b3cc4e1f09aa77a31e7071f2a505bfe5f13f9ec3cb73997b0d4a5ac36fc710fa

Analysis

max time kernel
122s
max time network
153s
platform
windows10_x64
resource
win10v200217
submitted
20-02-2020 07:05

Sharing

Copy URL

Twitter E-mail

General

Target

New Purchase Order.exe
Size

392KB
MD5

6fde327d1798819ad86fa4f70c8c7603
SHA1

c7de8198e57b284203c79a819947d123fc749a3f
SHA256

97150b418a399bb490c31c29ff088f9bfcab8e13b12aa7028dd267d97c541bbb
SHA512

e8276f6a02b50e8e52c2c0376c930d104ac395ed69270c579f1f92342f6b8f70fdcc55989e363aefa18ad33eb3572e4835c6728f49e83cc6b8364bb949b18ff1

Score

8^/10

persistence spyware

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 50 IoCs

Processes:

fiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exe

pid	process
3952	fiGhquPuiorlfEXBma5.exe
3688	fiGhquPuiorlfEXBma5.exe
416	fiGhquPuiorlfEXBma5.exe
416	fiGhquPuiorlfEXBma5.exe
2484	fiGhquPuiorlfEXBma5.exe
2484	fiGhquPuiorlfEXBma5.exe
612	fiGhquPuiorlfEXBma5.exe
3824	fiGhquPuiorlfEXBma5.exe
1156	fiGhquPuiorlfEXBma5.exe
2936	fiGhquPuiorlfEXBma5.exe
1340	fiGhquPuiorlfEXBma5.exe
1400	fiGhquPuiorlfEXBma5.exe
3764	fiGhquPuiorlfEXBma5.exe
3764	fiGhquPuiorlfEXBma5.exe
2784	fiGhquPuiorlfEXBma5.exe
1396	fiGhquPuiorlfEXBma5.exe
4364	fiGhquPuiorlfEXBma5.exe
4364	fiGhquPuiorlfEXBma5.exe
4724	fiGhquPuiorlfEXBma5.exe
4724	fiGhquPuiorlfEXBma5.exe
4724	fiGhquPuiorlfEXBma5.exe
4724	fiGhquPuiorlfEXBma5.exe
4724	fiGhquPuiorlfEXBma5.exe
5108	fiGhquPuiorlfEXBma5.exe
4416	fiGhquPuiorlfEXBma5.exe
4768	fiGhquPuiorlfEXBma5.exe
5092	fiGhquPuiorlfEXBma5.exe
2900	fiGhquPuiorlfEXBma5.exe
1396	fiGhquPuiorlfEXBma5.exe
3824	fiGhquPuiorlfEXBma5.exe
3488	fiGhquPuiorlfEXBma5.exe
1856	fiGhquPuiorlfEXBma5.exe
4640	fiGhquPuiorlfEXBma5.exe
860	fiGhquPuiorlfEXBma5.exe
3700	fiGhquPuiorlfEXBma5.exe
4440	fiGhquPuiorlfEXBma5.exe
1792	fiGhquPuiorlfEXBma5.exe
4860	fiGhquPuiorlfEXBma5.exe
5384	fiGhquPuiorlfEXBma5.exe
5728	fiGhquPuiorlfEXBma5.exe
6064	fiGhquPuiorlfEXBma5.exe
6064	fiGhquPuiorlfEXBma5.exe
6064	fiGhquPuiorlfEXBma5.exe
5500	fiGhquPuiorlfEXBma5.exe
5908	fiGhquPuiorlfEXBma5.exe
4948	fiGhquPuiorlfEXBma5.exe
5596	fiGhquPuiorlfEXBma5.exe
6068	fiGhquPuiorlfEXBma5.exe
2912	fiGhquPuiorlfEXBma5.exe
1052	fiGhquPuiorlfEXBma5.exe

Suspicious use of SetThreadContext 40 IoCs

Processes:

description	pid	process	target process
PID 3952 set thread context of 3164	3952	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3688 set thread context of 3408	3688	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 416 set thread context of 1728	416	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 2484 set thread context of 8	2484	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 612 set thread context of 3396	612	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3824 set thread context of 1532	3824	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 1156 set thread context of 3288	1156	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 2936 set thread context of 3864	2936	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 1340 set thread context of 584	1340	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 1400 set thread context of 1156	1400	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3764 set thread context of 1976	3764	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 2784 set thread context of 3656	2784	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 1396 set thread context of 4248	1396	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 4364 set thread context of 4592	4364	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 4724 set thread context of 4976	4724	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 5108 set thread context of 4244	5108	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 4416 set thread context of 636	4416	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 4768 set thread context of 4308	4768	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 5092 set thread context of 4612	5092	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 2900 set thread context of 4960	2900	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 1396 set thread context of 4172	1396	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3824 set thread context of 292	3824	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3488 set thread context of 5088	3488	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 1856 set thread context of 4740	1856	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 4640 set thread context of 4304	4640	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 860 set thread context of 4396	860	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3700 set thread context of 4904	3700	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 4440 set thread context of 4360	4440	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 1792 set thread context of 5100	1792	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 4860 set thread context of 5252	4860	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 5384 set thread context of 5588	5384	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 5728 set thread context of 5924	5728	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 6064 set thread context of 2232	6064	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 5500 set thread context of 2308	5500	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 5908 set thread context of 6052	5908	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 4948 set thread context of 5448	4948	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 5596 set thread context of 5376	5596	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 6068 set thread context of 3456	6068	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 2912 set thread context of 4760	2912	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 1052 set thread context of 4688	1052	fiGhquPuiorlfEXBma5.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

fiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exefiGhquPuiorlfEXBma5.exe

description	pid	process
Token: SeDebugPrivilege	3952	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	3688	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	416	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	2484	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	612	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	3824	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	1156	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	2936	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	1340	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	1400	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	3764	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	2784	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	1396	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	4364	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	4724	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	5108	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	4416	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	4768	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	5092	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	2900	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	1396	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	3824	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	3488	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	1856	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	4640	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	860	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	3700	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	4440	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	1792	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	4860	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	5384	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	5728	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	6064	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	5500	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	5908	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	4948	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	3408	RegAsm.exe
Token: SeDebugPrivilege	3396	RegAsm.exe
Token: SeDebugPrivilege	3164	RegAsm.exe
Token: SeDebugPrivilege	8	RegAsm.exe
Token: SeDebugPrivilege	5596	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	6068	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	2912	fiGhquPuiorlfEXBma5.exe
Token: SeDebugPrivilege	1052	fiGhquPuiorlfEXBma5.exe

Suspicious behavior: EnumeratesProcesses 15132 IoCs

Processes:

fiGhquPuiorlfEXBma5.exe

pid	process
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe
3952	fiGhquPuiorlfEXBma5.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

New Purchase Order.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	New Purchase Order.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	New Purchase Order.exe

