nanocore | 2437c4e083c09345250b2311dcbfad2fe82621af546731d0f42daabbe39388c3

Analysis

max time kernel
129s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Size

1.5MB
MD5

58174d87903175d3435b0797c5cbca72
SHA1

e42c5a98a75fc6ffc480d719556fba3265f7b031
SHA256

2437c4e083c09345250b2311dcbfad2fe82621af546731d0f42daabbe39388c3
SHA512

0adb71645c9de03f63dc356ba2edb31ea6985dbefa97f2c1171261c865024cb7044ef18c49a529b3fb91589543d021e9a7d19d6b9c0e69872175c2ed9e2c93ea
SSDEEP

12288:W2qwfRCYMBclU/wuAnJ+RPVSHqiXZcsTswguUGK/dCg1dz50TROAc7nPEBHXg/FB:aeMq+GD7GH1V/Eqj6w3gsZlkQ

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

185.244.30.251:1122

meeti.hopto.org:1122

Mutex

dda54657-0c32-4980-b0be-517d79e7c1a9

Attributes

activate_away_mode
true
backup_connection_host
meeti.hopto.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-09-13T04:25:33.342614336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1122
default_group
1mb Hanging
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
dda54657-0c32-4980-b0be-517d79e7c1a9
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.244.30.251
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

description	pid	process	target process
PID 968 set thread context of 2212	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3956 set thread context of 4944	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3316 set thread context of 860	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2584 set thread context of 4408	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3952 set thread context of 2084	3952	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1476 set thread context of 3356	1476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3512 set thread context of 5024	3512	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1876 set thread context of 3300	1876	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2216 set thread context of 4544	2216	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 5092 set thread context of 4564	5092	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2232 set thread context of 2116	2232	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3272 set thread context of 4964	3272	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2268 set thread context of 3316	2268	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4468 set thread context of 4220	4468	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3092 set thread context of 2100	3092	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3000 set thread context of 1628	3000	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3612 set thread context of 4936	3612	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 628 set thread context of 4996	628	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4816 set thread context of 3632	4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4292 set thread context of 3268	4292	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4476 set thread context of 4056	4476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1536 set thread context of 2952	1536	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3572 set thread context of 5064	3572	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 880 set thread context of 348	880	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2240 set thread context of 4964	2240	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2776 set thread context of 4368	2776	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1920 set thread context of 3664	1920	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1476 set thread context of 1388	1476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2948 set thread context of 4836	2948	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4816 set thread context of 1624	4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1572 set thread context of 4684	1572	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1412 set thread context of 2992	1412	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3768 set thread context of 1668	3768	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 4180 set thread context of 2860	4180	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2392 set thread context of 2272	2392	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4408 set thread context of 4816	4408	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	Conhost.exe
PID 3164 set thread context of 4456	3164	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4564 set thread context of 3216	4564	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 4940 set thread context of 452	4940	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4576 set thread context of 3780	4576	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3208 set thread context of 2652	3208	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4132 set thread context of 3776	4132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4480 set thread context of 4288	4480	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	cvtres.exe
PID 3164 set thread context of 2028	3164	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1388 set thread context of 2784	1388	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1668 set thread context of 628	1668	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 916 set thread context of 3208	916	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	cvtres.exe
PID 348 set thread context of 4888	348	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2120 set thread context of 2408	2120	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4860 set thread context of 4608	4860	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3216 set thread context of 940	3216	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4956 set thread context of 1752	4956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4528 set thread context of 1616	4528	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	backgroundTaskHost.exe
PID 4212 set thread context of 4340	4212	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4380 set thread context of 3392	4380	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	cvtres.exe
PID 2120 set thread context of 4836	2120	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1744 set thread context of 1536	1744	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 1948 set thread context of 4896	1948	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	cvtres.exe
PID 2232 set thread context of 1280	2232	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3268 set thread context of 2140	3268	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4080 set thread context of 2508	4080	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4596 set thread context of 3284	4596	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 4816 set thread context of 3776	4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	Conhost.exe
PID 4604 set thread context of 3648	4604	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\UDP Subsystem\udpss.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\UDP Subsystem\udpss.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

pid	process
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2212 RegAsm.exe

pid	process
2212	RegAsm.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3952	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3512	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1876	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2216	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2216	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
5092	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
5092	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2232	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3272	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3272	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2268	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4468	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3092	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3092	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3000	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3000	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3612	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
628	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
628	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4292	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4292	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1536	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3572	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3572	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
880	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
880	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2240	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2776	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1920	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2948	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1572	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1412	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3768	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4180	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
2392	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4408	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3164	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4564	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4940	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4576	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3208	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
4480	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
3164	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1388	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
1668	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
916	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

58174d87903175d3435b0797c5cbca72_JaffaCakes118.exeRegAsm.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2212	RegAsm.exe
Token: SeDebugPrivilege	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3512	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1876	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2216	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	5092	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2232	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3272	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2268	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3092	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3000	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3612	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	628	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4292	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1536	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3572	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	880	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2240	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2776	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1920	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1476	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2948	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1572	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1412	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3768	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4180	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2392	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4408	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3164	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4564	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4940	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4576	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3208	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4132	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4480	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3164	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1388	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1668	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	916	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	348	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2120	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4860	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3216	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4528	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4212	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4380	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2120	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1744	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	1948	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	2232	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	3268	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4080	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4596	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
Token: SeDebugPrivilege	4816	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58174d87903175d3435b0797c5cbca72_JaffaCakes118.execsc.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.execsc.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.execsc.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.execsc.exe58174d87903175d3435b0797c5cbca72_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 968 wrote to memory of 852	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 968 wrote to memory of 852	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 968 wrote to memory of 852	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 852 wrote to memory of 1792	852	csc.exe	cvtres.exe
PID 852 wrote to memory of 1792	852	csc.exe	cvtres.exe
PID 852 wrote to memory of 1792	852	csc.exe	cvtres.exe
PID 968 wrote to memory of 4576	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 4576	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 4576	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 2260	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 2260	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 2260	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 2212	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 2212	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 2212	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 2212	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 968 wrote to memory of 3956	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 968 wrote to memory of 3956	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 968 wrote to memory of 3956	968	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 3956 wrote to memory of 3360	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 3956 wrote to memory of 3360	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 3956 wrote to memory of 3360	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 3360 wrote to memory of 4580	3360	csc.exe	cvtres.exe
PID 3360 wrote to memory of 4580	3360	csc.exe	cvtres.exe
PID 3360 wrote to memory of 4580	3360	csc.exe	cvtres.exe
PID 3956 wrote to memory of 4944	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3956 wrote to memory of 4944	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3956 wrote to memory of 4944	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3956 wrote to memory of 4944	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3956 wrote to memory of 3316	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 3956 wrote to memory of 3316	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 3956 wrote to memory of 3316	3956	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 3316 wrote to memory of 4936	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 3316 wrote to memory of 4936	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 3316 wrote to memory of 4936	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 4936 wrote to memory of 216	4936	csc.exe	cvtres.exe
PID 4936 wrote to memory of 216	4936	csc.exe	cvtres.exe
PID 4936 wrote to memory of 216	4936	csc.exe	cvtres.exe
PID 3316 wrote to memory of 860	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3316 wrote to memory of 860	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3316 wrote to memory of 860	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3316 wrote to memory of 860	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 3316 wrote to memory of 2584	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 3316 wrote to memory of 2584	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 3316 wrote to memory of 2584	3316	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2584 wrote to memory of 688	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2584 wrote to memory of 688	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 2584 wrote to memory of 688	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 688 wrote to memory of 3164	688	csc.exe	cvtres.exe
PID 688 wrote to memory of 3164	688	csc.exe	cvtres.exe
PID 688 wrote to memory of 3164	688	csc.exe	cvtres.exe
PID 2584 wrote to memory of 4408	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2584 wrote to memory of 4408	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2584 wrote to memory of 4408	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2584 wrote to memory of 4408	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	RegAsm.exe
PID 2584 wrote to memory of 3952	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2584 wrote to memory of 3952	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 2584 wrote to memory of 3952	2584	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
PID 3952 wrote to memory of 4044	3952	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 3952 wrote to memory of 4044	3952	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 3952 wrote to memory of 4044	3952	58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe	csc.exe
PID 4044 wrote to memory of 4544	4044	csc.exe	RegAsm.exe
PID 4044 wrote to memory of 4544	4044	csc.exe	RegAsm.exe
PID 4044 wrote to memory of 4544	4044	csc.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rqhy0ptp\rqhy0ptp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A0B.tmp" "c:\Users\Admin\AppData\Local\Temp\rqhy0ptp\CSCF98CCD98972243AF9FB622D9C719E4FA.TMP"
3⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hln53l0j\hln53l0j.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DF3.tmp" "c:\Users\Admin\AppData\Local\Temp\hln53l0j\CSC6C51C2501E00461CA528EAA1B5C04354.TMP"
4⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xld1rxff\xld1rxff.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4277.tmp" "c:\Users\Admin\AppData\Local\Temp\xld1rxff\CSCB993B09E25494F8891E48CF44B92E46.TMP"
5⤵
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ws32qa0x\ws32qa0x.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44D9.tmp" "c:\Users\Admin\AppData\Local\Temp\ws32qa0x\CSC30474657ECE64B4D9DFB174DE96FEF3.TMP"
6⤵
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nt4rfssw\nt4rfssw.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47A8.tmp" "c:\Users\Admin\AppData\Local\Temp\nt4rfssw\CSCD4450F33C315410A988C6DC38993C53A.TMP"
7⤵
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\whvnyzja\whvnyzja.cmdline"
7⤵
PID:3204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49CA.tmp" "c:\Users\Admin\AppData\Local\Temp\whvnyzja\CSC2D7704EF9BE7489595AC4EC0467A9D25.TMP"
8⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ig0wdkp4\ig0wdkp4.cmdline"
8⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C3B.tmp" "c:\Users\Admin\AppData\Local\Temp\ig0wdkp4\CSC35B08EC31C1E4701AB73FF67CE43CBBD.TMP"
9⤵
PID:4496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rfiukjab\rfiukjab.cmdline"
9⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E6E.tmp" "c:\Users\Admin\AppData\Local\Temp\rfiukjab\CSCE776E22483D142AFAA988A69CDE85FD9.TMP"
10⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
9⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mi2j5pgt\mi2j5pgt.cmdline"
10⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50DF.tmp" "c:\Users\Admin\AppData\Local\Temp\mi2j5pgt\CSCDA2B4E043DEB4A8AA13AB99E9AC2CC9A.TMP"
11⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ydtzvd5f\ydtzvd5f.cmdline"
11⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES539E.tmp" "c:\Users\Admin\AppData\Local\Temp\ydtzvd5f\CSCA3B95EC1414342CF93D333E86E667E32.TMP"
12⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ikalb1mi\ikalb1mi.cmdline"
12⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES562E.tmp" "c:\Users\Admin\AppData\Local\Temp\ikalb1mi\CSCAE7B279BBBB04FEB9B9ACEAD2DE5E5D2.TMP"
13⤵
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bwy3rqyf\bwy3rqyf.cmdline"
13⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5832.tmp" "c:\Users\Admin\AppData\Local\Temp\bwy3rqyf\CSC6D474D4266A4BB8A2A3C0526E704D2F.TMP"
14⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\erwwhcmz\erwwhcmz.cmdline"
14⤵
PID:2988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A45.tmp" "c:\Users\Admin\AppData\Local\Temp\erwwhcmz\CSC240193046C784CF9A6556C4C25B49BD.TMP"
15⤵
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3fr3pwmk\3fr3pwmk.cmdline"
15⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C49.tmp" "c:\Users\Admin\AppData\Local\Temp\3fr3pwmk\CSC791A7B5995174029B4EB53AC722EA3BB.TMP"
16⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0o4bzhvd\0o4bzhvd.cmdline"
16⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EE9.tmp" "c:\Users\Admin\AppData\Local\Temp\0o4bzhvd\CSC62A58921BB2647ED85B131989CA33AFE.TMP"
17⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z5s5oozj\z5s5oozj.cmdline"
17⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES613A.tmp" "c:\Users\Admin\AppData\Local\Temp\z5s5oozj\CSC1A8939B9A12403E804E68DC615799F.TMP"
18⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
17⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\njcmpka1\njcmpka1.cmdline"
18⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES633E.tmp" "c:\Users\Admin\AppData\Local\Temp\njcmpka1\CSC6FAA8FFE83F647A0A0625383999EBB91.TMP"
19⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hzeagcel\hzeagcel.cmdline"
19⤵
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
20⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6561.tmp" "c:\Users\Admin\AppData\Local\Temp\hzeagcel\CSCEDBFEED0E68145E698BF6BBAF29BEF68.TMP"
20⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0fya40rp\0fya40rp.cmdline"
20⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6755.tmp" "c:\Users\Admin\AppData\Local\Temp\0fya40rp\CSC197DECB758ED4B4AB59BC830F0522D3C.TMP"
21⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1km5nk0b\1km5nk0b.cmdline"
21⤵
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6978.tmp" "c:\Users\Admin\AppData\Local\Temp\1km5nk0b\CSC77E5C91CBE0D4699BF82F07EA1EF61D5.TMP"
22⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dn0cnntr\dn0cnntr.cmdline"
22⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BBA.tmp" "c:\Users\Admin\AppData\Local\Temp\dn0cnntr\CSC122A6DBA96874AB78DB32FE17327DD.TMP"
23⤵
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:3660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qbziiv11\qbziiv11.cmdline"
23⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DDD.tmp" "c:\Users\Admin\AppData\Local\Temp\qbziiv11\CSC195CAF4D7F6842EBB83BCDDA8D867ECB.TMP"
24⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2olmd5dl\2olmd5dl.cmdline"
24⤵
PID:3216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF0.tmp" "c:\Users\Admin\AppData\Local\Temp\2olmd5dl\CSCBE8E767C3874550A78F71B646523CF.TMP"
25⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
24⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wycge2fm\wycge2fm.cmdline"
25⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71E4.tmp" "c:\Users\Admin\AppData\Local\Temp\wycge2fm\CSC513C9AB3F8A64A1B8A10C4EF119BD92.TMP"
26⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:348

