Download
memory/2120-289-0x0000000004E90000-0x0000000004FF0000-memory.dmp

Filesize
1.4MB

Download
memory/2124-1087-0x0000000004DC0000-0x0000000004F20000-memory.dmp

Filesize
1.4MB

Download
memory/2132-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2132-19-0x0000000000DB0000-0x0000000000E38000-memory.dmp

Filesize
544KB

Download
memory/2132-25-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-46-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-1-0x0000000000E60000-0x0000000000FE6000-memory.dmp

Filesize
1.5MB

Download
memory/2132-7-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-17-0x0000000004E80000-0x0000000004FE0000-memory.dmp

Filesize
1.4MB

Download
memory/2164-737-0x0000000004DB0000-0x0000000004F10000-memory.dmp

Filesize
1.4MB

Download
memory/2232-1059-0x0000000004870000-0x00000000049D0000-memory.dmp

Filesize
1.4MB

Download
memory/2280-114-0x00000000051D0000-0x0000000005330000-memory.dmp

Filesize
1.4MB

Download
memory/2300-905-0x0000000004DD0000-0x0000000004F30000-memory.dmp

Filesize
1.4MB

Download
memory/2316-667-0x0000000004E10000-0x0000000004F70000-memory.dmp

Filesize
1.4MB

Download
memory/2320-989-0x0000000004E50000-0x0000000004FB0000-memory.dmp

Filesize
1.4MB

Download
memory/2368-1115-0x0000000004DF0000-0x0000000004F50000-memory.dmp

Filesize
1.4MB

Download
memory/2404-863-0x0000000004E50000-0x0000000004FB0000-memory.dmp

Filesize
1.4MB

Download
memory/2420-849-0x0000000004FB0000-0x0000000005110000-memory.dmp

Filesize
1.4MB

Download
memory/2436-94-0x0000000004F10000-0x0000000005070000-memory.dmp

Filesize
1.4MB

Download
memory/2472-583-0x0000000004910000-0x0000000004A70000-memory.dmp

Filesize
1.4MB

Download
memory/2520-61-0x0000000000860000-0x000000000087E000-memory.dmp

Filesize
120KB

Download
memory/2520-74-0x0000000000A60000-0x0000000000A8E000-memory.dmp

Filesize
184KB

Download
memory/2520-75-0x00000000009F0000-0x0000000000A04000-memory.dmp

Filesize
80KB

Download
memory/2520-56-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2520-54-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/2520-62-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/2520-59-0x00000000004D0000-0x00000000004E4000-memory.dmp

Filesize
80KB

Download
memory/2520-58-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2520-60-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/2520-57-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/2556-443-0x0000000004D20000-0x0000000004E80000-memory.dmp

Filesize
1.4MB

Download
memory/2592-723-0x0000000004800000-0x0000000004960000-memory.dmp

Filesize
1.4MB

Download
memory/2628-555-0x00000000049B0000-0x0000000004B10000-memory.dmp

Filesize
1.4MB

Download
memory/2640-214-0x0000000004DB0000-0x0000000004F10000-memory.dmp

Filesize
1.4MB

Download
memory/2652-1073-0x0000000004F80000-0x00000000050E0000-memory.dmp

Filesize
1.4MB

Download
memory/2664-331-0x0000000004860000-0x00000000049C0000-memory.dmp

Filesize
1.4MB

Download
memory/2704-695-0x0000000004CA0000-0x0000000004E00000-memory.dmp

Filesize
1.4MB

Download
memory/2704-1003-0x0000000004E10000-0x0000000004F70000-memory.dmp

Filesize
1.4MB

Download
memory/2736-134-0x0000000004DD0000-0x0000000004F30000-memory.dmp

Filesize
1.4MB

Download
memory/2760-429-0x0000000004CF0000-0x0000000004E50000-memory.dmp

Filesize
1.4MB

Download
memory/2776-527-0x0000000004F00000-0x0000000005060000-memory.dmp

Filesize
1.4MB

Download
memory/2780-24-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2780-22-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2780-20-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2796-639-0x0000000004E50000-0x0000000004FB0000-memory.dmp

Filesize
1.4MB

Download
memory/2840-41-0x0000000004E50000-0x0000000004FB0000-memory.dmp

Filesize
1.4MB

Download
memory/2864-1129-0x0000000004A10000-0x0000000004B70000-memory.dmp

Filesize
1.4MB

Download
memory/2872-303-0x0000000004D00000-0x0000000004E60000-memory.dmp

Filesize
1.4MB

Download
memory/2888-387-0x0000000004D30000-0x0000000004E90000-memory.dmp

Filesize
1.4MB

Download
memory/2980-597-0x0000000004C90000-0x0000000004DF0000-memory.dmp

Filesize
1.4MB

Download
memory/3032-709-0x0000000004DD0000-0x0000000004F30000-memory.dmp

Filesize
1.4MB

Download
memory/3060-793-0x0000000004CF0000-0x0000000004E50000-memory.dmp

Filesize
1.4MB

Download