Reads browser user data or profiles (possible credential harvesting) 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 1036 IoCs

Processes:

New Purchase Order.exefiGhquPuiorlfEXBma5.execsc.execsc.execmd.exefiGhquPuiorlfEXBma5.execsc.execsc.execmd.exefiGhquPuiorlfEXBma5.execsc.execsc.exe

description	pid	process	target process
PID 3924 wrote to memory of 3952	3924	New Purchase Order.exe	fiGhquPuiorlfEXBma5.exe
PID 3924 wrote to memory of 3952	3924	New Purchase Order.exe	fiGhquPuiorlfEXBma5.exe
PID 3924 wrote to memory of 3952	3924	New Purchase Order.exe	fiGhquPuiorlfEXBma5.exe
PID 3952 wrote to memory of 4044	3952	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3952 wrote to memory of 4044	3952	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3952 wrote to memory of 4044	3952	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 4044 wrote to memory of 3864	4044	csc.exe	cvtres.exe
PID 4044 wrote to memory of 3864	4044	csc.exe	cvtres.exe
PID 4044 wrote to memory of 3864	4044	csc.exe	cvtres.exe
PID 3952 wrote to memory of 3100	3952	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3952 wrote to memory of 3100	3952	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3952 wrote to memory of 3100	3952	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3100 wrote to memory of 4076	3100	csc.exe	cvtres.exe
PID 3100 wrote to memory of 4076	3100	csc.exe	cvtres.exe
PID 3100 wrote to memory of 4076	3100	csc.exe	cvtres.exe
PID 3952 wrote to memory of 3164	3952	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3952 wrote to memory of 3164	3952	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3952 wrote to memory of 3164	3952	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3952 wrote to memory of 3164	3952	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3952 wrote to memory of 3248	3952	fiGhquPuiorlfEXBma5.exe	cmd.exe
PID 3952 wrote to memory of 3248	3952	fiGhquPuiorlfEXBma5.exe	cmd.exe
PID 3952 wrote to memory of 3248	3952	fiGhquPuiorlfEXBma5.exe	cmd.exe
PID 3248 wrote to memory of 3800	3248	cmd.exe	choice.exe
PID 3248 wrote to memory of 3800	3248	cmd.exe	choice.exe
PID 3248 wrote to memory of 3800	3248	cmd.exe	choice.exe
PID 3952 wrote to memory of 3688	3952	fiGhquPuiorlfEXBma5.exe	fiGhquPuiorlfEXBma5.exe
PID 3952 wrote to memory of 3688	3952	fiGhquPuiorlfEXBma5.exe	fiGhquPuiorlfEXBma5.exe
PID 3952 wrote to memory of 3688	3952	fiGhquPuiorlfEXBma5.exe	fiGhquPuiorlfEXBma5.exe
PID 3688 wrote to memory of 2916	3688	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3688 wrote to memory of 2916	3688	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3688 wrote to memory of 2916	3688	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 2916 wrote to memory of 1000	2916	csc.exe	cvtres.exe
PID 2916 wrote to memory of 1000	2916	csc.exe	cvtres.exe
PID 2916 wrote to memory of 1000	2916	csc.exe	cvtres.exe
PID 3688 wrote to memory of 3052	3688	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3688 wrote to memory of 3052	3688	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3688 wrote to memory of 3052	3688	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 3052 wrote to memory of 3532	3052	csc.exe	cvtres.exe
PID 3052 wrote to memory of 3532	3052	csc.exe	cvtres.exe
PID 3052 wrote to memory of 3532	3052	csc.exe	cvtres.exe
PID 3688 wrote to memory of 3408	3688	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3688 wrote to memory of 3408	3688	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3688 wrote to memory of 3408	3688	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3688 wrote to memory of 3408	3688	fiGhquPuiorlfEXBma5.exe	RegAsm.exe
PID 3688 wrote to memory of 4040	3688	fiGhquPuiorlfEXBma5.exe	cmd.exe
PID 3688 wrote to memory of 4040	3688	fiGhquPuiorlfEXBma5.exe	cmd.exe
PID 3688 wrote to memory of 4040	3688	fiGhquPuiorlfEXBma5.exe	cmd.exe
PID 4040 wrote to memory of 2844	4040	cmd.exe	choice.exe
PID 4040 wrote to memory of 2844	4040	cmd.exe	choice.exe
PID 4040 wrote to memory of 2844	4040	cmd.exe	choice.exe
PID 3688 wrote to memory of 416	3688	fiGhquPuiorlfEXBma5.exe	fiGhquPuiorlfEXBma5.exe
PID 3688 wrote to memory of 416	3688	fiGhquPuiorlfEXBma5.exe	fiGhquPuiorlfEXBma5.exe
PID 3688 wrote to memory of 416	3688	fiGhquPuiorlfEXBma5.exe	fiGhquPuiorlfEXBma5.exe
PID 416 wrote to memory of 644	416	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 416 wrote to memory of 644	416	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 416 wrote to memory of 644	416	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 644 wrote to memory of 400	644	csc.exe	cvtres.exe
PID 644 wrote to memory of 400	644	csc.exe	cvtres.exe
PID 644 wrote to memory of 400	644	csc.exe	cvtres.exe
PID 416 wrote to memory of 1144	416	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 416 wrote to memory of 1144	416	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 416 wrote to memory of 1144	416	fiGhquPuiorlfEXBma5.exe	csc.exe
PID 1144 wrote to memory of 1544	1144	csc.exe	cvtres.exe
PID 1144 wrote to memory of 1544	1144	csc.exe	cvtres.exe

Executes dropped EXE 41 IoCs

Processes:

pid	process
3952	fiGhquPuiorlfEXBma5.exe
3688	fiGhquPuiorlfEXBma5.exe
416	fiGhquPuiorlfEXBma5.exe
2484	fiGhquPuiorlfEXBma5.exe
612	fiGhquPuiorlfEXBma5.exe
3824	fiGhquPuiorlfEXBma5.exe
1156	fiGhquPuiorlfEXBma5.exe
2936	fiGhquPuiorlfEXBma5.exe
1340	fiGhquPuiorlfEXBma5.exe
1400	fiGhquPuiorlfEXBma5.exe
3764	fiGhquPuiorlfEXBma5.exe
2784	fiGhquPuiorlfEXBma5.exe
1396	fiGhquPuiorlfEXBma5.exe
4364	fiGhquPuiorlfEXBma5.exe
4724	fiGhquPuiorlfEXBma5.exe
5108	fiGhquPuiorlfEXBma5.exe
4416	fiGhquPuiorlfEXBma5.exe
4768	fiGhquPuiorlfEXBma5.exe
5092	fiGhquPuiorlfEXBma5.exe
2900	fiGhquPuiorlfEXBma5.exe
1396	fiGhquPuiorlfEXBma5.exe
3824	fiGhquPuiorlfEXBma5.exe
3488	fiGhquPuiorlfEXBma5.exe
1856	fiGhquPuiorlfEXBma5.exe
4640	fiGhquPuiorlfEXBma5.exe
860	fiGhquPuiorlfEXBma5.exe
3700	fiGhquPuiorlfEXBma5.exe
4440	fiGhquPuiorlfEXBma5.exe
1792	fiGhquPuiorlfEXBma5.exe
4860	fiGhquPuiorlfEXBma5.exe
5384	fiGhquPuiorlfEXBma5.exe
5728	fiGhquPuiorlfEXBma5.exe
6064	fiGhquPuiorlfEXBma5.exe
5500	fiGhquPuiorlfEXBma5.exe
5908	fiGhquPuiorlfEXBma5.exe
4948	fiGhquPuiorlfEXBma5.exe
5596	fiGhquPuiorlfEXBma5.exe
6068	fiGhquPuiorlfEXBma5.exe
2912	fiGhquPuiorlfEXBma5.exe
1052	fiGhquPuiorlfEXBma5.exe
3004	fiGhquPuiorlfEXBma5.exe