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dgehmwdx\dgehmwdx.cmdline"
26⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73B9.tmp" "c:\Users\Admin\AppData\Local\Temp\dgehmwdx\CSC365676DE3A54704A55B34D52994D36D.TMP"
27⤵
PID:4844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iywcy5tg\iywcy5tg.cmdline"
27⤵
PID:5056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
28⤵
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75FB.tmp" "c:\Users\Admin\AppData\Local\Temp\iywcy5tg\CSCB9A9B20128E549998DC07DA8BE8629F.TMP"
28⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0mn44cg\z0mn44cg.cmdline"
28⤵
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78D9.tmp" "c:\Users\Admin\AppData\Local\Temp\z0mn44cg\CSCD56C290CB74C4CA88E841CC5DDE39E.TMP"
29⤵
PID:116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
28⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c2il2rxw\c2il2rxw.cmdline"
29⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B2B.tmp" "c:\Users\Admin\AppData\Local\Temp\c2il2rxw\CSCC03275FDCA9941FE8274F2D5ACB0ABD4.TMP"
30⤵
PID:4300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
29⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xyl0tob1\xyl0tob1.cmdline"
30⤵
PID:4420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E48.tmp" "c:\Users\Admin\AppData\Local\Temp\xyl0tob1\CSCDFAF176918A49B08BE79C3FF41427C5.TMP"
31⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pf0rpu1t\pf0rpu1t.cmdline"
31⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8107.tmp" "c:\Users\Admin\AppData\Local\Temp\pf0rpu1t\CSC97049DDF1CD94A0D985E861F27A649A7.TMP"
32⤵
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\og3xe0ol\og3xe0ol.cmdline"
32⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8378.tmp" "c:\Users\Admin\AppData\Local\Temp\og3xe0ol\CSC6AD73DDEF4A4420CB682CFFE296CEE.TMP"
33⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r2lubpqi\r2lubpqi.cmdline"
33⤵
PID:3516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8676.tmp" "c:\Users\Admin\AppData\Local\Temp\r2lubpqi\CSC1AF0ED6A6F844C348DEDA9992F13F1D1.TMP"
34⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
33⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\np0iyarr\np0iyarr.cmdline"
34⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8954.tmp" "c:\Users\Admin\AppData\Local\Temp\np0iyarr\CSC1408E5796DB4168A0BF80E978B94B60.TMP"
35⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
34⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\13esyvdr\13esyvdr.cmdline"
35⤵
PID:4292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
36⤵
PID:3216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C32.tmp" "c:\Users\Admin\AppData\Local\Temp\13esyvdr\CSC422063B62052427297BA8779DCCD4F74.TMP"
36⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vjacchjl\vjacchjl.cmdline"
36⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EA3.tmp" "c:\Users\Admin\AppData\Local\Temp\vjacchjl\CSC1B2616AF92E74849BD651179561E40E1.TMP"
37⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
36⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\augbdsrh\augbdsrh.cmdline"
37⤵
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9163.tmp" "c:\Users\Admin\AppData\Local\Temp\augbdsrh\CSC47F923EDBF784B3294D1B32164C73956.TMP"
38⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ow5kyevl\ow5kyevl.cmdline"
38⤵
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9460.tmp" "c:\Users\Admin\AppData\Local\Temp\ow5kyevl\CSCF2B5CCDFB70B4E84B756ACB1EC1DD43C.TMP"
39⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2f0iotzy\2f0iotzy.cmdline"
39⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES976D.tmp" "c:\Users\Admin\AppData\Local\Temp\2f0iotzy\CSC1A4CE1019DF4B97BB4AD7653A7BC545.TMP"
40⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
39⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zszy3qnh\zszy3qnh.cmdline"
40⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A2D.tmp" "c:\Users\Admin\AppData\Local\Temp\zszy3qnh\CSC1E6E54191F74C818C4CD0A5901FF7BB.TMP"
41⤵
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
40⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vxfmqp4x\vxfmqp4x.cmdline"
41⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D0B.tmp" "c:\Users\Admin\AppData\Local\Temp\vxfmqp4x\CSC6F56E4FBE9AA4204BCB8FB8B7EB987F.TMP"
42⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dts1oo4i\dts1oo4i.cmdline"
42⤵
PID:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F8C.tmp" "c:\Users\Admin\AppData\Local\Temp\dts1oo4i\CSC8E5B9DC332B498FBDF4C05957D4EDB.TMP"
43⤵
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
42⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zndi5une\zndi5une.cmdline"
43⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2C8.tmp" "c:\Users\Admin\AppData\Local\Temp\zndi5une\CSCDC807E57BA1C4C65A465AFF8C14543D.TMP"
44⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbpranda\bbpranda.cmdline"
44⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5D5.tmp" "c:\Users\Admin\AppData\Local\Temp\bbpranda\CSC7485AE13AFAB4EB89BE88A15BD4A1DC.TMP"
45⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
44⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqsw4awm\qqsw4awm.cmdline"
45⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8A4.tmp" "c:\Users\Admin\AppData\Local\Temp\qqsw4awm\CSC81D36D5B23E4461D97B369CC5CEFFF20.TMP"
46⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
45⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3kbhhuzf\3kbhhuzf.cmdline"
46⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB53.tmp" "c:\Users\Admin\AppData\Local\Temp\3kbhhuzf\CSC28FB3C8D836F4DA292A195144B23A933.TMP"
47⤵
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hldzamef\hldzamef.cmdline"
47⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADE3.tmp" "c:\Users\Admin\AppData\Local\Temp\hldzamef\CSCBEE320F7B211464684AF6FB61CF8F966.TMP"
48⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jneawdoo\jneawdoo.cmdline"
48⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB016.tmp" "c:\Users\Admin\AppData\Local\Temp\jneawdoo\CSC482E89DCDEA648C0A327913238669F3F.TMP"
49⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fp1cv1ki\fp1cv1ki.cmdline"
49⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2F4.tmp" "c:\Users\Admin\AppData\Local\Temp\fp1cv1ki\CSC22794822894543F8837B3312DDFCF7A.TMP"
50⤵
PID:3516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
49⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qsltfjnu\qsltfjnu.cmdline"
50⤵
PID:3316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5B3.tmp" "c:\Users\Admin\AppData\Local\Temp\qsltfjnu\CSCF709B3AB523B4DC8BDD56AEBFB7260C4.TMP"
51⤵
PID:3204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
50⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r4kagckn\r4kagckn.cmdline"
51⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB892.tmp" "c:\Users\Admin\AppData\Local\Temp\r4kagckn\CSC9416413F22F740ACA982CEC7B5CA1A6C.TMP"
52⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aa4c5b40\aa4c5b40.cmdline"
52⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB12.tmp" "c:\Users\Admin\AppData\Local\Temp\aa4c5b40\CSC71FE7D7F54274194864BB96ABFC697D6.TMP"
53⤵
PID:4920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oaa45jel\oaa45jel.cmdline"
53⤵
PID:2216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
54⤵
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDD2.tmp" "c:\Users\Admin\AppData\Local\Temp\oaa45jel\CSC5B94240E6C61416D839814CDF0AE8A79.TMP"
54⤵
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hospmcnm\hospmcnm.cmdline"
54⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC071.tmp" "c:\Users\Admin\AppData\Local\Temp\hospmcnm\CSC72181781A2E64D3B99F51ED63180A6A3.TMP"
55⤵
PID:3200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\idkbug0c\idkbug0c.cmdline"
55⤵
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC321.tmp" "c:\Users\Admin\AppData\Local\Temp\idkbug0c\CSC8D5E8A144A3F43779291CC11D617DE4.TMP"
56⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
55⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n1irwbi4\n1irwbi4.cmdline"
56⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC592.tmp" "c:\Users\Admin\AppData\Local\Temp\n1irwbi4\CSC7EFC208D4E7349E19594BE774E8689CA.TMP"
57⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\npmhhz1i\npmhhz1i.cmdline"
57⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC870.tmp" "c:\Users\Admin\AppData\Local\Temp\npmhhz1i\CSC5A1B4C2EC91B4C95B00959BBB378862.TMP"
58⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwdfayyq\jwdfayyq.cmdline"
58⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB01.tmp" "c:\Users\Admin\AppData\Local\Temp\jwdfayyq\CSC663B6606F884445595B2EFCB81EDA3B.TMP"
59⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hhrgc2c1\hhrgc2c1.cmdline"
59⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDB0.tmp" "c:\Users\Admin\AppData\Local\Temp\hhrgc2c1\CSC40965F90C9A64161AEB85FE988FA75CA.TMP"
60⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ws4jwoqm\ws4jwoqm.cmdline"
60⤵
PID:3660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD07F.tmp" "c:\Users\Admin\AppData\Local\Temp\ws4jwoqm\CSCAED8600E994D4E6BB754D4F2DECB343D.TMP"
61⤵
PID:768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfcbks1l\mfcbks1l.cmdline"
61⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2E0.tmp" "c:\Users\Admin\AppData\Local\Temp\mfcbks1l\CSC2B01866C18004AF0863D39ECF7F4D7C.TMP"
62⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:4548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ou4zrlun\ou4zrlun.cmdline"
62⤵
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5CE.tmp" "c:\Users\Admin\AppData\Local\Temp\ou4zrlun\CSC80DCDF5397FB410A9D97C75AF8EBB37F.TMP"
63⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0oszax5u\0oszax5u.cmdline"
63⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8BC.tmp" "c:\Users\Admin\AppData\Local\Temp\0oszax5u\CSCE08B8CF1B72341BF8A3145A48F8C28EB.TMP"
64⤵
PID:3296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
63⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mwtmxsjh\mwtmxsjh.cmdline"
64⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB6C.tmp" "c:\Users\Admin\AppData\Local\Temp\mwtmxsjh\CSC6DC897434144A97984D5E3896951CC3.TMP"
65⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
64⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5mhlv0kq\5mhlv0kq.cmdline"
65⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDEC.tmp" "c:\Users\Admin\AppData\Local\Temp\5mhlv0kq\CSC2799131678074B2F9B4BC45B199FA5FF.TMP"
66⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
65⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ktegaxzu\ktegaxzu.cmdline"
66⤵
PID:2912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0CB.tmp" "c:\Users\Admin\AppData\Local\Temp\ktegaxzu\CSC9C7E6DAADF164246B425BAA0BCBDC570.TMP"
67⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:3192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
66⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t0taro53\t0taro53.cmdline"
67⤵
PID:4760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
68⤵
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE30D.tmp" "c:\Users\Admin\AppData\Local\Temp\t0taro53\CSCD50B6BEBC29B42AEAB12B9BF2820924A.TMP"
68⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
67⤵
- Checks computer location settings
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lvcokesu\lvcokesu.cmdline"
68⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE520.tmp" "c:\Users\Admin\AppData\Local\Temp\lvcokesu\CSC9154EB6D343A44D99F2409ED59E886E.TMP"
69⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
68⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agcxfk2y\agcxfk2y.cmdline"
69⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE753.tmp" "c:\Users\Admin\AppData\Local\Temp\agcxfk2y\CSCD0C35767D3E4B8390A0A567B1C5456.TMP"
70⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
69⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlaeu2cs\rlaeu2cs.cmdline"
70⤵
PID:2776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:4860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE975.tmp" "c:\Users\Admin\AppData\Local\Temp\rlaeu2cs\CSCB5D43055C2A846AF997B72BE1D851581.TMP"
71⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
70⤵
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3zdziwbc\3zdziwbc.cmdline"
71⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBE6.tmp" "c:\Users\Admin\AppData\Local\Temp\3zdziwbc\CSC928CAC627E374E3AA34DF2FEE23BF.TMP"
72⤵
PID:4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
71⤵
- Checks computer location settings
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iscvi2am\iscvi2am.cmdline"
72⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEA6.tmp" "c:\Users\Admin\AppData\Local\Temp\iscvi2am\CSC9EC2FD15A36244A288343453186F767F.TMP"
73⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
72⤵
- Checks computer location settings
PID:452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p3aximcj\p3aximcj.cmdline"
73⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF155.tmp" "c:\Users\Admin\AppData\Local\Temp\p3aximcj\CSC3E5742A2D21C455F9C6296853C14ACF3.TMP"
74⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
73⤵
- Checks computer location settings
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\32a135td\32a135td.cmdline"
74⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF433.tmp" "c:\Users\Admin\AppData\Local\Temp\32a135td\CSC616F07127BD045FFA2DEF1E2366B54C7.TMP"
75⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
74⤵
- Checks computer location settings
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pk5tf4bt\pk5tf4bt.cmdline"
75⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF731.tmp" "c:\Users\Admin\AppData\Local\Temp\pk5tf4bt\CSC2066CF15DD34D8494DABEB24DEBDA6.TMP"
76⤵
PID:4380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
75⤵
- Checks computer location settings
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pekdxvbs\pekdxvbs.cmdline"
76⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA3E.tmp" "c:\Users\Admin\AppData\Local\Temp\pekdxvbs\CSCAB7F7EEB637B4159A9F5C37CDD375CC.TMP"
77⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
76⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\apdlqhjq\apdlqhjq.cmdline"
77⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD0D.tmp" "c:\Users\Admin\AppData\Local\Temp\apdlqhjq\CSCED380347D109423B9524CD9F76671CE8.TMP"
78⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
77⤵
PID:4368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\frajk21j\frajk21j.cmdline"
78⤵
PID:4812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF4F.tmp" "c:\Users\Admin\AppData\Local\Temp\frajk21j\CSCF19BE18AF62047A18A64D3A99E157094.TMP"
79⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
78⤵
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ila5lj20\ila5lj20.cmdline"
79⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EF.tmp" "c:\Users\Admin\AppData\Local\Temp\ila5lj20\CSC1C64D190670043F18820EF9A13DCA54.TMP"
80⤵
PID:3280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
79⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h3vmoxvu\h3vmoxvu.cmdline"
80⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES470.tmp" "c:\Users\Admin\AppData\Local\Temp\h3vmoxvu\CSCC8D0C48C990049D58CDA9E7DCACEF814.TMP"
81⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
80⤵
PID:4300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mqzn0t4y\mqzn0t4y.cmdline"
81⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74E.tmp" "c:\Users\Admin\AppData\Local\Temp\mqzn0t4y\CSCDAD4BE4C8E364F27AD33BADD3ECD6C16.TMP"
82⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
81⤵
- Checks computer location settings
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2pqw1zbr\2pqw1zbr.cmdline"
82⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB9.tmp" "c:\Users\Admin\AppData\Local\Temp\2pqw1zbr\CSCCE4D33FCD8994018893C99FB4F923724.TMP"
83⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
82⤵
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bxubfmeo\bxubfmeo.cmdline"
83⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2A.tmp" "c:\Users\Admin\AppData\Local\Temp\bxubfmeo\CSCB3CE6978887245DE9DF82D2C3C565B4E.TMP"
84⤵
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
83⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsxek0ry\bsxek0ry.cmdline"
84⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10B4.tmp" "c:\Users\Admin\AppData\Local\Temp\bsxek0ry\CSC7230236855424E1887AA5129FFFCB80.TMP"
85⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
84⤵
- Checks computer location settings
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\io5yghxy\io5yghxy.cmdline"
85⤵
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1410.tmp" "c:\Users\Admin\AppData\Local\Temp\io5yghxy\CSC1039FFD3106146868425598A5B7F237D.TMP"
86⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
85⤵
- Checks computer location settings
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ismm14tk\ismm14tk.cmdline"
86⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES172D.tmp" "c:\Users\Admin\AppData\Local\Temp\ismm14tk\CSCD874632232A9426B889730BE9C95BF.TMP"
87⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
86⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5od0tzmp\5od0tzmp.cmdline"
87⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A2A.tmp" "c:\Users\Admin\AppData\Local\Temp\5od0tzmp\CSC199BD02498AF477D9640141341737F49.TMP"
88⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
87⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcxlke1s\xcxlke1s.cmdline"
88⤵
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CE9.tmp" "c:\Users\Admin\AppData\Local\Temp\xcxlke1s\CSC42F41589C3984992A632A0D765BF8867.TMP"
89⤵
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
88⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nh3liqf2\nh3liqf2.cmdline"
89⤵
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FB8.tmp" "c:\Users\Admin\AppData\Local\Temp\nh3liqf2\CSC490AD52030114033AED7326DA98BDB3.TMP"
90⤵
PID:4436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
89⤵
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\24khquyd\24khquyd.cmdline"
90⤵
PID:440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22C5.tmp" "c:\Users\Admin\AppData\Local\Temp\24khquyd\CSCC3671A7B8F25400D97B0A424CBB368B3.TMP"
91⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
90⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dwy2rloz\dwy2rloz.cmdline"
91⤵
PID:720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2565.tmp" "c:\Users\Admin\AppData\Local\Temp\dwy2rloz\CSC40BA15E73C05437AA090B2B43CDB1C7D.TMP"
92⤵
PID:3268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
91⤵
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvoqegk2\dvoqegk2.cmdline"
92⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2798.tmp" "c:\Users\Admin\AppData\Local\Temp\dvoqegk2\CSC8141C05931C24C9F972495F6BAD046B7.TMP"
93⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
92⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cshcq31j\cshcq31j.cmdline"
93⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A38.tmp" "c:\Users\Admin\AppData\Local\Temp\cshcq31j\CSCF392AB1D89614093A9AF1695861DC81B.TMP"
94⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
93⤵
- Checks computer location settings
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dyejw5j4\dyejw5j4.cmdline"
94⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CE7.tmp" "c:\Users\Admin\AppData\Local\Temp\dyejw5j4\CSCC5F2C0088A89480DBC44F7D2A1612483.TMP"
95⤵
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
94⤵
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fzyaupgu\fzyaupgu.cmdline"
95⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3004.tmp" "c:\Users\Admin\AppData\Local\Temp\fzyaupgu\CSC8FF5602F4F9F470CB554FFA150A2A8D.TMP"
96⤵
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
95⤵
PID:4380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b0lrxeqa\b0lrxeqa.cmdline"
96⤵
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32B3.tmp" "c:\Users\Admin\AppData\Local\Temp\b0lrxeqa\CSC65BF89D4F384B14B5E371B314CEF7B5.TMP"
97⤵
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
96⤵
- Checks computer location settings
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hanxpswn\hanxpswn.cmdline"
97⤵
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3534.tmp" "c:\Users\Admin\AppData\Local\Temp\hanxpswn\CSCF4A418FFAD3B490F9F4B6D5C82501E45.TMP"
98⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
97⤵
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gb1nba2e\gb1nba2e.cmdline"
98⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37A5.tmp" "c:\Users\Admin\AppData\Local\Temp\gb1nba2e\CSCC0A76014D230417AAD3A327489D6551A.TMP"
99⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
98⤵
- Checks computer location settings
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hyjchyxh\hyjchyxh.cmdline"
99⤵
PID:4756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
100⤵
PID:3280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A55.tmp" "c:\Users\Admin\AppData\Local\Temp\hyjchyxh\CSCD069EDEE5A4A4C8E89A5116D5C5C3067.TMP"
100⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
99⤵
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3uis3m2v\3uis3m2v.cmdline"
100⤵
PID:3516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CC6.tmp" "c:\Users\Admin\AppData\Local\Temp\3uis3m2v\CSCB193C99DC53B490FA4FCB32A13BB845A.TMP"
101⤵
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:3284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:4584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
100⤵
- Checks computer location settings
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kyzib2ca\kyzib2ca.cmdline"
101⤵
PID:3732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FB4.tmp" "c:\Users\Admin\AppData\Local\Temp\kyzib2ca\CSC1DFA46E7D18D4C119A912113F526D88.TMP"
102⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
101⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x1tf21ul\x1tf21ul.cmdline"
102⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4263.tmp" "c:\Users\Admin\AppData\Local\Temp\x1tf21ul\CSCE8E6D1D432AF45DFB678D16DD8A42D43.TMP"
103⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
102⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dncamgtq\dncamgtq.cmdline"
103⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44F3.tmp" "c:\Users\Admin\AppData\Local\Temp\dncamgtq\CSC100C34983734393865697C5EFA8362.TMP"
104⤵
PID:4616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
103⤵
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ek2ykmaq\ek2ykmaq.cmdline"
104⤵
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4774.tmp" "c:\Users\Admin\AppData\Local\Temp\ek2ykmaq\CSC876BF0446F7547A898169342CC2C83D3.TMP"
105⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:4836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
104⤵
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t2a1ld5p\t2a1ld5p.cmdline"
105⤵
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A62.tmp" "c:\Users\Admin\AppData\Local\Temp\t2a1ld5p\CSCCA0CC1023C044356A8F34F1C3E45646C.TMP"
106⤵
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
105⤵
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j4rmoglz\j4rmoglz.cmdline"
106⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DAE.tmp" "c:\Users\Admin\AppData\Local\Temp\j4rmoglz\CSC51F694B089EC44D3A51AC1C356455B0.TMP"
107⤵
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
106⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kauprksf\kauprksf.cmdline"
107⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FD1.tmp" "c:\Users\Admin\AppData\Local\Temp\kauprksf\CSC8BB6CDAAE94B461CB4B13E9F7A24161F.TMP"
108⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
107⤵
- Checks computer location settings
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hfx2cbc1\hfx2cbc1.cmdline"
108⤵
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52AF.tmp" "c:\Users\Admin\AppData\Local\Temp\hfx2cbc1\CSCCE885D0A5908486581ECFDE9886E32D.TMP"
109⤵
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:3356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
108⤵
PID:3380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lwvsa0hx\lwvsa0hx.cmdline"
109⤵
PID:800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
110⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES554F.tmp" "c:\Users\Admin\AppData\Local\Temp\lwvsa0hx\CSC8A5FB17DAFD04F178FFEE7CE978053E4.TMP"
110⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
109⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b4l1xwfz\b4l1xwfz.cmdline"
110⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57FE.tmp" "c:\Users\Admin\AppData\Local\Temp\b4l1xwfz\CSC71A260CF1E7E4336B8EF6FA93A66A521.TMP"
111⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
110⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eazxjw1j\eazxjw1j.cmdline"
111⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A40.tmp" "c:\Users\Admin\AppData\Local\Temp\eazxjw1j\CSCAF4D686A61E24B9AA7C0AA8E5235552.TMP"
112⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
111⤵
- Checks computer location settings
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l4bp2euk\l4bp2euk.cmdline"
112⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D00.tmp" "c:\Users\Admin\AppData\Local\Temp\l4bp2euk\CSCD19E9F53E88A4C649396E950A4808248.TMP"
113⤵
PID:3516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
112⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qs40uqse\qs40uqse.cmdline"
113⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F51.tmp" "c:\Users\Admin\AppData\Local\Temp\qs40uqse\CSCA55565E035F84F3B919177688465FC39.TMP"
114⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
113⤵
- Checks computer location settings
PID:4112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ym4g40ax\ym4g40ax.cmdline"
114⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61B3.tmp" "c:\Users\Admin\AppData\Local\Temp\ym4g40ax\CSC88A8ACDD90DA4E49978982F19E197392.TMP"
115⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
114⤵
- Checks computer location settings
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcfvrcyu\wcfvrcyu.cmdline"
115⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6453.tmp" "c:\Users\Admin\AppData\Local\Temp\wcfvrcyu\CSC7A53103D50234A80A99396F925CDD220.TMP"
116⤵
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
115⤵
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhxqk5jo\lhxqk5jo.cmdline"
116⤵
PID:3180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6712.tmp" "c:\Users\Admin\AppData\Local\Temp\lhxqk5jo\CSCB6269A1724F495EB8C7E845D639DAA4.TMP"
117⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
116⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0xugknw3\0xugknw3.cmdline"
117⤵
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69A2.tmp" "c:\Users\Admin\AppData\Local\Temp\0xugknw3\CSC310C46433C24C92A5CEC97DC940A153.TMP"
118⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
117⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kku0j04l\kku0j04l.cmdline"
118⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C42.tmp" "c:\Users\Admin\AppData\Local\Temp\kku0j04l\CSC83E89DB17D514448916FC64375F955F0.TMP"
119⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
118⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xs50lra4\xs50lra4.cmdline"
119⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EA3.tmp" "c:\Users\Admin\AppData\Local\Temp\xs50lra4\CSCEE9925E1300740CC9793DF737DA741A6.TMP"
120⤵
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
119⤵
- Checks computer location settings
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\we5pmayx\we5pmayx.cmdline"
120⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7097.tmp" "c:\Users\Admin\AppData\Local\Temp\we5pmayx\CSCD7502EEDC134C9AB786ED1C3B6E5665.TMP"
121⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
120⤵
- Checks computer location settings
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wlxu0zlq\wlxu0zlq.cmdline"
121⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72D9.tmp" "c:\Users\Admin\AppData\Local\Temp\wlxu0zlq\CSC89B7B0E08DE34313B74335DD8C928C15.TMP"
122⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
121⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agvugzij\agvugzij.cmdline"
122⤵
PID:3280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES750C.tmp" "c:\Users\Admin\AppData\Local\Temp\agvugzij\CSCCAB39B99C79644B78BAE7F0A59679FB.TMP"
123⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
122⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u54owshj\u54owshj.cmdline"
123⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES775E.tmp" "c:\Users\Admin\AppData\Local\Temp\u54owshj\CSCC0F659CFC73842D79B9DD534B9577990.TMP"
124⤵
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
123⤵
- Checks computer location settings
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3avd2viw\3avd2viw.cmdline"
124⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79CF.tmp" "c:\Users\Admin\AppData\Local\Temp\3avd2viw\CSC8483523F32704FFF9CB31733B41C4E5D.TMP"
125⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
124⤵
- Checks computer location settings
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3v4n1fk\a3v4n1fk.cmdline"
125⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CAD.tmp" "c:\Users\Admin\AppData\Local\Temp\a3v4n1fk\CSC8A3F54A38AD44F65A340BDE5FDAD14B.TMP"
126⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
125⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvzf2ywr\yvzf2ywr.cmdline"
126⤵
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F3D.tmp" "c:\Users\Admin\AppData\Local\Temp\yvzf2ywr\CSC7D40D4C96ADE42409B8064AC20C7E8D.TMP"
127⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:4616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
126⤵
- Checks computer location settings
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\txioz0ob\txioz0ob.cmdline"
127⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES824A.tmp" "c:\Users\Admin\AppData\Local\Temp\txioz0ob\CSCFC1DC15422D14EC1884718CE70EB9526.TMP"
128⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:4368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
127⤵
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezhayu3z\ezhayu3z.cmdline"
128⤵
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84EA.tmp" "c:\Users\Admin\AppData\Local\Temp\ezhayu3z\CSCCE38F7DA742B4A27904FB3CC7FF19B61.TMP"
129⤵
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
128⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u0rcmzll\u0rcmzll.cmdline"
129⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
130⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8836.tmp" "c:\Users\Admin\AppData\Local\Temp\u0rcmzll\CSCEE3217BAA624FBC8916CB515D8F85E9.TMP"
130⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
129⤵
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1nvxwdjd\1nvxwdjd.cmdline"
130⤵
PID:4436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B34.tmp" "c:\Users\Admin\AppData\Local\Temp\1nvxwdjd\CSCDFB1FBB31B3041F8BC102BB8B06A24D3.TMP"
131⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
130⤵
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qm22gxqf\qm22gxqf.cmdline"
131⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E22.tmp" "c:\Users\Admin\AppData\Local\Temp\qm22gxqf\CSC27D85250EEE4411E8BBBF6181E8822E.TMP"
132⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
131⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a40lds2f\a40lds2f.cmdline"
132⤵
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES913F.tmp" "c:\Users\Admin\AppData\Local\Temp\a40lds2f\CSCAD4696D3390C483487C29AA2C4641999.TMP"
133⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
132⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2qx4srbq\2qx4srbq.cmdline"
133⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES942D.tmp" "c:\Users\Admin\AppData\Local\Temp\2qx4srbq\CSCF0E75EE8B5B9498C84A2FA8041D97086.TMP"
134⤵
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
133⤵
- Checks computer location settings
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yb2gklwy\yb2gklwy.cmdline"
134⤵
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96DC.tmp" "c:\Users\Admin\AppData\Local\Temp\yb2gklwy\CSC91130ABFEB6A46BFB148C06726B1C21D.TMP"
135⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
134⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\31mq5omz\31mq5omz.cmdline"
135⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES993D.tmp" "c:\Users\Admin\AppData\Local\Temp\31mq5omz\CSCF3CFDAF71A1F48B286B02D66EDFA5925.TMP"
136⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
135⤵
- Checks computer location settings
PID:4660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1wfl3pkq\1wfl3pkq.cmdline"
136⤵
PID:348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BED.tmp" "c:\Users\Admin\AppData\Local\Temp\1wfl3pkq\CSC758A63B1F32B4C37B9611B2F7C79E168.TMP"
137⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
136⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jhp5vafj\jhp5vafj.cmdline"
137⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EDB.tmp" "c:\Users\Admin\AppData\Local\Temp\jhp5vafj\CSCA4AB1DE855C0439CBB1A7129596F3521.TMP"
138⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
137⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\syo5jgxa\syo5jgxa.cmdline"
138⤵
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA19A.tmp" "c:\Users\Admin\AppData\Local\Temp\syo5jgxa\CSC68E01184B7604760B6EAFC83F91F324E.TMP"
139⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
138⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rpnb00mu\rpnb00mu.cmdline"
139⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA459.tmp" "c:\Users\Admin\AppData\Local\Temp\rpnb00mu\CSC601E27BFCEE34A7D9BC37E5DEDDED5C0.TMP"
140⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
139⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxhq4b5c\rxhq4b5c.cmdline"
140⤵
PID:2616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA786.tmp" "c:\Users\Admin\AppData\Local\Temp\rxhq4b5c\CSC17B33FB01A8C4DD1BD13ABDF884EA1.TMP"
141⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
140⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ov4womf5\ov4womf5.cmdline"
141⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9F7.tmp" "c:\Users\Admin\AppData\Local\Temp\ov4womf5\CSCFC8CE96426BA460DB4E8F4EA678E4C7D.TMP"
142⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
141⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i42pr4jo\i42pr4jo.cmdline"
142⤵
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC87.tmp" "c:\Users\Admin\AppData\Local\Temp\i42pr4jo\CSC71E212D034A74349AAB2D7D91224CC89.TMP"
143⤵
PID:4364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
142⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0upuklba\0upuklba.cmdline"
143⤵
PID:3324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEF8.tmp" "c:\Users\Admin\AppData\Local\Temp\0upuklba\CSC38543728BF9F456C8454EDF93C97950.TMP"
144⤵
PID:4416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
143⤵
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffp2tzev\ffp2tzev.cmdline"
144⤵
PID:3492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB215.tmp" "c:\Users\Admin\AppData\Local\Temp\ffp2tzev\CSCC671C6413AE24E7DB99E7FC531374874.TMP"
145⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
144⤵
- Checks computer location settings
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mo1ezvkp\mo1ezvkp.cmdline"
145⤵
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4E4.tmp" "c:\Users\Admin\AppData\Local\Temp\mo1ezvkp\CSC5FBC95A5D28345D5AA1B43F21BF77968.TMP"
146⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
145⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\huhd0kts\huhd0kts.cmdline"
146⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7A3.tmp" "c:\Users\Admin\AppData\Local\Temp\huhd0kts\CSC4712FED9575740879D9DD94A10E37F2B.TMP"
147⤵
PID:4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
146⤵
PID:4556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r24luz04\r24luz04.cmdline"
147⤵
PID:1768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
148⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA71.tmp" "c:\Users\Admin\AppData\Local\Temp\r24luz04\CSCF12755F5EDDD476683A74BCCD6D48146.TMP"
148⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
147⤵
- Checks computer location settings
PID:664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\loteytgc\loteytgc.cmdline"
148⤵
PID:4732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD9E.tmp" "c:\Users\Admin\AppData\Local\Temp\loteytgc\CSC828FB829639B42A5ADE6804732A82AD.TMP"
149⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
148⤵
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kg3nfmmc\kg3nfmmc.cmdline"
149⤵
PID:3588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
150⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC05D.tmp" "c:\Users\Admin\AppData\Local\Temp\kg3nfmmc\CSC85D3D3228CEE487EA86C50AD7FE5ED.TMP"
150⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
149⤵
- Checks computer location settings
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jatkb0rx\jatkb0rx.cmdline"
150⤵
PID:5024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC36A.tmp" "c:\Users\Admin\AppData\Local\Temp\jatkb0rx\CSCD99D5924C285476AA3CE6393067C811.TMP"
151⤵
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
150⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hz4z3qof\hz4z3qof.cmdline"
151⤵
PID:3696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC60A.tmp" "c:\Users\Admin\AppData\Local\Temp\hz4z3qof\CSC1227010C5E1D4CCEB4278660B8737A4D.TMP"
152⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
151⤵
- Checks computer location settings
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\udw1ldqd\udw1ldqd.cmdline"
152⤵
PID:3280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8F8.tmp" "c:\Users\Admin\AppData\Local\Temp\udw1ldqd\CSC96F66DCB911A4087AF51FD6BB2F0CED7.TMP"
153⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
152⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4u5tdmyd\4u5tdmyd.cmdline"
153⤵
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB79.tmp" "c:\Users\Admin\AppData\Local\Temp\4u5tdmyd\CSCBF971B2DFE1443B7B992C4A427A0AD38.TMP"
154⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
153⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxzumsvt\zxzumsvt.cmdline"
154⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE38.tmp" "c:\Users\Admin\AppData\Local\Temp\zxzumsvt\CSCC6DBF74227B543A0A92A3487AC61CAAE.TMP"
155⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
154⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\303djiqz\303djiqz.cmdline"
155⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD099.tmp" "c:\Users\Admin\AppData\Local\Temp\303djiqz\CSC149BB119BA184B0D886F93C2764F8E46.TMP"
156⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
155⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uw0ayfwc\uw0ayfwc.cmdline"
156⤵
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD378.tmp" "c:\Users\Admin\AppData\Local\Temp\uw0ayfwc\CSCAFE2880488074B25978370EB3C85492A.TMP"
157⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
156⤵
- Checks computer location settings
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0wvq5h1p\0wvq5h1p.cmdline"
157⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD627.tmp" "c:\Users\Admin\AppData\Local\Temp\0wvq5h1p\CSC21576221EF5948D3934036BC356F8F1.TMP"
158⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
157⤵
PID:3696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\um1n5ica\um1n5ica.cmdline"
158⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD934.tmp" "c:\Users\Admin\AppData\Local\Temp\um1n5ica\CSC87DB183BCA33453D839A91F5E1FF7C.TMP"
159⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
158⤵
PID:4996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\juylmzg4\juylmzg4.cmdline"
159⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC03.tmp" "c:\Users\Admin\AppData\Local\Temp\juylmzg4\CSC89746A1E7BFE43678A4C574F1467F7BC.TMP"
160⤵
PID:3988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
159⤵
- Checks computer location settings
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hrvrocwn\hrvrocwn.cmdline"
160⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEA3.tmp" "c:\Users\Admin\AppData\Local\Temp\hrvrocwn\CSC768B6CCF68554B67BEB6136FFBB9E7AC.TMP"
161⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:4112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
160⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qk3p3rw5\qk3p3rw5.cmdline"
161⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE133.tmp" "c:\Users\Admin\AppData\Local\Temp\qk3p3rw5\CSC9FAE3F3CC03C4A59872A54ADD2A82867.TMP"
162⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
161⤵
- Checks computer location settings
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\npeb0stn\npeb0stn.cmdline"
162⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3D3.tmp" "c:\Users\Admin\AppData\Local\Temp\npeb0stn\CSCE89B3EDB09542E8B13B858E711DF74.TMP"
163⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
162⤵
- Checks computer location settings
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04qpi53t\04qpi53t.cmdline"
163⤵
PID:2120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
164⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6D1.tmp" "c:\Users\Admin\AppData\Local\Temp\04qpi53t\CSCB1566EC0E128413F8B5E4A045B4140.TMP"
164⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
163⤵
- Checks computer location settings
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4r0k0zu\d4r0k0zu.cmdline"
164⤵
PID:3316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE961.tmp" "c:\Users\Admin\AppData\Local\Temp\d4r0k0zu\CSC48EF60C4F5334B1FA5C9EB6416343AA1.TMP"
165⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
164⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b01o4iux\b01o4iux.cmdline"
165⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
166⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC5F.tmp" "c:\Users\Admin\AppData\Local\Temp\b01o4iux\CSCFC14DE039FE844668323D04CE74FF24D.TMP"
166⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
165⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4dqq3wnh\4dqq3wnh.cmdline"
166⤵
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF008.tmp" "c:\Users\Admin\AppData\Local\Temp\4dqq3wnh\CSC2C274BF48BB74BF4BAC3734787BA367F.TMP"
167⤵
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
166⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yjvouahz\yjvouahz.cmdline"
167⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF20C.tmp" "c:\Users\Admin\AppData\Local\Temp\yjvouahz\CSC9D80BF30AFF44E2493441E8F98F75444.TMP"
168⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
167⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cg3wmrcz\cg3wmrcz.cmdline"
168⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF42F.tmp" "c:\Users\Admin\AppData\Local\Temp\cg3wmrcz\CSC1CACB087837416DBF4AB2640AB1E4E.TMP"
169⤵
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
168⤵
- Checks computer location settings
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vnfivf4\4vnfivf4.cmdline"
169⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF613.tmp" "c:\Users\Admin\AppData\Local\Temp\4vnfivf4\CSC98E6909E3E5C42FF958290E6F2A32CE2.TMP"
170⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
169⤵
PID:3316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c3lomad2\c3lomad2.cmdline"
170⤵
PID:4060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7F7.tmp" "c:\Users\Admin\AppData\Local\Temp\c3lomad2\CSC922973F19512481B983AD2A2E4179E5E.TMP"
171⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
170⤵
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlfni25r\rlfni25r.cmdline"
171⤵
PID:728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9EB.tmp" "c:\Users\Admin\AppData\Local\Temp\rlfni25r\CSC612C5BEAAFB74CDE9FE03775E7C971CD.TMP"
172⤵
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
171⤵
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qhsq1cpd\qhsq1cpd.cmdline"
172⤵
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBFF.tmp" "c:\Users\Admin\AppData\Local\Temp\qhsq1cpd\CSC41D0E214373F4AE287B2F113D289B20.TMP"
173⤵
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
172⤵
- Checks computer location settings
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rs3mjj2v\rs3mjj2v.cmdline"
173⤵
PID:748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
174⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE60.tmp" "c:\Users\Admin\AppData\Local\Temp\rs3mjj2v\CSCADF84637F3604FD3ACA63D7F83E7AB.TMP"
174⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
173⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xglmbar0\xglmbar0.cmdline"
174⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44.tmp" "c:\Users\Admin\AppData\Local\Temp\xglmbar0\CSC10B6AA0FB50C447A8877BC3BCE547F58.TMP"
175⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
174⤵
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qhmwispn\qhmwispn.cmdline"
175⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES238.tmp" "c:\Users\Admin\AppData\Local\Temp\qhmwispn\CSCF762F58B23754C5FA6EADB661EE70E.TMP"
176⤵
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
175⤵
- Checks computer location settings
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\he5etiid\he5etiid.cmdline"
176⤵
PID:3308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41D.tmp" "c:\Users\Admin\AppData\Local\Temp\he5etiid\CSC5B0F3E0671214109A0453864211BE99.TMP"
177⤵
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
176⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\epy0wkxz\epy0wkxz.cmdline"
177⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68E.tmp" "c:\Users\Admin\AppData\Local\Temp\epy0wkxz\CSCF44F10A9B8C74AA48044F7D5E7A0F5BB.TMP"
178⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:3768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
177⤵
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ydvech5t\ydvech5t.cmdline"
178⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES872.tmp" "c:\Users\Admin\AppData\Local\Temp\ydvech5t\CSCEA0307AD6B5F439593A6F1F436B74B7C.TMP"
179⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
178⤵
- Checks computer location settings
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\worygwsk\worygwsk.cmdline"
179⤵
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA37.tmp" "c:\Users\Admin\AppData\Local\Temp\worygwsk\CSCDE782D56D3484E75BD2A59FF82C24175.TMP"
180⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
179⤵
- Checks computer location settings
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qdwteta3\qdwteta3.cmdline"
180⤵
PID:1536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3B.tmp" "c:\Users\Admin\AppData\Local\Temp\qdwteta3\CSC28307E55E0D4E17A5504E354D44F15.TMP"
181⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
180⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wfv035wd\wfv035wd.cmdline"
181⤵
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
182⤵
PID:3308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3F.tmp" "c:\Users\Admin\AppData\Local\Temp\wfv035wd\CSC54A164B1FCE6464497EFEEF3F1C0DA71.TMP"
182⤵
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
181⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\epbjwvfh\epbjwvfh.cmdline"
182⤵
PID:4240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1023.tmp" "c:\Users\Admin\AppData\Local\Temp\epbjwvfh\CSCE95E15C45C3F410BA71D1628035A0FA.TMP"
183⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
182⤵
- Checks computer location settings
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0qmbwuep\0qmbwuep.cmdline"
183⤵
PID:4580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
184⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1236.tmp" "c:\Users\Admin\AppData\Local\Temp\0qmbwuep\CSC942A0A34DA8E4EB3940EE6677B9B0F3.TMP"
184⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:4836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
183⤵
PID:4448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qdejclfv\qdejclfv.cmdline"
184⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1449.tmp" "c:\Users\Admin\AppData\Local\Temp\qdejclfv\CSCCAA326196C7A480787807825475792D.TMP"
185⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
184⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dyfqkro5\dyfqkro5.cmdline"
185⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES160F.tmp" "c:\Users\Admin\AppData\Local\Temp\dyfqkro5\CSC97B0FE375C194D6EBC3F5F4B442691C.TMP"
186⤵
PID:4844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
185⤵
- Checks computer location settings
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cajmpd5d\cajmpd5d.cmdline"
186⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1803.tmp" "c:\Users\Admin\AppData\Local\Temp\cajmpd5d\CSC5B030289793345868198932BBBDF954.TMP"
187⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
186⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
186⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0avscj1k\0avscj1k.cmdline"
187⤵
PID:2692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
188⤵
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19F7.tmp" "c:\Users\Admin\AppData\Local\Temp\0avscj1k\CSC993C6D95DDAF4974AE54E69A1F0864B.TMP"
188⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
187⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
187⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\00dwglaf\00dwglaf.cmdline"
188⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BDB.tmp" "c:\Users\Admin\AppData\Local\Temp\00dwglaf\CSC998E73AA9F934A3E9926C7111BCD356B.TMP"
189⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
188⤵
- Checks computer location settings
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qxvd505u\qxvd505u.cmdline"
189⤵
PID:4016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
190⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DDF.tmp" "c:\Users\Admin\AppData\Local\Temp\qxvd505u\CSC19EFF85D370E4B66A0FB1E464183386.TMP"
190⤵
PID:220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:4100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
189⤵
PID:4844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e12tklxf\e12tklxf.cmdline"
190⤵
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FD3.tmp" "c:\Users\Admin\AppData\Local\Temp\e12tklxf\CSC65561E3F73C3412DBF5C66E1AFF656B3.TMP"
191⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
190⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
190⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcunmx5v\xcunmx5v.cmdline"
191⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21D6.tmp" "c:\Users\Admin\AppData\Local\Temp\xcunmx5v\CSC4F040B5DCE284678A48C867C9E739E43.TMP"
192⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
191⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
191⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4hoqtiym\4hoqtiym.cmdline"
192⤵
PID:116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23F9.tmp" "c:\Users\Admin\AppData\Local\Temp\4hoqtiym\CSC44200E849835493CA82281F4BDED081.TMP"
193⤵
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
192⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
192⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
192⤵
- Checks computer location settings
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52at0cpb\52at0cpb.cmdline"
193⤵
PID:4220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
194⤵
PID:220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25ED.tmp" "c:\Users\Admin\AppData\Local\Temp\52at0cpb\CSCF812C81868B2440F92CD1B9A92FA543F.TMP"
194⤵
PID:3140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
193⤵
- Checks computer location settings
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yhky3oll\yhky3oll.cmdline"
194⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27D1.tmp" "c:\Users\Admin\AppData\Local\Temp\yhky3oll\CSCBD40BD42CD78485BA0C592BD1AD69EA.TMP"
195⤵
PID:4656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:4364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
194⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ylnnpgo\0ylnnpgo.cmdline"
195⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29B6.tmp" "c:\Users\Admin\AppData\Local\Temp\0ylnnpgo\CSC99E8730BAE314BFF80B3A747A21599FF.TMP"
196⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
195⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjtizfrh\kjtizfrh.cmdline"
196⤵
PID:4920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B7B.tmp" "c:\Users\Admin\AppData\Local\Temp\kjtizfrh\CSC76CD3C49AB444E25A55E553CB63779F7.TMP"
197⤵
PID:728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
196⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dkhd1kih\dkhd1kih.cmdline"
197⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D6F.tmp" "c:\Users\Admin\AppData\Local\Temp\dkhd1kih\CSC8B3DEB4E8CD473783C2DE232B82A354.TMP"
198⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
197⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
197⤵
PID:3344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grygxzlf\grygxzlf.cmdline"
198⤵
PID:2916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F63.tmp" "c:\Users\Admin\AppData\Local\Temp\grygxzlf\CSCF2C6D80426D48B694D727F2B7892815.TMP"
199⤵
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
198⤵
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hnfyltr3\hnfyltr3.cmdline"
199⤵
PID:4728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3157.tmp" "c:\Users\Admin\AppData\Local\Temp\hnfyltr3\CSC3953166C133847D78D3151E646D3FB10.TMP"
200⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
199⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g2m1jybs\g2m1jybs.cmdline"
200⤵
PID:3732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES333B.tmp" "c:\Users\Admin\AppData\Local\Temp\g2m1jybs\CSC2CE10BDA9D2B46A194F6EA674ABC340.TMP"
201⤵
PID:396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
200⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
200⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b45v5dnw\b45v5dnw.cmdline"
201⤵
PID:5024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
202⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES353F.tmp" "c:\Users\Admin\AppData\Local\Temp\b45v5dnw\CSC26682BC17D4FE1BCA1104520827FA0.TMP"
202⤵
PID:4872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
201⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y0z2e0bb\y0z2e0bb.cmdline"
202⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3781.tmp" "c:\Users\Admin\AppData\Local\Temp\y0z2e0bb\CSC789D2F68EF6E4172A91F3ABD36D53B5.TMP"
203⤵
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
202⤵
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkqud2sy\gkqud2sy.cmdline"
203⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
204⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A50.tmp" "c:\Users\Admin\AppData\Local\Temp\gkqud2sy\CSCCAF02DFF19A04D6DA9BF1C5DAA4D9CCD.TMP"
204⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
203⤵
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\30zpxsr4\30zpxsr4.cmdline"
204⤵
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D7C.tmp" "c:\Users\Admin\AppData\Local\Temp\30zpxsr4\CSC30A8B41FDCEA4E249624AB7F4B9EC78B.TMP"
205⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
204⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y3nmzf21\y3nmzf21.cmdline"
205⤵
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4099.tmp" "c:\Users\Admin\AppData\Local\Temp\y3nmzf21\CSC10375AAED83D4392A31FC4F828906C92.TMP"
206⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:3676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
205⤵
PID:768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mgkjkydg\mgkjkydg.cmdline"
206⤵
PID:4100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4404.tmp" "c:\Users\Admin\AppData\Local\Temp\mgkjkydg\CSC5C79017CC79A4BF4A8959DCE65DA62F6.TMP"
207⤵
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
206⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ebdieki0\ebdieki0.cmdline"
207⤵
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
208⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4694.tmp" "c:\Users\Admin\AppData\Local\Temp\ebdieki0\CSC1F1E346B16743F4B68F6869ACFDCAD0.TMP"
208⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
207⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
207⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f5yr5vzm\f5yr5vzm.cmdline"
208⤵
PID:3880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48D7.tmp" "c:\Users\Admin\AppData\Local\Temp\f5yr5vzm\CSCCCB392842DE44459A77FC2A1922CED.TMP"
209⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
208⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\by11qusf\by11qusf.cmdline"
209⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B96.tmp" "c:\Users\Admin\AppData\Local\Temp\by11qusf\CSC3034484F7545422C9ECBBC8867ED33A2.TMP"
210⤵
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
209⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
209⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vleldwgj\vleldwgj.cmdline"
210⤵
PID:548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:3696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F10.tmp" "c:\Users\Admin\AppData\Local\Temp\vleldwgj\CSCB41CE13A64540DFA331BFD132D74E0.TMP"
211⤵
PID:440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
210⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ej32w5w\5ej32w5w.cmdline"
211⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51EF.tmp" "c:\Users\Admin\AppData\Local\Temp\5ej32w5w\CSCC263874D50344962AE0BA1861CEBB9.TMP"
212⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
211⤵
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hmg3dlby\hmg3dlby.cmdline"
212⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54EC.tmp" "c:\Users\Admin\AppData\Local\Temp\hmg3dlby\CSCB2D4C6F19D4544E88F787C193F1C7CD.TMP"
213⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
212⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
212⤵
PID:4436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ssqtbzd0\ssqtbzd0.cmdline"
213⤵
PID:4364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
214⤵
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES574E.tmp" "c:\Users\Admin\AppData\Local\Temp\ssqtbzd0\CSC7EB572D7C8F0441ABB4E9D779FCC1A8.TMP"
214⤵
PID:3216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
213⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g4lwxfm1\g4lwxfm1.cmdline"
214⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A1C.tmp" "c:\Users\Admin\AppData\Local\Temp\g4lwxfm1\CSCA013598CA2CE494B8C32391113B2A1C.TMP"
215⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
214⤵
PID:4048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxi5lssb\cxi5lssb.cmdline"
215⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CCC.tmp" "c:\Users\Admin\AppData\Local\Temp\cxi5lssb\CSC789DBA70E8E246EFB2919E3928354FDA.TMP"
216⤵
PID:4920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
215⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
215⤵
PID:3768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fe2u0i3p\fe2u0i3p.cmdline"
216⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F7B.tmp" "c:\Users\Admin\AppData\Local\Temp\fe2u0i3p\CSC3ABC19EF137F4F9E8FC08997B7977D9E.TMP"
217⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
216⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
216⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\czosxesj\czosxesj.cmdline"
217⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6269.tmp" "c:\Users\Admin\AppData\Local\Temp\czosxesj\CSC71BDE85BCDBD418491E4BD35961280AD.TMP"
218⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
217⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\05qxcolz\05qxcolz.cmdline"
218⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6519.tmp" "c:\Users\Admin\AppData\Local\Temp\05qxcolz\CSC567AC9686D1849F8863C4C2FE7941DE.TMP"
219⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
218⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
218⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cf2p5xyo\cf2p5xyo.cmdline"
219⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6855.tmp" "c:\Users\Admin\AppData\Local\Temp\cf2p5xyo\CSCF210212568FA4C6680B643509BED1B14.TMP"
220⤵
PID:3296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
219⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
219⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
219⤵
PID:3140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mdvpxgmo\mdvpxgmo.cmdline"
220⤵
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BC0.tmp" "c:\Users\Admin\AppData\Local\Temp\mdvpxgmo\CSC4986833136FF42BFBD7D96F32098F3.TMP"
221⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
220⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
220⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkfnbp0r\pkfnbp0r.cmdline"
221⤵
PID:4252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EAE.tmp" "c:\Users\Admin\AppData\Local\Temp\pkfnbp0r\CSC2A44B9D98E514FC1858EF1CC5B95F10.TMP"
222⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
221⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ba025ch\4ba025ch.cmdline"
222⤵
PID:4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71BB.tmp" "c:\Users\Admin\AppData\Local\Temp\4ba025ch\CSC52CF618CBA714E069D96762E0EA6CF7.TMP"
223⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:4420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
222⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ewzhzkzf\ewzhzkzf.cmdline"
223⤵
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74C9.tmp" "c:\Users\Admin\AppData\Local\Temp\ewzhzkzf\CSCB1B03302C7694D5481F325E2F2EF8AB7.TMP"
224⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
223⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58174d87903175d3435b0797c5cbca72_JaffaCakes118.exe"
223⤵
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aaghpd14\aaghpd14.cmdline"
224⤵
PID:1884

