ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc

Analysis

max time kernel
80s
max time network
85s
platform
windows10_x64
resource
win10v20210408
submitted
13-05-2021 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
Size

591KB
MD5

b55b30a4f9acf069604c4711b44295df
SHA1

7265416ac9429f14b6c2b6bb629dd5b326bfb5dc
SHA256

ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc
SHA512

9d92f6723f6938322b0cb59f549516668aceba1968be4a4e10ed52918432b27d37d92b993d5218570824b578204bbdd2380fead3d5328cc6f0c37097e561a6c0

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 1 IoCs

Processes:

ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe

Drops file in Windows directory 47 IoCs

Processes:

ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.exe

description	pid	process	target process
PID 900 wrote to memory of 200	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 200	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 200 wrote to memory of 1868	200	csc.exe	cvtres.exe
PID 200 wrote to memory of 1868	200	csc.exe	cvtres.exe
PID 900 wrote to memory of 3796	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 3796	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 3796 wrote to memory of 1356	3796	csc.exe	cvtres.exe
PID 3796 wrote to memory of 1356	3796	csc.exe	cvtres.exe
PID 900 wrote to memory of 2080	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 2080	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 2080 wrote to memory of 2880	2080	csc.exe	cvtres.exe
PID 2080 wrote to memory of 2880	2080	csc.exe	cvtres.exe
PID 900 wrote to memory of 3948	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 3948	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 3948 wrote to memory of 1824	3948	csc.exe	cvtres.exe
PID 3948 wrote to memory of 1824	3948	csc.exe	cvtres.exe
PID 900 wrote to memory of 4020	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 4020	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 4020 wrote to memory of 2448	4020	csc.exe	cvtres.exe
PID 4020 wrote to memory of 2448	4020	csc.exe	cvtres.exe
PID 900 wrote to memory of 904	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 904	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 904 wrote to memory of 2804	904	csc.exe	cvtres.exe
PID 904 wrote to memory of 2804	904	csc.exe	cvtres.exe
PID 900 wrote to memory of 2420	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 2420	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 2420 wrote to memory of 2176	2420	csc.exe	cvtres.exe
PID 2420 wrote to memory of 2176	2420	csc.exe	cvtres.exe
PID 900 wrote to memory of 768	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 768	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 768 wrote to memory of 3508	768	csc.exe	cvtres.exe
PID 768 wrote to memory of 3508	768	csc.exe	cvtres.exe
PID 900 wrote to memory of 1648	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 1648	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 1648 wrote to memory of 2128	1648	csc.exe	cvtres.exe
PID 1648 wrote to memory of 2128	1648	csc.exe	cvtres.exe
PID 900 wrote to memory of 2796	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 2796	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 2796 wrote to memory of 2080	2796	csc.exe	cvtres.exe
PID 2796 wrote to memory of 2080	2796	csc.exe	cvtres.exe
PID 900 wrote to memory of 3464	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 3464	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 3464 wrote to memory of 4088	3464	csc.exe	cvtres.exe
PID 3464 wrote to memory of 4088	3464	csc.exe	cvtres.exe
PID 900 wrote to memory of 2956	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 2956	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 2956 wrote to memory of 908	2956	csc.exe	cvtres.exe
PID 2956 wrote to memory of 908	2956	csc.exe	cvtres.exe
PID 900 wrote to memory of 492	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 492	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 492 wrote to memory of 1116	492	csc.exe	cvtres.exe
PID 492 wrote to memory of 1116	492	csc.exe	cvtres.exe
PID 900 wrote to memory of 1992	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 1992	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 1992 wrote to memory of 2228	1992	csc.exe	cvtres.exe
PID 1992 wrote to memory of 2228	1992	csc.exe	cvtres.exe
PID 900 wrote to memory of 1332	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 1332	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 1332 wrote to memory of 196	1332	csc.exe	cvtres.exe
PID 1332 wrote to memory of 196	1332	csc.exe	cvtres.exe
PID 900 wrote to memory of 3424	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 900 wrote to memory of 3424	900	ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe	csc.exe
PID 3424 wrote to memory of 2132	3424	csc.exe	cvtres.exe
PID 3424 wrote to memory of 2132	3424	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe
"C:\Users\Admin\AppData\Local\Temp\ca4b30667fba5b5847d0b2fe4233dd98390674dc7a1b2a597144c34551186fcc.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kqdk2eny.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD0D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBCFC.tmp"
3⤵
PID:1868