C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
1⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffcfnb5m\ffcfnb5m.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA26A.tmp" "c:\Users\Admin\AppData\Local\Temp\ffcfnb5m\CSCFE0BB134F4D447448CBFC01999DE73E.TMP"
4⤵
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uilatwta\uilatwta.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA894.tmp" "c:\Users\Admin\AppData\Local\Temp\uilatwta\CSC30C81DED51164E9888AE59852FCD2D31.TMP"
4⤵
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3bkbkj5i\3bkbkj5i.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A16.tmp" "c:\Users\Admin\AppData\Local\Temp\3bkbkj5i\CSC90CF6F08EB944664B22266596496A8FB.TMP"
5⤵
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zqtmj01k\zqtmj01k.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BDB.tmp" "c:\Users\Admin\AppData\Local\Temp\zqtmj01k\CSCCBA87CC178944BD9B549336233559EA.TMP"
5⤵
PID:3532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vwnfu0qo\vwnfu0qo.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES432E.tmp" "c:\Users\Admin\AppData\Local\Temp\vwnfu0qo\CSC2B25168DC41C4C37926B6CEDD58E5A9.TMP"
6⤵
PID:400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4qtkhdvp\4qtkhdvp.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES460C.tmp" "c:\Users\Admin\AppData\Local\Temp\4qtkhdvp\CSCEB45C0AACB63499E8B6E25657DE63A3C.TMP"
6⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
5⤵
PID:2128

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nv2uq33n\nv2uq33n.cmdline"
6⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A62.tmp" "c:\Users\Admin\AppData\Local\Temp\nv2uq33n\CSCEF7B9345C3C646708755E195F88353FE.TMP"
7⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rk4uboiu\rk4uboiu.cmdline"
6⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DDC.tmp" "c:\Users\Admin\AppData\Local\Temp\rk4uboiu\CSC995D83001A6B42A2AFCBB49A5E9139C5.TMP"
7⤵
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
6⤵
PID:3092

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\weua14z4\weua14z4.cmdline"
7⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5399.tmp" "c:\Users\Admin\AppData\Local\Temp\weua14z4\CSCFFA6D123BA4C426089BBF4494598349.TMP"
8⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkwya103\lkwya103.cmdline"
7⤵
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58BA.tmp" "c:\Users\Admin\AppData\Local\Temp\lkwya103\CSCE44123F55D0B459C99E5FF0467A39B9.TMP"
8⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
7⤵
PID:3308

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lipef121\lipef121.cmdline"
8⤵
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C82.tmp" "c:\Users\Admin\AppData\Local\Temp\lipef121\CSCBDCD0EBAE5D54D7E88E286B053614.TMP"
9⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qujblpwl\qujblpwl.cmdline"
8⤵
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES607A.tmp" "c:\Users\Admin\AppData\Local\Temp\qujblpwl\CSCE26D05FF14B64AF1B94B452C5A36C8B.TMP"
9⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
8⤵
PID:1584

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2o0citif\2o0citif.cmdline"
9⤵
PID:3652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6675.tmp" "c:\Users\Admin\AppData\Local\Temp\2o0citif\CSC8CAB8B5CA2294333A34F1F39B2A7249.TMP"
10⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fm03gd4u\fm03gd4u.cmdline"
9⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AEA.tmp" "c:\Users\Admin\AppData\Local\Temp\fm03gd4u\CSC4FBDEC41861A47E195AB8A7CE2B7158.TMP"
10⤵
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
9⤵
PID:1396

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lmebfglt\lmebfglt.cmdline"
10⤵
PID:500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FBC.tmp" "c:\Users\Admin\AppData\Local\Temp\lmebfglt\CSC84F78D4C1314CA8A8193CF1F383296.TMP"
11⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qkfq4qoo\qkfq4qoo.cmdline"
10⤵
PID:3820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES727B.tmp" "c:\Users\Admin\AppData\Local\Temp\qkfq4qoo\CSCA954B289CCE94F9F814D3A1C234535E.TMP"
11⤵
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
10⤵
PID:692

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\usss011l\usss011l.cmdline"
11⤵
PID:3308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77FA.tmp" "c:\Users\Admin\AppData\Local\Temp\usss011l\CSCD8A9266AF0A14398902C21356E41B56E.TMP"
12⤵
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0foajdng\0foajdng.cmdline"
11⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A8A.tmp" "c:\Users\Admin\AppData\Local\Temp\0foajdng\CSC81E57E125A024C3D94792F5981381A50.TMP"
12⤵
PID:3820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
11⤵
PID:1488

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gmqgq3er\gmqgq3er.cmdline"
12⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8141.tmp" "c:\Users\Admin\AppData\Local\Temp\gmqgq3er\CSCCC7A0F70392049D3A68326237CCCD983.TMP"
13⤵
PID:3820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t2yzlgll\t2yzlgll.cmdline"
12⤵
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83F0.tmp" "c:\Users\Admin\AppData\Local\Temp\t2yzlgll\CSCA3782526B3F4471AAB18EA397D90FE95.TMP"
13⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
12⤵
PID:3800

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bxerjuob\bxerjuob.cmdline"
13⤵
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8836.tmp" "c:\Users\Admin\AppData\Local\Temp\bxerjuob\CSC262A360C77AC4EDFBE573D7A5C37224B.TMP"
14⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y5klezmm\y5klezmm.cmdline"
13⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C0E.tmp" "c:\Users\Admin\AppData\Local\Temp\y5klezmm\CSC90034E563D0F4039B56E8D23E4FA118D.TMP"
14⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
13⤵
PID:3688