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv PfraIVXHFEasDA0SpJb5Qw.0.2
1⤵
PID:3768

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1616

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:1044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3A0B.tmp
Filesize
1KB

MD5
fdcf61abd6850b6bd5053975bab0c316

SHA1
820159054e82cbf712750d19af812497fafee942

SHA256
20591d8aa3b9d1bef1de910c05467e8b860800c6c14ebfbb1b25927dd7ee1e0b

SHA512
ca822e586080b575e3b9760a3f54c302b76c864617e02e54502d866abbf234a7719ce86552a62933c78a73976a7052f40970f743fc0488d46e032fa7c314aa10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3DF3.tmp
Filesize
1KB

MD5
e052f7d63f280437f4de9159da1ede1b

SHA1
5b2927b1996df148a7a74c94e8e718b5ceb13f0c

SHA256
aa53546b3672ae9ec4904e431f2dd01bf5df629183a611c60058c597ce04e0f4

SHA512
53c84f4e61eadab2bba4c987ed3719c09e26c93bfa4b0f2f916ad092de9ba7ae52b7ba2bb37f73486bf89485e382c5c836b873fd5301bdab6a668db5c1533806

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4277.tmp
Filesize
1KB

MD5
2cf3162d17f2ecc789daf44481398e0d

SHA1
76150d9069117a50b93518314031721f19d8cff3

SHA256
8cbb0537e17df3363f32c5ed22f2a1a63e37329fdbde4648b1fa3880e670c46a

SHA512
0b64c948eada9375b419b4f9b03c1290ce7ae88fb2562450d4733b2559285206dd5e57d49059152c48c4583ac4fbf1c6e3529e45c8ee1f073552577b9904f961

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES44D9.tmp
Filesize
1KB

MD5
78f74f06c1d50c8f279b67e7ec5dc527

SHA1
c2b696801f8d15e17c8f5fa35190d54dc05838bb

SHA256
f969e906578a149626fb8a6448c5355e439a490cc574798c9d6a8935cb32c841

SHA512
156222e9ac5af650c52223142a26c8fee3f031d699da04ec9ba7a92bb2a15025c3316a0f02cf392173c72027ccb5737577d800145a5c437feb6a37c17f7b802b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES47A8.tmp
Filesize
1KB

MD5
91b92098fb10f7ee1555d3f0bf1ac558

SHA1
d4880588ead8343f7eddbed088887770b02f1dff

SHA256
bfdac8d188b7a48b2622e4322477521a578f907e5e853c12fb46c5ec41670c38

SHA512
5ffc29100aeec3128d9aef20d686ca872506b6e807a91592a789f7921fc854b057bad9e12dd670c67a69e593c551380dccd4069e344cb9025b3b29f8566b9dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49CA.tmp
Filesize
1KB

MD5
6c296d64798440e3eb0391793d3d431b

SHA1
4e152d892f32983afe8bfe10d83300584f94f009

SHA256
ea804f69bbef29c58d72c601fb9a6710ab185cd8b6dee7d1ccaab6bf07f05eec

SHA512
a53d193330e8a0e767d3ba7efdfdf70e55c1c6b4bb2325368b072e45f4bc093a76e502d10e8d1b25c5d01c40c962ff1ea301d74f8be33c1d52d37fc1867def4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C3B.tmp
Filesize
1KB

MD5
ed49f5f0da25d66505b245b631109ff2

SHA1
23580f92de9b8cf6b8eeb14987125ae59f474fd6

SHA256
e89b43bb9ff1f4b526f392501dcd3cdae2144d6abee698f7e452e9e15a6f425c

SHA512
fb64e9ac93e687c128f78cbac5c015bde927350e3823552f4aef9e693487b470412b4c0520eff1565d42fcc99d4b927db1e3efb3e7c077c9c1d5a15cb3b348ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E6E.tmp
Filesize
1KB

MD5
412b81c6b326d52f4ae8102fc057eeac

SHA1
6775a565c993732d48121f814e38a950e83b36e0

SHA256
a0b144ec930dcfffd68f60fbc8f9f196975271a988b3cd315df8bdffc4ab517e

SHA512
9eabac8df9c41d811e4cdc442c26842fee0b0e5e19205c95dcbc1e7cffb96e53a2ae7efa503fc2ed312e072dcdcc3e15bc7142dfe7d609fc8570f37828da7011

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50DF.tmp
Filesize
1KB

MD5
8c60e0613c00cb350d15e1642c2ad312

SHA1
31fef68094202577c76e1f5f2b2189d7a23b083e

SHA256
c69ecd666c289ef4c2941f6c66d3d866560928bb37649039f72dd3676c9a7a0b

SHA512
8ac6e5e0bb8d94911a2a766313ca847954c5f971807c8a31f625c275c7fc4eed30a0df918cb2f865ee71475526b577eba9156c29c3bbe98906448f626cca9bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES539E.tmp
Filesize
1KB

MD5
1dcebc000af692ad8b4a38c034c9304f

SHA1
588cf967a0b128726655015b62d5e35531f1213d

SHA256
2daf1e42904f570753031140d85ce73adebc4cd75e949513d14abbc49a6096e2

SHA512
b6536e9a4a5b6fb7a16b62ea65217e2e382e0aabe91a948b1adcc365b033184e438a293c38ace39c297791cc704b052192f549f19b8b493e8377d458bd7e1cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES562E.tmp
Filesize
1KB

MD5
23dbbafcf7f27cc17e1fcd8a921a1498

SHA1
b51cea3f16ef66bcd6090bfcaecb10e25069c0f7

SHA256
7fbae829b4a6495ac17680a2ed66cfa8b9dbe47504cdb89db0a4d722a64d4cc1

SHA512
9c15afcedf3ac248feece860f2b1e295246663cc322f271052b214a1ed2c0404014f1dc555ad64619ace751d4c1da09bd0bc2fd4477634d4b9e780d356a0c1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hln53l0j\hln53l0j.dll
Filesize
1.4MB

MD5
1858b75f4f1c52e0d177b923dc21d891

SHA1
928206c9652abfb9598d9717064080077459f831

SHA256
d01d815406dafb78f007134de5b05623829302e1afb85ca23603b98efd00da6e

SHA512
f65f4c413e1559bd4008fda0f05e5c95808444cdccc31765b605f9edf6b3b9b635ae92c87ebe810b54dcfd1c97921242727b251e0bc1addf8b42616dd67e42ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig0wdkp4\ig0wdkp4.dll
Filesize
1.4MB

MD5
9f9175f9bd49fd716a3a0a2a4b2429b4

SHA1
1b8bcc93ee96ea3212ab72189d46c1ff0b07e3a8

SHA256
2048103b8d634f234d03138941c09f0a0e32f22d049af9737df7b92e5bb741ed

SHA512
bcd50d45fd8129d7ae934a78689667af7f5c2a0e5f18d1630c89781b9c87a4c2d6953817ccfb65aacd32f967991b319b04e2b2ddc1ac216d834202429c428561

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi2j5pgt\mi2j5pgt.dll
Filesize
1.4MB

MD5
ec79d087a352fb2177e17d27f78dcdd1

SHA1
b1af83c49a4c590aea79c4371ae8b0d3c6f0bd24

SHA256
c2f011f5c2f5846da8f7df7c86794e43d14e32401039e0a508ebf3cdf0207e49

SHA512
6e0f0b48273e987c50ddee080db894f213afbc4bb0a01e9810fa7d3ee65660bce7b3d6797db3f4e692ae357c00f77f2849da0fc36ad3ad148a79304e9d4dbb83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nt4rfssw\nt4rfssw.dll
Filesize
1.4MB

MD5
a4d09f4fd433d22b84937b887a58cbaa

SHA1
d5f3f03cebdc286fa6d9584812ac2f659022df6a

SHA256
afcb0908fcccde463a4116b239784bce2fa0b625869189750d974a92e6c9e02a

SHA512
429c664afd35ed60bdee2484d83e3b214bef17063919de7e2bb8d0c382f730ba2420584adbcdf05fbbc9014c3455d7066ee9182182a66a872a06b73bbc5420c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfiukjab\rfiukjab.dll
Filesize
1.4MB

MD5
fc9edcda6c193df01d425f4b3aeb3eb8

SHA1
70f1f959f4de8d5d970e7163b3f308395df62b1a

SHA256
3822d97f59d6b6b25c5aa028a727c36c199e6b2b322a62c2f2ffeded8d31195c

SHA512
ca0da0a6f0613882e0ca72499998e49e92bb7fbfa5f8aa0dedfbc28353215a19e59363ba7dd7314179681e2938ccd02602a4e2e8bc88ebf27678bbdcbf036e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqhy0ptp\rqhy0ptp.dll
Filesize
1.4MB

MD5
a955f8f9ad6a8c09126585bc0612268b

SHA1
0488be7018bc3aa2c533f990d7f950835832c34c

SHA256
20f299f3fee50a8946e053519092a8006a153676eeaf6ed75cf3f559b89178bc

SHA512
dd13d6d62e6c8dd2030f1a341d80b4cedd35945f05f43e376fbcafb521be99835b0c5fc10c7726dd88a7c935b2e6232f97d833020e9b7175a58b494d2144ef66

Download Submit
C:\Users\Admin\AppData\Local\Temp\whvnyzja\whvnyzja.dll
Filesize
1.4MB

MD5
119c20a7b2e88ba8c784c2aa82dfd722

SHA1
fb7882d70e9665e49d391dba5841f6294775a0c4

SHA256
64c8a6bbd29dfa5206520b6c2774cb4be36e051bb2934a3dd16d774df84a4c39

SHA512
1cb5d8283d369d5c8c7bd4b0603e0378777adda80ad66f956a0081ad8551c904aee6062a6d7df8fabeb20c1e4fc471b35888ae212e1cf2aa577d990aa17be7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ws32qa0x\ws32qa0x.dll
Filesize
1.4MB