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zqbc7lke.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE07.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBE06.tmp"
3⤵
PID:1356

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7rdsrkw0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA57.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEA56.tmp"
3⤵
PID:2880

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jn8tzmzx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEB21.tmp"
3⤵
PID:1824

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ssynodi-.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECD7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCECD6.tmp"
3⤵
PID:2448

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m4mtfz63.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDD1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEDC1.tmp"
3⤵
PID:2804

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p-npbscy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFE5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEFE4.tmp"
3⤵
PID:2176

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nsats1wg.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF10E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF0FD.tmp"
3⤵
PID:3508

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ved_q3sk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF227.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF226.tmp"
3⤵
PID:2128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qolq6uuz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF39E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF39D.tmp"
3⤵
PID:2080

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skhtxiov.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26C4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC26C3.tmp"
3⤵
PID:4088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m7id_gsb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES278F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC277E.tmp"
3⤵
PID:908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a5qoehgl.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2898.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2897.tmp"
3⤵
PID:1116

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\funofqc7.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2992.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2991.tmp"
3⤵
PID:2228

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wu83tood.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2ADA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2ACA.tmp"
3⤵
PID:196

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y_qcczd7.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B77.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2B66.tmp"
3⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\te7bhwze.cmdline"
2⤵
PID:3780

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3867.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3866.tmp"
3⤵
PID:1872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbeqiakg.cmdline"
2⤵
PID:4024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3913.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3912.tmp"
3⤵
PID:2268

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvm2iejl.cmdline"
2⤵
PID:1036

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39EE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC39ED.tmp"
3⤵
PID:4048

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qzyatecw.cmdline"
2⤵
PID:4088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AA9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3AA8.tmp"
3⤵
PID:2244

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e6etf_za.cmdline"
2⤵
PID:3024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C01.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3C00.tmp"
3⤵
PID:3928

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xztq8sfg.cmdline"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C9D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3C9C.tmp"
3⤵
PID:1120

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zhza0u8k.cmdline"
2⤵
PID:3032

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D97.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3D96.tmp"
3⤵
PID:936

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_0gn8o5z.cmdline"
2⤵
PID:3804

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E34.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E23.tmp"
3⤵
PID:196

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fp3gibbb.cmdline"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F5C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3F4C.tmp"
3⤵
PID:3504

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uljdxef3.cmdline"
2⤵
PID:2920

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FF9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3FF8.tmp"
3⤵
PID:1872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a-ldfpn7.cmdline"
2⤵
PID:3972

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC40F2.tmp"
3⤵
PID:3820

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zaat_wjp.cmdline"
2⤵
PID:4024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES417F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC417E.tmp"
3⤵
PID:2184

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5svq_l5.cmdline"
2⤵
PID:3384

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES425A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4259.tmp"
3⤵
PID:4068

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m5jdkbfi.cmdline"
2⤵
PID:4088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4335.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4334.tmp"
3⤵
PID:2956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zeapcspl.cmdline"
2⤵
PID:3024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4410.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC440F.tmp"
3⤵
PID:692

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\58iywzkr.cmdline"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44BB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC44BA.tmp"
3⤵
PID:3672

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wua0qujy.cmdline"
2⤵
PID:1212

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4595.tmp"
3⤵
PID:1332

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evcb8jsr.cmdline"
2⤵
PID:684

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4642.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4641.tmp"
3⤵
PID:3028

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rbeoom-k.cmdline"
2⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES473C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC473B.tmp"
3⤵
PID:2008

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oe74rquz.cmdline"
2⤵
PID:1872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47D8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC47D7.tmp"
3⤵
PID:1472

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3incgkoc.cmdline"
2⤵
PID:3824

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48A3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC48A2.tmp"
3⤵
PID:2892

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g5krwli1.cmdline"
2⤵
PID:3908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4940.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC492F.tmp"
3⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xz9bm0tq.cmdline"
2⤵
PID:1552

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A49.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A48.tmp"
3⤵
PID:1004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gcxnupte.cmdline"
2⤵
PID:3384

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B05.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4AF4.tmp"
3⤵
PID:3464

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rnv6sejr.cmdline"
2⤵
PID:4020