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
14⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g4mtgudt\g4mtgudt.cmdline"
14⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9083.tmp" "c:\Users\Admin\AppData\Local\Temp\g4mtgudt\CSC38EC72947A1F4E008422EE4AE96CAFF7.TMP"
15⤵
PID:3652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\knt2ecqb\knt2ecqb.cmdline"
14⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92F4.tmp" "c:\Users\Admin\AppData\Local\Temp\knt2ecqb\CSC9E8702D96720438E9EABFC45F0801D.TMP"
15⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
14⤵
PID:588

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
15⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r5fhw5t0\r5fhw5t0.cmdline"
15⤵
PID:292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9814.tmp" "c:\Users\Admin\AppData\Local\Temp\r5fhw5t0\CSC639631489E384D2DBDACCA1BA1582D0.TMP"
16⤵
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0tp3vcer\0tp3vcer.cmdline"
15⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99BA.tmp" "c:\Users\Admin\AppData\Local\Temp\0tp3vcer\CSC6B1D1CB6A68C4C3BBE3E73A43308368.TMP"
16⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
15⤵
PID:4304

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
16⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:4364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ejstk5g\5ejstk5g.cmdline"
16⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CD7.tmp" "c:\Users\Admin\AppData\Local\Temp\5ejstk5g\CSC41FC75E0DD8B4163A294B7BCEAFC828.TMP"
17⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t0deqa1a\t0deqa1a.cmdline"
16⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EFA.tmp" "c:\Users\Admin\AppData\Local\Temp\t0deqa1a\CSC8E160F5699264A1C8AC23FCEE6C7FE90.TMP"
17⤵
PID:4552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
16⤵
PID:4648

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
17⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:4724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1yeyo0t\q1yeyo0t.cmdline"
17⤵
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA294.tmp" "c:\Users\Admin\AppData\Local\Temp\q1yeyo0t\CSC9E999C16AC1F4B879B4450E35A131D.TMP"
18⤵
PID:4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rtne5tza\rtne5tza.cmdline"
17⤵
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA60E.tmp" "c:\Users\Admin\AppData\Local\Temp\rtne5tza\CSC9896934C766145258883CC2ED6479FEE.TMP"
18⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
17⤵
PID:5032

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
18⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ttvlpghn\ttvlpghn.cmdline"
18⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB2F.tmp" "c:\Users\Admin\AppData\Local\Temp\ttvlpghn\CSC86098EDACB3C4097A5DDF418E9296F4.TMP"
19⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ktak1mrs\ktak1mrs.cmdline"
18⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADB0.tmp" "c:\Users\Admin\AppData\Local\Temp\ktak1mrs\CSC180C60548844462FA24FC6DDC014C344.TMP"
19⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
18⤵
PID:500

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
19⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
18⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:4416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eoik4hms\eoik4hms.cmdline"
19⤵
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0EC.tmp" "c:\Users\Admin\AppData\Local\Temp\eoik4hms\CSC1EFA0C58268B43B0A94350B5A05C2E1.TMP"
20⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlind21a\xlind21a.cmdline"
19⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3BA.tmp" "c:\Users\Admin\AppData\Local\Temp\xlind21a\CSC2378551789B84B4395667A91A1757.TMP"
20⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
19⤵
PID:4836

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
20⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
19⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afvlz20e\afvlz20e.cmdline"
20⤵
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB81F.tmp" "c:\Users\Admin\AppData\Local\Temp\afvlz20e\CSC57E49828AB334C2E98F33880B2BE558.TMP"
21⤵
PID:4864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1oynp5sl\1oynp5sl.cmdline"
20⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9C5.tmp" "c:\Users\Admin\AppData\Local\Temp\1oynp5sl\CSC5ACEDCBEB034D6E847FD960EBF3B845.TMP"
21⤵
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
20⤵
PID:4216

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
21⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
20⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wmbjhh1a\wmbjhh1a.cmdline"
21⤵
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDAD.tmp" "c:\Users\Admin\AppData\Local\Temp\wmbjhh1a\CSC12F3E9BA390B4F5C9A6F875423AC9891.TMP"
22⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eawza1le\eawza1le.cmdline"
21⤵
PID:4208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC166.tmp" "c:\Users\Admin\AppData\Local\Temp\eawza1le\CSCAA1CD76A07F40ADB0F13B8FD9F37F74.TMP"
22⤵
PID:4368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
21⤵
PID:4552

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
22⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
21⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kmvypqat\kmvypqat.cmdline"
22⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC56E.tmp" "c:\Users\Admin\AppData\Local\Temp\kmvypqat\CSCDAB64EB7A5A34CD587E52EDE24ED09C.TMP"
23⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gyew1sbr\gyew1sbr.cmdline"
22⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC83C.tmp" "c:\Users\Admin\AppData\Local\Temp\gyew1sbr\CSCC741248BAF4446B2A9134AA2D3AFECCC.TMP"
23⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
22⤵
PID:4792

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
23⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
22⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oiqgretd\oiqgretd.cmdline"
23⤵
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB3A.tmp" "c:\Users\Admin\AppData\Local\Temp\oiqgretd\CSC5390CD29F3124965A7DAF1EBF435EEB5.TMP"
24⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n5zii0xn\n5zii0xn.cmdline"
23⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE18.tmp" "c:\Users\Admin\AppData\Local\Temp\n5zii0xn\CSCDB85D149AB134A41944BA4D690429FA4.TMP"
24⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
23⤵
PID:4932

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
24⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
23⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a4t2oc2p\a4t2oc2p.cmdline"
24⤵
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD174.tmp" "c:\Users\Admin\AppData\Local\Temp\a4t2oc2p\CSC2B976DD7E93444CA8BFEF53C712BC17D.TMP"
25⤵
PID:5020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\my23izrs\my23izrs.cmdline"
24⤵
PID:4772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3C6.tmp" "c:\Users\Admin\AppData\Local\Temp\my23izrs\CSC11F80F27883A4B4AA165AC8AAD8D7E43.TMP"
25⤵
PID:4112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
24⤵
PID:500

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
25⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
24⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5kqafaz4\5kqafaz4.cmdline"
25⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7AE.tmp" "c:\Users\Admin\AppData\Local\Temp\5kqafaz4\CSC6278C07D9D0E43F7B517F4C1E6B0B3FF.TMP"
26⤵
PID:4548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vatuy0v2\vatuy0v2.cmdline"
25⤵
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD992.tmp" "c:\Users\Admin\AppData\Local\Temp\vatuy0v2\CSC5AD0C0C2907A4D9A94753C9EC6A85682.TMP"
26⤵
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
25⤵
PID:1196

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
26⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
25⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5dr4f1ai\5dr4f1ai.cmdline"
26⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE07.tmp" "c:\Users\Admin\AppData\Local\Temp\5dr4f1ai\CSC92A7609ACBCC4BAE8835C13942A184F5.TMP"
27⤵
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwmvvdit\hwmvvdit.cmdline"
26⤵
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF6E.tmp" "c:\Users\Admin\AppData\Local\Temp\hwmvvdit\CSCED801787A23459DA69FC7487EFD3A18.TMP"
27⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
26⤵
PID:2720