MD5
85cd6184bb52bb6c926b070b548b076b

SHA1
41cba0b27309372d7691bcb451aa37c77fd6c1f6

SHA256
231ccfda29270cac664bdd991c9ac70eef0c820e2ff09c68c3d8f56d30b4b2ca

SHA512
303c1e361ebc063a532d61de278200e7eff145343f2811ed6d36267a5c050eb355ef6b39601ebe3449b6342552de76a65fe574653013ee333e7c64582fa27a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\xld1rxff\xld1rxff.dll
Filesize
1.4MB

MD5
0c149ab8526819cd022e90cde0754c16

SHA1
1b15d571c16341bf45c95ac799c43f8967f542b8

SHA256
d6aafdc6bf3b7a21e8190b4f34c6f5d40c4ed253aa01d0bbb5e028c64777803e

SHA512
dba175653092fa62f65c143e5af338045763b171560e20613b029fe80d982cd93924cd14611aa34884cae2b36a5a2bc90b0d54ccb15b187570fc0ccfc672992c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydtzvd5f\ydtzvd5f.dll
Filesize
1.4MB

MD5
642262f3926f52e0523ff197c79325e3

SHA1
44e5bbb546dc2b2b004b6a902795dcd1db149896

SHA256
97b2ffb8e348ed06de619e3c2dd586f98f841a2616e3a3c4eee0879fe1f75322

SHA512
c05187eb211f92fb997aeea6b0fe6f5aab24430bfe423fe3297c03898afe0431df7d8eeb1b87d6413ab1fd440b74d4678878ba44b8600fbdce695f938bb2dbd7

Download Submit
C:\Users\Admin\DocumentsWebSocketCloseStatus.txt
Filesize
2.0MB

MD5
d510225b94b0ebe2d5414699b2a89771

SHA1
3e79f1ea8c96ed35a27247227c533c5c4dd6010a

SHA256
01d57933cac2d50b0b439e322323f20b0083302f1ae80263ff151f3390f4be24

SHA512
dc28498c4b43efcbe4969e65cf6f509a352fb2221905a1eeb43b955bab2ed55852e8167d13f9dc83b736c8b0ddd6b270d8d7c120720fb6406279c17aaa43e399

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hln53l0j\CSC6C51C2501E00461CA528EAA1B5C04354.TMP
Filesize
1KB

MD5
229d0f8e055c4ca6bd7bf2252e2ee0ce

SHA1
7fa4cf763d4af118d871092f191ad63e19646efa

SHA256
b4426812e371a8984c3e376b047e4fdc8b3d9c8015eb8c6d3bc11909c2a4321a

SHA512
fd3b56631e1aba9caf9f7b363c5a8ade045e7379c1d11c119a412795ff985789f86b0ebe0cc516870e81ecc5337d29b86cadff274e6bcaa8e8ee49fe451f30dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hln53l0j\hln53l0j.cmdline
Filesize
301B

MD5
dacebc44df20c228f8212e769b003c27

SHA1
d9892c5dbe73a04feea7293ecc680f7a0f2b19b3

SHA256
e542f533d6ef262305e86e9aacb84163b957c7d02a209bb07cf17d6fb0bde591

SHA512
ade8732b976eaa65bebc8dd05e1bc2d7c5d1fcb788da78b4e7ea969814177fc6976434e17e387d23f616401fd71b9145a0c5f4ca00056bcf0e9cb12226763b9e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ig0wdkp4\CSC35B08EC31C1E4701AB73FF67CE43CBBD.TMP
Filesize
1KB

MD5
8bc5ccbaaa222460bb91fe2dfcf22d6d

SHA1
52aaf8945185c7e0cf1e2ba5a67746730f127aa7

SHA256
589e0df878a87e51e5543c9e1f51dc8a81c359260683989ad4666da8afb1de60

SHA512
9d5e121c49e6c1db9067c53d7be4590e0ee77fe75b4001f43ff46f9bc77c431dac202f07e4de7a8ac77e2895c7089fdc074b183f30a0b8d311459f0df9662b8a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ig0wdkp4\ig0wdkp4.cmdline
Filesize
301B

MD5
2acd50f787d1044d9b35cecc54038e12

SHA1
d787a456d26ca4a673ef65ef3049a7da08546cfe

SHA256
94867456ef40ed72911d91f29c51c7a3e31958e1d3d8554a6e49cb6d4da26a20

SHA512
7aea18f2ed0fd76303db396c77f4eb22c95ec4e63b15ace4c485a108ef99fe5fcf86dbfabb8d248a375c7b5274b0329ad7ec55b1db2b1134089d475e43bfe677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ikalb1mi\CSCAE7B279BBBB04FEB9B9ACEAD2DE5E5D2.TMP
Filesize
1KB

MD5
0a2570b75c48777dc5e8968a90098a56

SHA1
7effff32b77324feb3c5d498644feef4d0fe5305

SHA256
57afd97cc33697d40b127010493ebea1197798450f181aa5c1dbc825af02cd25

SHA512
a5fd90bd04ff2a0a63fba0850f8b337a4e0949db14b6941f330ad165c821b95df96e6210ab949148938aeb939d0c5f981d9b125e3e7c80c6d05e8d311d2e5b79

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ikalb1mi\ikalb1mi.cmdline
Filesize
301B

MD5
3ba2ac1dce70a7f8822ded382b6d4397

SHA1
c2836adcd41c10707fd2bf1e913471ea292d38d0

SHA256
9f318c351ebe8f08ddede936ec40a0316edc6da1bc91a801e7725f858dcbaa36

SHA512
66a3632dc54dfe5b8c7c0d02e16df432ad583ab5d77645fb47120815cd8062f02ca4d8f5668efbb0b2017ab540340995971152494e1f853bb00546c66f5dd9d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mi2j5pgt\CSCDA2B4E043DEB4A8AA13AB99E9AC2CC9A.TMP
Filesize
1KB

MD5
2227280ad274f71cbb8ef890e0092dda

SHA1
8681eea8552f7d64e31d495d3bbfd11165fee0ae

SHA256
1825934eff841b07512d0b54586732f2a64b1b827908d4f6bf24a4fda63bfc93

SHA512
03e836a114189bfd4451596ff5cf809eeb59257ed0de3ce6fb06e1d0cebeb637a01bf2f8ab102858b9adf3309b8923dca4b097c398b1d23b13e9131c673d807b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mi2j5pgt\mi2j5pgt.cmdline
Filesize
301B

MD5
2365b113030674ddc93fa3e78661f27b

SHA1
08c2606e7764315dfe46fc2efd3f010f9fea5e27

SHA256
454cfea5dda42eddb829ba90f1d471a172983f869d1a7456295d45c4bf984667

SHA512
9dc6cca94f7040f9f2ac28bdf806d7a9659d84671de6ff09db4aad0683480f11ff6c0dfc79314e577536ef44daf43c8f66f46eb3a62f92e80eca3e29c81aa899

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nt4rfssw\CSCD4450F33C315410A988C6DC38993C53A.TMP
Filesize
1KB

MD5
b666562562d94f851f250fedf78d534d

SHA1
7245c0fde44afe677f46846d1669a41695d57e85

SHA256
ef8a6b691df221870b0c2be743ca5fb3684652714798f877e8a58988c35a779e

SHA512
2617f5b43f436c3a3b652ce5843a1ee02f361925247a45e9c449ed68696a75109cfd0d8e7b2bec77ebb3eaef3eddeec08b5595a689262bf188b0b3b586dbe5d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nt4rfssw\nt4rfssw.cmdline
Filesize
301B

MD5
a8c665722fba34ff7d25cd12c293ed0e

SHA1
81ed9f43693611024d10f7ae2ca4d278a8025516

SHA256
926a06724817fe6ba73c223a3fa22805713c2bbe92e8f648f9aeee452142bfbe

SHA512
824e5d6fd07b1f5e7d03e02288000694426616a279e1dfcb34410886dd8d941b56a3b210e5803ebff556e2cb879ff307fa0114ed60af2f9dc5fc19e72e4a39df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfiukjab\CSCE776E22483D142AFAA988A69CDE85FD9.TMP
Filesize
1KB

MD5
5bf05d8323e068e6eea601bacc8b8c25

SHA1
31d88721d9dbcf165d020736e875591e173a254a

SHA256
6bc407104997f645a25a0e810ed8bff41e7f984726b20bd70c71d986003abf7a

SHA512
0b3e4802c73eaf305bdf24da025d2e7003c141b0bc738cbb2c443b0b6fb63e189f48beba85b831f6ffcbfaee87223409cc7defbe0b12016da8c6f2c1c5b152dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfiukjab\rfiukjab.cmdline
Filesize
301B

MD5
84e16698e7cea8b6b5b7bbc8096bedcc

SHA1
f9de14fc4dba41acd13364852eec820a20de1d49

SHA256
06fc8861b42d8e6823ee4a2db5078aa98dcb952c7d110ab043edf31ff86b92d0

SHA512
3362f80496a2f8d3cb6595c38d5e429016003d4aef0a9454f04fd16d6ea374aed2db520344c04a51e792077f939dc58fa5df07186e2d995fe2905e9ef8fba615

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rqhy0ptp\CSCF98CCD98972243AF9FB622D9C719E4FA.TMP
Filesize
1KB

MD5
2eb11510fbc4ebefe348724342d21e22

SHA1
93eafa2f05daf18bcdae3d396e46f4a17ab3dc94

SHA256
fa4ad2e42e12bf5d96d3c4806390b9f55ab3d204257ae195d86392569986259f

SHA512
597f11f8c9efcc527f8526cf46713844ec8da54b135f2b466059e574674b15b1974fffaf562bfe4242e62d98413b086f5b46d8b1f982a36fdcb3f9e0c4c28ae9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rqhy0ptp\rqhy0ptp.0.cs
Filesize
2.0MB

MD5
3add63d70f7cf265c31ad4493b45a28d

SHA1
b125041f6d712116143020fe3b4c0deaab678143

SHA256
f20c56aaf9f9f21eb0e5cd84d863176f442d8bb0a59ec2ae4f91c928a4754bda

SHA512
e4614a662da9db59e126885ea8e7c42e605438e3a09dd7a71b4a5ea8a0182bf8a2a4f6c0fefa5761bb24527940cddb6644a1e27537afac9231fcddbc297b4a9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rqhy0ptp\rqhy0ptp.cmdline
Filesize
301B

MD5
50dea0abf22ba32cb612dd3d1b542100

SHA1
18276b7938acc2b1927be25b87a4cb64fb867afd

SHA256
2c4749939816a5a46ec44419f8956a2fed79e30dd7fcb4eee8010910666873c1

SHA512
6a81e0e6ab6db91fa7ad6707c6862e420224107bf4944f833dc9c2cb466214eeebab733b81288c3b11affaeffc9d69b020ff7ec5ecc35eb2a5d46227963b5b0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whvnyzja\CSC2D7704EF9BE7489595AC4EC0467A9D25.TMP
Filesize
1KB

MD5
5f5ed89a409c92945950b1b376ea1afb

SHA1
a47b39795db3a2eeb563f32c4c93b4b2b6e6cc19

SHA256
09717f3ee7055bb07f1a241760fced122bfd6523f4cbba1a7ab832a2f36a18cc

SHA512
437c3ae8b5a27866e9ec4e6f0587108bf9ff4f32a53f170b83555759bb8ae25338650be523a2f10df1bbcfa668213f7eaa85d7ab9d938af63c002b48bc49fc66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whvnyzja\whvnyzja.cmdline
Filesize
301B

MD5
fbde868f83ac79d4c4259dab4235d53e

SHA1
febdd4a5ed480137c2ab6c124b4e9be923c30b4d

SHA256
e2a8e9d08a107a8c82400fcaa53192523eb7d34400d8d76ec2dc3e571abee0f0

SHA512
e2e97b13d1f1211e0b0b79243fa65e4cb00501816ad6cff42ad96216524e822adec78bce78eceb0beaa1925b95b72912a0cb9384d7d92ca286c2ebccd6761631

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ws32qa0x\CSC30474657ECE64B4D9DFB174DE96FEF3.TMP
Filesize
1KB

MD5
5841a72c69617e3f054de77413321fbf

SHA1
b03dcff056c5f3b92b8bf5cabfb09ff10ce77dfd

SHA256
c81f0432a38604b9c6e43cd4f91aaffe6c34874a5bfd7c78decd5c1e1a3592ce

SHA512
5f8cce01c441a2a7a94b2bb622f6df62262b2db5fe51c7cc24b7fa48cf7aea99b99d2a845f2799c7b085834ac147eea83ab78efdba49ac0d322efc523e1a2483

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ws32qa0x\ws32qa0x.cmdline
Filesize
301B