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BEF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4BEE.tmp"
3⤵
PID:64

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j-1o2yub.cmdline"
2⤵
PID:3024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C9A.tmp"
3⤵
PID:3672

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\isypqget.cmdline"
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4D65.tmp"
3⤵
PID:1332

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bc5f0sga.cmdline"
2⤵
PID:200

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DD4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4DD3.tmp"
3⤵
PID:3028

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sdkgw3ke.cmdline"
2⤵
PID:3804

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EAE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4EAD.tmp"
3⤵
PID:1352

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uwz1lz1g.cmdline"
2⤵
PID:4000

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F4B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4F4A.tmp"
3⤵
PID:1336

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\204uyroh.cmdline"
2⤵
PID:1872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5016.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5015.tmp"
3⤵
PID:3972

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g6hado-v.cmdline"
2⤵
PID:3824

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50A2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC50A1.tmp"
3⤵
PID:4024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6e9zr_n0.cmdline"
2⤵
PID:3456

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES517D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC517C.tmp"
3⤵
PID:2396

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvoxpagl.cmdline"
2⤵
PID:3912

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5219.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5218.tmp"
3⤵
PID:2188

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yhw2vqcj.cmdline"
2⤵
PID:3464

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52D5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC52D4.tmp"
3⤵
PID:2284

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\10j3e8ye.cmdline"
2⤵
PID:4020

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5381.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5380.tmp"
3⤵
PID:1956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mrxgipdc.cmdline"
2⤵
PID:3024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES545B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC545A.tmp"
3⤵
PID:196

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c_elx11h.cmdline"
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54F8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC54F7.tmp"
3⤵
PID:3232

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ylu-cnw.cmdline"
2⤵
PID:1940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55E2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC55D1.tmp"
3⤵
PID:2104

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m9mjmvsb.cmdline"
2⤵
PID:3852

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES567E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC567D.tmp"
3⤵
PID:3460

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cefd22w-.cmdline"
2⤵
PID:3796

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5769.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5768.tmp"
3⤵
PID:1128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ngcrxw_7.cmdline"
2⤵
PID:1472

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57E6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC57E5.tmp"
3⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-l6ekijm.cmdline"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58C0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC58BF.tmp"
3⤵
PID:1004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oouzpjsx.cmdline"
2⤵
PID:3908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES594D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC594C.tmp"
3⤵
PID:3148

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bnidugds.cmdline"
2⤵
PID:2376

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C2B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C2A.tmp"
3⤵
PID:3712

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kkyj3pe4.cmdline"
2⤵
PID:2280

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CB8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5CB7.tmp"
3⤵
PID:192

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d5ehczl_.cmdline"
2⤵
PID:4080

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D83.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D82.tmp"
3⤵
PID:2208

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nhzy7pxr.cmdline"
2⤵
PID:1156

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E1F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5E1E.tmp"
3⤵
PID:3232

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\offtyofi.cmdline"
2⤵
PID:188

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F0A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F09.tmp"
3⤵
PID:2008

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\unsft72y.cmdline"
2⤵
PID:1144

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FA6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F95.tmp"
3⤵
PID:788

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s6g1iq5q.cmdline"
2⤵
PID:3852

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6090.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC608F.tmp"
3⤵
PID:3048

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ix5beue.cmdline"
2⤵
PID:2560

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES613C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC613B.tmp"
3⤵
PID:2080

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rrygexhb.cmdline"
2⤵
PID:2268

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61F8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC61F7.tmp"
3⤵
PID:2328

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sx4po9ro.cmdline"
2⤵
PID:3964

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62A4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6293.tmp"
3⤵
PID:1004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbs0pom8.cmdline"
2⤵
PID:3076

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES635F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC635E.tmp"
3⤵
PID:4068

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\szrtnft3.cmdline"
2⤵
PID:2260

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63FB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC63FA.tmp"
3⤵
PID:3912

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jzreycj7.cmdline"
2⤵
PID:2148

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6553.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6552.tmp"
3⤵
PID:2552

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pclvmorz.cmdline"
2⤵
PID:692

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES660F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC65FE.tmp"
3⤵
PID:580

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gbxy-zsf.cmdline"
2⤵
PID:1172

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66F9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC66F8.tmp"
3⤵
PID:4020