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
27⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
26⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:4640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ofc3o1sv\ofc3o1sv.cmdline"
27⤵
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2F8.tmp" "c:\Users\Admin\AppData\Local\Temp\ofc3o1sv\CSC9A592D6735D04E43BE8C93E29FBA63FC.TMP"
28⤵
PID:4836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5op2me3\l5op2me3.cmdline"
27⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4CD.tmp" "c:\Users\Admin\AppData\Local\Temp\l5op2me3\CSCC3580EF2F6304D90A15F44FB3CFA6D4.TMP"
28⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
27⤵
PID:5112

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
28⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
27⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bu0yyp21\bu0yyp21.cmdline"
28⤵
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE838.tmp" "c:\Users\Admin\AppData\Local\Temp\bu0yyp21\CSCFBE23B1B35A64353A26B8091A6492CA2.TMP"
29⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0103lhzk\0103lhzk.cmdline"
28⤵
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA99.tmp" "c:\Users\Admin\AppData\Local\Temp\0103lhzk\CSC9E58811A5AFC455CB645AE2E5367762.TMP"
29⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
28⤵
PID:4828

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
29⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
28⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pnctnvje\pnctnvje.cmdline"
29⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE33.tmp" "c:\Users\Admin\AppData\Local\Temp\pnctnvje\CSCAC519046509C43CCB0FE3AAF39977E14.TMP"
30⤵
PID:504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jygncxi5\jygncxi5.cmdline"
29⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF018.tmp" "c:\Users\Admin\AppData\Local\Temp\jygncxi5\CSCC48E6D1898144186B68D90DAF8436AD7.TMP"
30⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
29⤵
PID:4968

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
30⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
29⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k2q00mxt\k2q00mxt.cmdline"
30⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF46D.tmp" "c:\Users\Admin\AppData\Local\Temp\k2q00mxt\CSC2EBA65EC863549478C66A235EA69C483.TMP"
31⤵
PID:4360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q0fvq1yf\q0fvq1yf.cmdline"
30⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF69F.tmp" "c:\Users\Admin\AppData\Local\Temp\q0fvq1yf\CSC7057CAC625464F33A0F3FEF732C5BD16.TMP"
31⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
30⤵
PID:1884

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
31⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
30⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ayjs02te\ayjs02te.cmdline"
31⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBA1.tmp" "c:\Users\Admin\AppData\Local\Temp\ayjs02te\CSCEE8574B25BDF45ECADE0B16FC3162D52.TMP"
32⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\to2cippy\to2cippy.cmdline"
31⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE02.tmp" "c:\Users\Admin\AppData\Local\Temp\to2cippy\CSCF219248842CB4E87B7F6985D6CEAB161.TMP"
32⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
31⤵
PID:4552

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
32⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
31⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:4860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0tclx301\0tclx301.cmdline"
32⤵
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FA.tmp" "c:\Users\Admin\AppData\Local\Temp\0tclx301\CSC305CC4AF8A274DA483BF4AB720597B.TMP"
33⤵
PID:5144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evpjbz4x\evpjbz4x.cmdline"
32⤵
PID:5172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FD.tmp" "c:\Users\Admin\AppData\Local\Temp\evpjbz4x\CSCA21E99FB36C745A69D109953F1EC09E.TMP"
33⤵
PID:5224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:5252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
32⤵
PID:5320

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
33⤵
PID:5372

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
32⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:5384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5rleozgg\5rleozgg.cmdline"
33⤵
PID:5428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A7.tmp" "c:\Users\Admin\AppData\Local\Temp\5rleozgg\CSC391C44C3F61943A69353FCF2780F95D.TMP"
34⤵
PID:5480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tyrmntin\tyrmntin.cmdline"
33⤵
PID:5508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA08.tmp" "c:\Users\Admin\AppData\Local\Temp\tyrmntin\CSC94A344F182B14E2CA2AB4475911E57A4.TMP"
34⤵
PID:5560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:5588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
33⤵
PID:5644

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
34⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
33⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:5728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ac3a0cbv\ac3a0cbv.cmdline"
34⤵
PID:5764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF48.tmp" "c:\Users\Admin\AppData\Local\Temp\ac3a0cbv\CSCABC31D3FC10439595E4706F344BF34A.TMP"
35⤵
PID:5816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\svolflpd\svolflpd.cmdline"
34⤵
PID:5844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES114C.tmp" "c:\Users\Admin\AppData\Local\Temp\svolflpd\CSCFDEB14F2D1FA4955A8D647A5B22C4B86.TMP"
35⤵
PID:5896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:5924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
34⤵
PID:5980

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
35⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
34⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:6064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oqk14uin\oqk14uin.cmdline"
35⤵
PID:6100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1514.tmp" "c:\Users\Admin\AppData\Local\Temp\oqk14uin\CSCED8D77146F9041DBBE3BAD5C8E66F43A.TMP"
36⤵
PID:5124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r5dk42ly\r5dk42ly.cmdline"
35⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1756.tmp" "c:\Users\Admin\AppData\Local\Temp\r5dk42ly\CSC77E737F6820F4DB685A5B41B33D91654.TMP"
36⤵
PID:5224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:5192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:5180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
35⤵
PID:3100

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
36⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
35⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:5500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\33tozxb1\33tozxb1.cmdline"
36⤵
PID:5428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C19.tmp" "c:\Users\Admin\AppData\Local\Temp\33tozxb1\CSCAB2B36054F004B239F7AB4B0FBA490C6.TMP"
37⤵
PID:5508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s3vbeuxv\s3vbeuxv.cmdline"
36⤵
PID:5596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DCF.tmp" "c:\Users\Admin\AppData\Local\Temp\s3vbeuxv\CSCB7E6F0BB2D87438EB6382FF5F0D7E5AB.TMP"
37⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
36⤵
PID:5812

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
37⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
36⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:5908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0cb4zhdf\0cb4zhdf.cmdline"
37⤵
PID:5880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2291.tmp" "c:\Users\Admin\AppData\Local\Temp\0cb4zhdf\CSC172EFFD3485D4CA1AD8ECE29F877CBBC.TMP"
38⤵
PID:5372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irtcejsa\irtcejsa.cmdline"
37⤵
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23F9.tmp" "c:\Users\Admin\AppData\Local\Temp\irtcejsa\CSC85E9B2E91BF0482A83AC65A926B9139E.TMP"
38⤵
PID:5336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:6052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
37⤵
PID:6120