MD5
13ad3fc7e56ae7f342e22559ce91553d

SHA1
9b324c2efe3b4f8d3a6df81c6d79ae0d72b7bb1b

SHA256
15ca691104f69e86290bc86aa1a381d63ebf1ff72b10ecd9b00c517401eb0b3a

SHA512
cadcabb67a3b2b0f29a25a3d60c52a38e05e4336ad237fc9528aebd5075c33f84c70dd3a71885e5beb8b98c60f2a0275254d5ffed178b0d624d05abe2cb012aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xld1rxff\CSCB993B09E25494F8891E48CF44B92E46.TMP
Filesize
1KB

MD5
9f47d96d169788e362d0005d5288e94c

SHA1
b6cf30ff5f99f9168feb7e23d75a8e2f9e9b7905

SHA256
1b81cf0b553ad0245e2512a81cc3dce8295daa868f35be7618a7a683c5fe72ac

SHA512
e9bd1a6ff49f20753c393fd14621f8e25055085997a9d80fa2ed18b0e9b420fc01830a1fb874463e7d718069edd6de95ebe003d9c04bdd7d2cc69441063025ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xld1rxff\xld1rxff.cmdline
Filesize
301B

MD5
9d27b21603ee997dad9809c603a1ca53

SHA1
875891b4bf37d746372299ffb4ea1d1c6debd854

SHA256
ee2d5b7b08c0931554e23f7afd14b2e360befbdb2e800421036cb370997b5647

SHA512
d121163ee8f7f3d12c476b7ec91f19ae7bb4a05dbb7858d94ccf33db42222d5f7dff66f6d94671c5a05a93eb5132d8572017f26a27fa8d34ea03c0f1654a04fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ydtzvd5f\CSCA3B95EC1414342CF93D333E86E667E32.TMP
Filesize
1KB

MD5
b9ab27d4741eab00694204640ff9b219

SHA1
bdf9482869af6d64fca9f26363897c1425642b7d

SHA256
4f9a238e7c15591476ff28ed3f34442a14e33cda15bf9f44da1c27abf2f16674

SHA512
fab5916119b789d4c8e44af4bfd1a85de5e2c2029a03e283c3cfff6be658e9cf7558d4603c0e50728fef66bc01874845a4749722109e593b9060fb0cc7191e92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ydtzvd5f\ydtzvd5f.cmdline
Filesize
301B

MD5
677abc9b64faf45ec83792525aea0ce8

SHA1
cbd64845d02b8761b79e199d6748f4f65b867ccd

SHA256
a7890489489d9afecb7d64bec3bc78a506c48a6be0718e1ba03425091257e66f

SHA512
d78882c7955fb865aa86be50892a0f92722d259f9cccdde9d996ebd19dce8863431c062c8fd514c27c21e29926ba7cb743e0affbd2d0e7fd36667e2f062875b6

Download Submit
memory/348-662-0x0000000005880000-0x00000000059E0000-memory.dmp

Filesize
1.4MB

Download
memory/452-950-0x0000000005620000-0x0000000005780000-memory.dmp

Filesize
1.4MB

Download
memory/628-301-0x0000000004D70000-0x0000000004ED0000-memory.dmp

Filesize
1.4MB

Download
memory/880-373-0x00000000053A0000-0x0000000005500000-memory.dmp

Filesize
1.4MB

Download
memory/916-650-0x00000000054A0000-0x0000000005600000-memory.dmp

Filesize
1.4MB

Download
memory/968-21-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/968-19-0x00000000058E0000-0x0000000005968000-memory.dmp

Filesize
544KB

Download
memory/968-57-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/968-17-0x0000000005780000-0x00000000058E0000-memory.dmp

Filesize
1.4MB

Download
memory/968-7-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/968-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/968-1-0x0000000000D10000-0x0000000000E96000-memory.dmp

Filesize
1.5MB

Download
memory/1380-962-0x0000000005870000-0x00000000059D0000-memory.dmp

Filesize
1.4MB

Download
memory/1388-625-0x00000000050F0000-0x0000000005250000-memory.dmp

Filesize
1.4MB

Download
memory/1412-469-0x0000000004C00000-0x0000000004D60000-memory.dmp

Filesize
1.4MB

Download
memory/1476-421-0x0000000005130000-0x0000000005290000-memory.dmp

Filesize
1.4MB

Download
memory/1476-127-0x0000000005240000-0x00000000053A0000-memory.dmp

Filesize
1.4MB

Download
memory/1536-349-0x0000000004C10000-0x0000000004D70000-memory.dmp

Filesize
1.4MB

Download
memory/1572-457-0x00000000056E0000-0x0000000005840000-memory.dmp

Filesize
1.4MB

Download
memory/1668-638-0x0000000004CB0000-0x0000000004E10000-memory.dmp

Filesize
1.4MB

Download
memory/1744-770-0x0000000005610000-0x0000000005770000-memory.dmp

Filesize
1.4MB

Download
memory/1876-163-0x00000000052F0000-0x0000000005450000-memory.dmp

Filesize
1.4MB

Download
memory/1920-409-0x0000000005860000-0x00000000059C0000-memory.dmp

Filesize
1.4MB

Download
memory/1948-782-0x0000000005710000-0x0000000005870000-memory.dmp

Filesize
1.4MB

Download
memory/1972-938-0x0000000005B20000-0x0000000005C80000-memory.dmp

Filesize
1.4MB

Download
memory/2120-674-0x0000000005B50000-0x0000000005CB0000-memory.dmp

Filesize
1.4MB

Download
memory/2120-758-0x00000000056D0000-0x0000000005830000-memory.dmp

Filesize
1.4MB

Download
memory/2212-45-0x0000000005FF0000-0x0000000006004000-memory.dmp

Filesize
80KB

Download
memory/2212-22-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-47-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/2212-23-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/2212-24-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/2212-50-0x0000000006040000-0x000000000604A000-memory.dmp

Filesize
40KB

Download
memory/2212-46-0x0000000006000000-0x000000000600E000-memory.dmp

Filesize
56KB

Download
memory/2212-43-0x0000000005EA0000-0x0000000005EBA000-memory.dmp

Filesize
104KB

Download
memory/2212-25-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/2212-51-0x0000000006190000-0x00000000061BE000-memory.dmp

Filesize
184KB

Download
memory/2212-42-0x00000000052D0000-0x00000000052E2000-memory.dmp

Filesize
72KB

Download
memory/2212-40-0x0000000005130000-0x000000000513A000-memory.dmp

Filesize
40KB

Download
memory/2212-20-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2212-44-0x0000000005FE0000-0x0000000005FEE000-memory.dmp

Filesize
56KB

Download
memory/2212-52-0x00000000061C0000-0x00000000061D4000-memory.dmp

Filesize
80KB

Download
memory/2212-627-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-26-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/2216-181-0x0000000005650000-0x00000000057B0000-memory.dmp

Filesize
1.4MB

Download
memory/2232-794-0x00000000050E0000-0x0000000005240000-memory.dmp

Filesize
1.4MB

Download
memory/2232-216-0x0000000005A40000-0x0000000005BA0000-memory.dmp

Filesize
1.4MB

Download
memory/2240-385-0x0000000005290000-0x00000000053F0000-memory.dmp

Filesize
1.4MB

Download
memory/2248-902-0x0000000004DD0000-0x0000000004F30000-memory.dmp

Filesize
1.4MB

Download
memory/2268-241-0x00000000052D0000-0x0000000005430000-memory.dmp

Filesize
1.4MB

Download
memory/2392-505-0x0000000005400000-0x0000000005560000-memory.dmp

Filesize
1.4MB

Download
memory/2584-91-0x0000000004AE0000-0x0000000004C40000-memory.dmp

Filesize
1.4MB

Download
memory/2776-397-0x0000000004F60000-0x00000000050C0000-memory.dmp

Filesize
1.4MB

Download
memory/2948-433-0x0000000005230000-0x0000000005390000-memory.dmp

Filesize
1.4MB

Download
memory/3000-277-0x0000000005610000-0x0000000005770000-memory.dmp

Filesize
1.4MB

Download
memory/3092-265-0x00000000058B0000-0x0000000005A10000-memory.dmp

Filesize
1.4MB

Download
memory/3100-866-0x0000000005170000-0x00000000052D0000-memory.dmp

Filesize
1.4MB

Download
memory/3164-613-0x0000000004EF0000-0x0000000005050000-memory.dmp

Filesize
1.4MB

Download
memory/3164-529-0x0000000004D40000-0x0000000004EA0000-memory.dmp

Filesize
1.4MB

Download
memory/3208-577-0x0000000005A60000-0x0000000005BC0000-memory.dmp

Filesize
1.4MB

Download
memory/3216-698-0x0000000004AD0000-0x0000000004C30000-memory.dmp

Filesize
1.4MB

Download
memory/3268-806-0x00000000056D0000-0x0000000005830000-memory.dmp

Filesize
1.4MB

Download
memory/3272-229-0x0000000005620000-0x0000000005780000-memory.dmp

Filesize
1.4MB

Download
memory/3316-73-0x00000000058C0000-0x0000000005A20000-memory.dmp

Filesize
1.4MB

Download
memory/3512-145-0x0000000005A10000-0x0000000005B70000-memory.dmp

Filesize
1.4MB

Download
memory/3572-361-0x00000000054A0000-0x0000000005600000-memory.dmp

Filesize
1.4MB

Download
memory/3612-289-0x0000000004D90000-0x0000000004EF0000-memory.dmp

Filesize
1.4MB

Download
memory/3768-481-0x0000000005450000-0x00000000055B0000-memory.dmp

Filesize
1.4MB

Download
memory/3836-974-0x0000000005220000-0x0000000005380000-memory.dmp

Filesize
1.4MB

Download
memory/3952-109-0x00000000053A0000-0x0000000005500000-memory.dmp

Filesize
1.4MB

Download
memory/3956-54-0x0000000005170000-0x00000000052D0000-memory.dmp

Filesize
1.4MB

Download
memory/4044-890-0x0000000005020000-0x0000000005180000-memory.dmp

Filesize
1.4MB

Download
memory/4080-818-0x0000000005620000-0x0000000005780000-memory.dmp

Filesize
1.4MB

Download
memory/4132-589-0x0000000005050000-0x00000000051B0000-memory.dmp

Filesize
1.4MB

Download
memory/4180-493-0x0000000005220000-0x0000000005380000-memory.dmp

Filesize
1.4MB

Download
memory/4212-734-0x0000000004E40000-0x0000000004FA0000-memory.dmp

Filesize
1.4MB

Download
memory/4292-325-0x00000000057A0000-0x0000000005900000-memory.dmp

Filesize
1.4MB

Download
memory/4380-746-0x00000000051A0000-0x0000000005300000-memory.dmp

Filesize
1.4MB

Download
memory/4408-517-0x0000000005990000-0x0000000005AF0000-memory.dmp

Filesize
1.4MB

Download
memory/4468-253-0x0000000004CC0000-0x0000000004E20000-memory.dmp

Filesize
1.4MB

Download
memory/4476-337-0x0000000004C20000-0x0000000004D80000-memory.dmp

Filesize
1.4MB

Download
memory/4480-601-0x0000000004D30000-0x0000000004E90000-memory.dmp

Filesize
1.4MB

Download
memory/4528-722-0x00000000050F0000-0x0000000005250000-memory.dmp

Filesize
1.4MB

Download
memory/4564-541-0x00000000050C0000-0x0000000005220000-memory.dmp

Filesize
1.4MB

Download
memory/4576-565-0x0000000004FE0000-0x0000000005140000-memory.dmp

Filesize
1.4MB

Download
memory/4580-914-0x0000000004BB0000-0x0000000004D10000-memory.dmp

Filesize
1.4MB

Download
memory/4596-830-0x0000000004DE0000-0x0000000004F40000-memory.dmp

Filesize
1.4MB

Download
memory/4600-926-0x0000000005210000-0x0000000005370000-memory.dmp

Filesize
1.4MB

Download
memory/4604-854-0x0000000004C70000-0x0000000004DD0000-memory.dmp

Filesize
1.4MB

Download
memory/4732-878-0x00000000057C0000-0x0000000005920000-memory.dmp

Filesize
1.4MB

Download
memory/4816-842-0x00000000055B0000-0x0000000005710000-memory.dmp

Filesize
1.4MB

Download
memory/4816-445-0x00000000056D0000-0x0000000005830000-memory.dmp

Filesize
1.4MB

Download
memory/4816-313-0x0000000004C70000-0x0000000004DD0000-memory.dmp

Filesize
1.4MB

Download
memory/4860-686-0x0000000005660000-0x00000000057C0000-memory.dmp

Filesize
1.4MB

Download
memory/4940-553-0x0000000005BC0000-0x0000000005D20000-memory.dmp

Filesize
1.4MB

Download
memory/4956-710-0x00000000056F0000-0x0000000005850000-memory.dmp

Filesize
1.4MB

Download
memory/5092-199-0x00000000051B0000-0x0000000005310000-memory.dmp

Filesize
1.4MB

Download