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xijstlwh.cmdline"
2⤵
PID:936

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6786.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6785.tmp"
3⤵
PID:196

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bxog_fmd.cmdline"
2⤵
PID:3576

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6860.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6850.tmp"
3⤵
PID:2008

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qbb3m_dp.cmdline"
2⤵
PID:1212

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC68EC.tmp"
3⤵
PID:788

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qobbv8sj.cmdline"
2⤵
PID:1648

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69C8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC69C7.tmp"
3⤵
PID:4000

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\js3wcxhs.cmdline"
2⤵
PID:3424

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A64.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6A63.tmp"
3⤵
PID:2080

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\se0s1a85.cmdline"
2⤵
PID:3796

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B2F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6B2E.tmp"
3⤵
PID:2076

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m224q__m.cmdline"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BBC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6BBB.tmp"
3⤵
PID:1004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxgamsa7.cmdline"
2⤵
PID:2396

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9C21.tmp"
3⤵
PID:4088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qhls_aig.cmdline"
2⤵
PID:1528

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CCE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9CCD.tmp"
3⤵
PID:1520

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bjfgyrnq.cmdline"
2⤵
PID:2956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DA9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9DA8.tmp"
3⤵
PID:64

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s2gctenc.cmdline"
2⤵
PID:2064

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E36.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E35.tmp"
3⤵
PID:2292

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dqztt8hl.cmdline"
2⤵
PID:604

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F01.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F00.tmp"
3⤵
PID:908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jp8wpasy.cmdline"
2⤵
PID:508

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FAD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9FAC.tmp"
3⤵
PID:3032

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2qd_9mn.cmdline"
2⤵
PID:936

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA0C5.tmp"
3⤵
PID:3832

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uw0_hysm.cmdline"
2⤵
PID:200

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA153.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA152.tmp"
3⤵
PID:3500

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u3dfmwmt.cmdline"
2⤵
PID:1496

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA21E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA21D.tmp"
3⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f6qm6otm.cmdline"
2⤵
PID:2796

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA2C9.tmp"
3⤵
PID:2080

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvjgv39s.cmdline"
2⤵
PID:1872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3B4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA3B3.tmp"
3⤵
PID:2560

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rhh87fe4.cmdline"
2⤵
PID:2892

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA441.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA440.tmp"
3⤵
PID:1004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ikpd_f4b.cmdline"
2⤵
PID:3828

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA50C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA50B.tmp"
3⤵
PID:3908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hccj3sah.cmdline"
2⤵
PID:3456

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA589.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA588.tmp"
3⤵
PID:4064

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1litoqbv.cmdline"
2⤵
PID:2244

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA644.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA643.tmp"
3⤵
PID:2260

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q5mdhgqq.cmdline"
2⤵
PID:2204

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES26C4.tmp
MD5
5c614e18694bf7182d21e451c572df7d

SHA1
00db52ad6bfe537f655454d30b64231e5338490d

SHA256
5153dca2c9fb046128259d773e3bf4375c02df7331068db764356edb15a48f33

SHA512
83db62c3334df724aaadac799ab842930bfe1a9941d7a52abfb103632323d65edd1735f5a0ceef6321a6a914ea6d12e54e9a5a34059a1e6b3b1ca2a0b5e3ecf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES278F.tmp
MD5
71b47ec6159e8d077e979f6a5ff63a56

SHA1
cb121d8f8b1763894aee4d859405164767bcb080

SHA256
1251730a5fca2869fbc222a95182394aeec0c8903389fa30b53dd33b0f0448dd

SHA512
73e30a4a98e0e11515cee7a1e64f1ca82bfaaa3352647fbf8fbc0005f068f1e31de14051f03613b9976cbb0ccbe1c4d64a34aeafb5ecf9f5a41de9c4720c46f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2898.tmp
MD5
84935c3f6235bdde2b3631b4342a4f46

SHA1
6a77cf492b21d6b20cdff61306cae100b028df0b

SHA256
18668f6415aa82f25dff551be3da492692eac2ccd49d2e3f77a4fd7e4653dfc1

SHA512
04709c34bd8b99ee489c4e7fe444fdd7ee5b20f6a46bcf88017d4e59e55b1f9ca6f7d23777f00248792a68463feb0fd197a757820c0a063e3243e0c84404eb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD0D.tmp
MD5
a5b8b7ccc25660fd8ca214f003e0a2e0