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
38⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
37⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:4948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ncfp21y2\ncfp21y2.cmdline"
38⤵
PID:5704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27D1.tmp" "c:\Users\Admin\AppData\Local\Temp\ncfp21y2\CSC5A60669E7BB4CC0BAECDB721BB5623.TMP"
39⤵
PID:5636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4lqkcnog\4lqkcnog.cmdline"
38⤵
PID:5644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29A6.tmp" "c:\Users\Admin\AppData\Local\Temp\4lqkcnog\CSCE8A137D30724866A01CA722A1BD5FEA.TMP"
39⤵
PID:5528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:5448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
38⤵
PID:1948

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
39⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
38⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:5596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qehms45f\qehms45f.cmdline"
39⤵
PID:5740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F53.tmp" "c:\Users\Admin\AppData\Local\Temp\qehms45f\CSCE9B020107D6543B58A3D1EBF2329BB9.TMP"
40⤵
PID:6012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwojsk1o\jwojsk1o.cmdline"
39⤵
PID:6008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30AB.tmp" "c:\Users\Admin\AppData\Local\Temp\jwojsk1o\CSC455388516D5844F1825B13FDFEB520C7.TMP"
40⤵
PID:5372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
39⤵
PID:4424

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
40⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
39⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:6068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ru0r3bod\ru0r3bod.cmdline"
40⤵
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3445.tmp" "c:\Users\Admin\AppData\Local\Temp\ru0r3bod\CSCEBC176208F5D45CD9C6EBE5A1B3DD074.TMP"
41⤵
PID:5368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sivrmjaf\sivrmjaf.cmdline"
40⤵
PID:5648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3619.tmp" "c:\Users\Admin\AppData\Local\Temp\sivrmjaf\CSC2B325BCCAE90426B927458ADADE9AB20.TMP"
41⤵
PID:5604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
40⤵
PID:5652

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
41⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
40⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\npdmk0ir\npdmk0ir.cmdline"
41⤵
PID:4484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A30.tmp" "c:\Users\Admin\AppData\Local\Temp\npdmk0ir\CSCB71F13B8ABDA4ABDA7D39E98A7C9B460.TMP"
42⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ub0uq1vk\ub0uq1vk.cmdline"
41⤵
PID:4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D4D.tmp" "c:\Users\Admin\AppData\Local\Temp\ub0uq1vk\CSCC17E4D5AE9904E44A8BDB9E6FA6771F.TMP"
42⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
41⤵
PID:1904

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
42⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
41⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kcxhwffx\kcxhwffx.cmdline"
42⤵
PID:4264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40B8.tmp" "c:\Users\Admin\AppData\Local\Temp\kcxhwffx\CSC82D352AF943F4F0DBF83CC2C4A4C3B29.TMP"
43⤵
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t01wupqc\t01wupqc.cmdline"
42⤵
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES424E.tmp" "c:\Users\Admin\AppData\Local\Temp\t01wupqc\CSC5D2EE53E1DFC4EF6AC6F1158223FF8A1.TMP"
43⤵
PID:4348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
42⤵
PID:4720

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
43⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe"
42⤵
- Executes dropped EXE
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uofks2it\uofks2it.cmdline"
43⤵
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0103lhzk\0103lhzk.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cb4zhdf\0cb4zhdf.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\0foajdng\0foajdng.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tclx301\0tclx301.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tp3vcer\0tp3vcer.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\1oynp5sl\1oynp5sl.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2o0citif\2o0citif.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\33tozxb1\33tozxb1.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bkbkj5i\3bkbkj5i.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\4lqkcnog\4lqkcnog.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qtkhdvp\4qtkhdvp.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dr4f1ai\5dr4f1ai.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ejstk5g\5ejstk5g.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\5kqafaz4\5kqafaz4.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\5rleozgg\5rleozgg.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fiGhquPuiorlfEXBma5.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES114C.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1514.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1756.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C19.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DCF.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1FA.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2291.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES23F9.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES27D1.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29A6.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2F53.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES30AB.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3445.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3619.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A16.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A30.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3BDB.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D4D.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3FD.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES40B8.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES424E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES432E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES460C.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A62.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DDC.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5399.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES58BA.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5C82.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES607A.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6675.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6AEA.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6FBC.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES727B.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES77FA.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A7.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A8A.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8141.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES83F0.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8836.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C0E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9083.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES92F4.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9814.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99BA.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9CD7.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9EFA.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA08.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA26A.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA294.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA60E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA894.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAB2F.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADB0.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB0EC.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3BA.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB81F.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB9C5.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBDAD.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC166.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC56E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC83C.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB3A.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCE18.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD174.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3C6.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD7AE.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD992.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE07.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDF6E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE2F8.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE4CD.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE838.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA99.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEE33.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF018.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF46D.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF48.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF69F.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFBA1.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE02.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4t2oc2p\a4t2oc2p.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac3a0cbv\ac3a0cbv.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\afvlz20e\afvlz20e.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayjs02te\ayjs02te.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\bu0yyp21\bu0yyp21.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxerjuob\bxerjuob.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\eawza1le\eawza1le.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoik4hms\eoik4hms.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\evpjbz4x\evpjbz4x.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffcfnb5m\ffcfnb5m.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\fm03gd4u\fm03gd4u.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\g4mtgudt\g4mtgudt.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmqgq3er\gmqgq3er.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyew1sbr\gyew1sbr.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwmvvdit\hwmvvdit.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\irtcejsa\irtcejsa.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwojsk1o\jwojsk1o.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\jygncxi5\jygncxi5.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2q00mxt\k2q00mxt.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcxhwffx\kcxhwffx.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmvypqat\kmvypqat.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\knt2ecqb\knt2ecqb.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktak1mrs\ktak1mrs.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\l5op2me3\l5op2me3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\lipef121\lipef121.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkwya103\lkwya103.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmebfglt\lmebfglt.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\my23izrs\my23izrs.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5zii0xn\n5zii0xn.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncfp21y2\ncfp21y2.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\npdmk0ir\npdmk0ir.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\nv2uq33n\nv2uq33n.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofc3o1sv\ofc3o1sv.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiqgretd\oiqgretd.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqk14uin\oqk14uin.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnctnvje\pnctnvje.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0fvq1yf\q0fvq1yf.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1yeyo0t\q1yeyo0t.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\qehms45f\qehms45f.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkfq4qoo\qkfq4qoo.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\qujblpwl\qujblpwl.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5dk42ly\r5dk42ly.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5fhw5t0\r5fhw5t0.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\rk4uboiu\rk4uboiu.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtne5tza\rtne5tza.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\ru0r3bod\ru0r3bod.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3vbeuxv\s3vbeuxv.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\sivrmjaf\sivrmjaf.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\svolflpd\svolflpd.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\t01wupqc\t01wupqc.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\t0deqa1a\t0deqa1a.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\t2yzlgll\t2yzlgll.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\to2cippy\to2cippy.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttvlpghn\ttvlpghn.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyrmntin\tyrmntin.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\ub0uq1vk\ub0uq1vk.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\uilatwta\uilatwta.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\usss011l\usss011l.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\vatuy0v2\vatuy0v2.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwnfu0qo\vwnfu0qo.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\weua14z4\weua14z4.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmbjhh1a\wmbjhh1a.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlind21a\xlind21a.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\y5klezmm\y5klezmm.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqtmj01k\zqtmj01k.dll