SHA1
3313ae67873e0a80fe7aff57773a50d45c3ae6be

SHA256
385eee020f6c239bc6b0f24cc807a946008a7605b53400472cfc4fe303853563

SHA512
631a4a869848ef4c787d757e1d9937eab079b8b22752823e7a122a12a7a816cde39df3c7d5fddaa06ccc6ad4969a5beefc408abef0c34f1be2e52d323a60fe82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE07.tmp
MD5
c372c9b9b42dc110c1543bd6df3a9633

SHA1
0381b029db209a3a317481f5e4e4be4afbcf5cd8

SHA256
787cfb76b34b1ea0f4404750f5442f671f7e467c8c77555d351b80b29716af9e

SHA512
eb41d5807d20c425858bd58d986a297d545f2b45af29aa1483fadf0cf8686e7248a2462c520f5159f1cc5f9e5b06a6c9808351ff8a89eb4275d4d5e6046d45c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA57.tmp
MD5
dec8421280aff3075042bae2a2e83138

SHA1
5324a45e9a008e91ec0b1114904c41f14eb000df

SHA256
aaa7693b7ceb2a770bf4036b6dadd30bb9f0eee3406d0e8c7356efda8024c02e

SHA512
5598da9b7587542eed5090808471610e3ddec73dc3fbaf2ffb10a033ebfa81d3a178893fcd36dea0bed4168cbf196162ab71836242b570cf7d7d9b2dfd619f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEB22.tmp
MD5
ffd1bfbaa03ffd32f451d83e9aad202b

SHA1
48c322a994880a3c756626aa67e3fb9736964a3d

SHA256
4fb161867e7968cd6d5c2a6d1cba18e514b18f4ec7abe378228249cef4bef8ed

SHA512
3991bb7ce1975c29f959a39842652792491e778546189323d574c5817b20cd4f754c48739735eefcc9864a12835463912820615d750ee630fcaa8f637d801d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESECD7.tmp
MD5
0a9c81b93ccdb92b9659cc40effd0e29

SHA1
37026f7381589a4f378cc1465a6b2f80d404ff84

SHA256
506640b33a855e27bfd2e52b3b8748428104e4f02aa3e1cf76b34d3e2e0e9baf

SHA512
6df3cda47dc3e3154b3bfbfbcca32183d9961fc9b20f0fb9148da455c2e5096dfdb283c0505f15d39632b044bade4ae2188037ee79e9a4484f3c736861061129

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEDD1.tmp
MD5
158d6cebb43968cd439519fc6317e919

SHA1
485ffd934bbe0804f066bc1ec40dfcef2e906353

SHA256
9c40bf204a3179dfa735a7e4e1765eab270d0708f187b65dd96a2d591f59907c

SHA512
4fb3042c38fb9abe553198064370d0cd59d128993e6f2e7c6ec0f2eff769feb4a5a1065de84154c715f6b276fa2e8b2b7234e925c0aa347ebbe60e97a9ae4c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEFE5.tmp
MD5
ff93d76f3d68cb8f1687e689afd3ca6d

SHA1
e339ebb30faaadf87e5c19f9f4d1feca2f009acc

SHA256
e20f344f234e12f76feef34190e958d2a704bf034887434ba4d3eca06aa31132

SHA512
efd0154072ee62491a27ccd7e4e444b8a3308f8a5dbf79e73ed8f259b6dd95171279b409510f4923d658fbba415cde0e63e55c8e6fcce8d1bb792635d6b747a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF10E.tmp
MD5
74b4dbc16bd85c198f04ac921d3be2c9

SHA1
48bfa91b8cf4893a5bd4027ef07e62919c462516

SHA256
919a628c427f8c657c309f4ce429573eb38a5ade8f147daf57a61307553a8748

SHA512
44ff2524252f7a79d95923743c008f0f25e24a310c492a48d9c833b409e616175b3ff91dffe939bc9112f368525d8947c03bf5f1413d8406cbddcb08d9736c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF227.tmp
MD5
35eb31c843f1f625eb40ce453233a96b