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0103lhzk\0103lhzk.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0103lhzk\0103lhzk.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0103lhzk\CSC9E58811A5AFC455CB645AE2E5367762.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0cb4zhdf\0cb4zhdf.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0cb4zhdf\0cb4zhdf.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0cb4zhdf\CSC172EFFD3485D4CA1AD8ECE29F877CBBC.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0foajdng\0foajdng.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0foajdng\0foajdng.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0foajdng\CSC81E57E125A024C3D94792F5981381A50.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0tclx301\0tclx301.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0tclx301\0tclx301.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0tclx301\CSC305CC4AF8A274DA483BF4AB720597B.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0tp3vcer\0tp3vcer.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0tp3vcer\0tp3vcer.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0tp3vcer\CSC6B1D1CB6A68C4C3BBE3E73A43308368.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1oynp5sl\1oynp5sl.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1oynp5sl\1oynp5sl.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1oynp5sl\CSC5ACEDCBEB034D6E847FD960EBF3B845.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2o0citif\2o0citif.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2o0citif\2o0citif.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2o0citif\CSC8CAB8B5CA2294333A34F1F39B2A7249.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\33tozxb1\33tozxb1.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\33tozxb1\33tozxb1.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\33tozxb1\CSCAB2B36054F004B239F7AB4B0FBA490C6.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3bkbkj5i\3bkbkj5i.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3bkbkj5i\3bkbkj5i.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3bkbkj5i\CSC90CF6F08EB944664B22266596496A8FB.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lqkcnog\4lqkcnog.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lqkcnog\4lqkcnog.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lqkcnog\CSCE8A137D30724866A01CA722A1BD5FEA.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qtkhdvp\4qtkhdvp.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qtkhdvp\4qtkhdvp.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qtkhdvp\CSCEB45C0AACB63499E8B6E25657DE63A3C.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5dr4f1ai\5dr4f1ai.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5dr4f1ai\5dr4f1ai.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5dr4f1ai\CSC92A7609ACBCC4BAE8835C13942A184F5.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ejstk5g\5ejstk5g.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ejstk5g\5ejstk5g.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ejstk5g\CSC41FC75E0DD8B4163A294B7BCEAFC828.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5kqafaz4\5kqafaz4.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5kqafaz4\5kqafaz4.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5kqafaz4\CSC6278C07D9D0E43F7B517F4C1E6B0B3FF.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5rleozgg\5rleozgg.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5rleozgg\5rleozgg.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5rleozgg\CSC391C44C3F61943A69353FCF2780F95D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a4t2oc2p\CSC2B976DD7E93444CA8BFEF53C712BC17D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a4t2oc2p\a4t2oc2p.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a4t2oc2p\a4t2oc2p.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ac3a0cbv\CSCABC31D3FC10439595E4706F344BF34A.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ac3a0cbv\ac3a0cbv.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ac3a0cbv\ac3a0cbv.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\afvlz20e\CSC57E49828AB334C2E98F33880B2BE558.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\afvlz20e\afvlz20e.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\afvlz20e\afvlz20e.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ayjs02te\CSCEE8574B25BDF45ECADE0B16FC3162D52.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ayjs02te\ayjs02te.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ayjs02te\ayjs02te.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bu0yyp21\CSCFBE23B1B35A64353A26B8091A6492CA2.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bu0yyp21\bu0yyp21.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bu0yyp21\bu0yyp21.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxerjuob\CSC262A360C77AC4EDFBE573D7A5C37224B.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxerjuob\bxerjuob.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxerjuob\bxerjuob.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eawza1le\CSCAA1CD76A07F40ADB0F13B8FD9F37F74.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eawza1le\eawza1le.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eawza1le\eawza1le.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eoik4hms\CSC1EFA0C58268B43B0A94350B5A05C2E1.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eoik4hms\eoik4hms.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eoik4hms\eoik4hms.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evpjbz4x\CSCA21E99FB36C745A69D109953F1EC09E.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evpjbz4x\evpjbz4x.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evpjbz4x\evpjbz4x.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ffcfnb5m\CSCFE0BB134F4D447448CBFC01999DE73E.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ffcfnb5m\ffcfnb5m.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ffcfnb5m\ffcfnb5m.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fm03gd4u\CSC4FBDEC41861A47E195AB8A7CE2B7158.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fm03gd4u\fm03gd4u.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fm03gd4u\fm03gd4u.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g4mtgudt\CSC38EC72947A1F4E008422EE4AE96CAFF7.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g4mtgudt\g4mtgudt.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g4mtgudt\g4mtgudt.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gmqgq3er\CSCCC7A0F70392049D3A68326237CCCD983.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gmqgq3er\gmqgq3er.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gmqgq3er\gmqgq3er.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gyew1sbr\CSCC741248BAF4446B2A9134AA2D3AFECCC.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gyew1sbr\gyew1sbr.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gyew1sbr\gyew1sbr.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwmvvdit\CSCED801787A23459DA69FC7487EFD3A18.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwmvvdit\hwmvvdit.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwmvvdit\hwmvvdit.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\irtcejsa\CSC85E9B2E91BF0482A83AC65A926B9139E.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\irtcejsa\irtcejsa.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\irtcejsa\irtcejsa.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwojsk1o\CSC455388516D5844F1825B13FDFEB520C7.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwojsk1o\jwojsk1o.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwojsk1o\jwojsk1o.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jygncxi5\CSCC48E6D1898144186B68D90DAF8436AD7.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jygncxi5\jygncxi5.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jygncxi5\jygncxi5.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k2q00mxt\CSC2EBA65EC863549478C66A235EA69C483.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k2q00mxt\k2q00mxt.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k2q00mxt\k2q00mxt.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcxhwffx\CSC82D352AF943F4F0DBF83CC2C4A4C3B29.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcxhwffx\kcxhwffx.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcxhwffx\kcxhwffx.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kmvypqat\CSCDAB64EB7A5A34CD587E52EDE24ED09C.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kmvypqat\kmvypqat.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kmvypqat\kmvypqat.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\knt2ecqb\CSC9E8702D96720438E9EABFC45F0801D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\knt2ecqb\knt2ecqb.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\knt2ecqb\knt2ecqb.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ktak1mrs\CSC180C60548844462FA24FC6DDC014C344.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ktak1mrs\ktak1mrs.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ktak1mrs\ktak1mrs.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5op2me3\CSCC3580EF2F6304D90A15F44FB3CFA6D4.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5op2me3\l5op2me3.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5op2me3\l5op2me3.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lipef121\CSCBDCD0EBAE5D54D7E88E286B053614.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lipef121\lipef121.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lipef121\lipef121.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkwya103\CSCE44123F55D0B459C99E5FF0467A39B9.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkwya103\lkwya103.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkwya103\lkwya103.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lmebfglt\CSC84F78D4C1314CA8A8193CF1F383296.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lmebfglt\lmebfglt.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lmebfglt\lmebfglt.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\my23izrs\CSC11F80F27883A4B4AA165AC8AAD8D7E43.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\my23izrs\my23izrs.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\my23izrs\my23izrs.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n5zii0xn\CSCDB85D149AB134A41944BA4D690429FA4.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n5zii0xn\n5zii0xn.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n5zii0xn\n5zii0xn.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ncfp21y2\CSC5A60669E7BB4CC0BAECDB721BB5623.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ncfp21y2\ncfp21y2.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ncfp21y2\ncfp21y2.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\npdmk0ir\CSCB71F13B8ABDA4ABDA7D39E98A7C9B460.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\npdmk0ir\npdmk0ir.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\npdmk0ir\npdmk0ir.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nv2uq33n\CSCEF7B9345C3C646708755E195F88353FE.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nv2uq33n\nv2uq33n.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nv2uq33n\nv2uq33n.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ofc3o1sv\CSC9A592D6735D04E43BE8C93E29FBA63FC.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ofc3o1sv\ofc3o1sv.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ofc3o1sv\ofc3o1sv.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oiqgretd\CSC5390CD29F3124965A7DAF1EBF435EEB5.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oiqgretd\oiqgretd.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oiqgretd\oiqgretd.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqk14uin\CSCED8D77146F9041DBBE3BAD5C8E66F43A.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqk14uin\oqk14uin.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqk14uin\oqk14uin.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pnctnvje\CSCAC519046509C43CCB0FE3AAF39977E14.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pnctnvje\pnctnvje.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pnctnvje\pnctnvje.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q0fvq1yf\CSC7057CAC625464F33A0F3FEF732C5BD16.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q0fvq1yf\q0fvq1yf.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q0fvq1yf\q0fvq1yf.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1yeyo0t\CSC9E999C16AC1F4B879B4450E35A131D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1yeyo0t\q1yeyo0t.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1yeyo0t\q1yeyo0t.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qehms45f\CSCE9B020107D6543B58A3D1EBF2329BB9.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qehms45f\qehms45f.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qehms45f\qehms45f.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qkfq4qoo\CSCA954B289CCE94F9F814D3A1C234535E.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qkfq4qoo\qkfq4qoo.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qkfq4qoo\qkfq4qoo.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qujblpwl\CSCE26D05FF14B64AF1B94B452C5A36C8B.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qujblpwl\qujblpwl.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qujblpwl\qujblpwl.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r5dk42ly\CSC77E737F6820F4DB685A5B41B33D91654.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r5dk42ly\r5dk42ly.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r5dk42ly\r5dk42ly.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r5fhw5t0\CSC639631489E384D2DBDACCA1BA1582D0.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r5fhw5t0\r5fhw5t0.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r5fhw5t0\r5fhw5t0.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rk4uboiu\CSC995D83001A6B42A2AFCBB49A5E9139C5.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rk4uboiu\rk4uboiu.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rk4uboiu\rk4uboiu.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rtne5tza\CSC9896934C766145258883CC2ED6479FEE.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rtne5tza\rtne5tza.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rtne5tza\rtne5tza.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ru0r3bod\CSCEBC176208F5D45CD9C6EBE5A1B3DD074.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ru0r3bod\ru0r3bod.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ru0r3bod\ru0r3bod.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s3vbeuxv\CSCB7E6F0BB2D87438EB6382FF5F0D7E5AB.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s3vbeuxv\s3vbeuxv.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s3vbeuxv\s3vbeuxv.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sivrmjaf\CSC2B325BCCAE90426B927458ADADE9AB20.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sivrmjaf\sivrmjaf.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sivrmjaf\sivrmjaf.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\svolflpd\CSCFDEB14F2D1FA4955A8D647A5B22C4B86.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\svolflpd\svolflpd.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\svolflpd\svolflpd.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t01wupqc\CSC5D2EE53E1DFC4EF6AC6F1158223FF8A1.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t01wupqc\t01wupqc.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t01wupqc\t01wupqc.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t0deqa1a\CSC8E160F5699264A1C8AC23FCEE6C7FE90.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t0deqa1a\t0deqa1a.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t0deqa1a\t0deqa1a.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t2yzlgll\CSCA3782526B3F4471AAB18EA397D90FE95.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t2yzlgll\t2yzlgll.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t2yzlgll\t2yzlgll.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to2cippy\CSCF219248842CB4E87B7F6985D6CEAB161.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to2cippy\to2cippy.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to2cippy\to2cippy.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttvlpghn\CSC86098EDACB3C4097A5DDF418E9296F4.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttvlpghn\ttvlpghn.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttvlpghn\ttvlpghn.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tyrmntin\CSC94A344F182B14E2CA2AB4475911E57A4.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tyrmntin\tyrmntin.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tyrmntin\tyrmntin.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ub0uq1vk\CSCC17E4D5AE9904E44A8BDB9E6FA6771F.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ub0uq1vk\ub0uq1vk.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ub0uq1vk\ub0uq1vk.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uilatwta\CSC30C81DED51164E9888AE59852FCD2D31.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uilatwta\uilatwta.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uilatwta\uilatwta.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\usss011l\CSCD8A9266AF0A14398902C21356E41B56E.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\usss011l\usss011l.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\usss011l\usss011l.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vatuy0v2\CSC5AD0C0C2907A4D9A94753C9EC6A85682.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vatuy0v2\vatuy0v2.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vatuy0v2\vatuy0v2.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwnfu0qo\CSC2B25168DC41C4C37926B6CEDD58E5A9.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwnfu0qo\vwnfu0qo.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwnfu0qo\vwnfu0qo.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\weua14z4\CSCFFA6D123BA4C426089BBF4494598349.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\weua14z4\weua14z4.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\weua14z4\weua14z4.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wmbjhh1a\CSC12F3E9BA390B4F5C9A6F875423AC9891.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wmbjhh1a\wmbjhh1a.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wmbjhh1a\wmbjhh1a.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlind21a\CSC2378551789B84B4395667A91A1757.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlind21a\xlind21a.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlind21a\xlind21a.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y5klezmm\CSC90034E563D0F4039B56E8D23E4FA118D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y5klezmm\y5klezmm.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y5klezmm\y5klezmm.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqtmj01k\CSCCBA87CC178944BD9B549336233559EA.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqtmj01k\zqtmj01k.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqtmj01k\zqtmj01k.cmdline

Download Submit
memory/416-37-0x0000000005080000-0x00000000050CC000-memory.dmp

Filesize
304KB

Download
memory/3164-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download