SHA1
e788b66a97453e7e1432c548ba00560a33e66661

SHA256
ffe33428e4a2c64ca1566c533b98eafc7f6e61a22282690475ed4a97e6db80ec

SHA512
348feb07b88c06615cb5c9f29668dc16ae8721b7efbabe8820cbe4f8349ce535c51d74dd4ff1a6c147c702842c03e2f351887bc9285fcb49cf2f95096093a086

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF39E.tmp
MD5
dcf457c3ec74782608778b0923593478

SHA1
3dffe2da49b045ee1e7722a7c8a3dde145f5c6b7

SHA256
fb252aaf6c09a5151e7425d71fb2bcb1a3e7f7bdc96771f3cf458e1c79b3acd1

SHA512
992cd2f41112dd5ebaa9741093134a273f16612a1e8d1325640b8911bb7642467267e88ee59de204601a0fdea3508359c55ac508c7c3e7daeb009e26082e2013

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1072y.exe
MD5
3109974b7cdd9822d0d684c3ed62bb1f

SHA1
b24239fd89c2c34d7dcce9bc1ae2e55829563d89

SHA256
70c3236506bdf317ae2285e1f1468805d5b2ede693edd0be57c3f112f062db2b

SHA512
25a976fd6a20c7725fe9fc615ec93cc145dcec0acb981761fbc7a47892efa29872d8188f1ee253051f44cc72174a480c7b046b8c93ca655b8c2b1b1ff45cedf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1072y.exe
MD5
d4ea70789704f0c43ba169efc6978887

SHA1
0b51e198b367dedf02053bf3641ec6ab55071011

SHA256
3af13097eaec23aaecca7641076bf6ef5b467d7ba93cb794beb4d5b14a66e928

SHA512
35355e9f3bdedfb632da64f15e84db2ebfce0bea05c83d68db21267924edd57ec8e7f48dc474c15971f29110f1a0ee790f22eb4f63cc199176db44426f00826d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1177y.exe
MD5
89fd74110e20b9b48bc8e4baa496c910

SHA1
a8b4dce5166af098e00f5f33bed20af2c3a5ac05

SHA256
07c01c89859f5b52410c3e73666324c397d6b1f7d85b1b1cc72ad36eaed957ac

SHA512
c290e171082590cb616ca0d90609c4e5d6139583e66e7b1dcec1a9f18b8089bd1e505bb8c06df1cafc5f4ccb1c3808591b8e6457fec483bf9c4a1a63a2d7c42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1177y.exe
MD5
cb50ef09bdf4e39ced4ef6d05c7e1ee0

SHA1
42dc1e3c8b7f85ecdbb42b58dba56b0689411447

SHA256
5bee344c1f49deee84c5b4ec0b1d342b66825be07ccf59f131372b2348f6311e

SHA512
66dad0b2293591d74c3a6694fc81094871bf862343e5e730f2db1db11faae450ea976480841b118b512cb90126a7d4743db8be82bf95ae0545570eddca9e2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1212y.exe
MD5
b0254ca95ec784708a1d2daf505487d5

SHA1
7aedf85852ecea504c28607f24d2c6a61e5ce764

SHA256
89bfb0b80756223a553995617ff198b22246268849c3d6caf3a26ca50db2914c

SHA512
ae2ed6c02d83afc25eea94e3315b359140bbd6fe60c65e52220022fb743549bd1543eb28aca55178679ab352dac4afe9606fc50f2c62d145437da400e2e29fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1212y.exe
MD5
0781fa7431b95455a2e56f895c343da0

SHA1
1f51812ee99fd719d9c877cca81e06572bf81a49

SHA256
d0c5aede03a27f5a93a94f71cabd8944069653a193d3cd8c15addbb547963db1

SHA512
022b0cb96a59bec504b9719609c2be055733d62819c5c0f3a0cb0c5122cffc9f0b82b68f768deb60bf347f11865e10bc897a063d99ced2d62ff1ea0c8ce62fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x551y.exe
MD5
a475cd588a77ca05fcb34e7ab8fc18c2

SHA1
bb9abd6a38e011107e25203e7f1bd85038d15894

SHA256
9cd273f6f023195b744232deaf3fdaf776d83900fa00df119bb410580765ef41

SHA512
68ee5b14f3be4b546ba1683ca3d1966df1a7c3b891b45f2def3d455d875f4d997aed52bf0ff25bd77e260db5facd01d76c4742b8212dad61a9f5f64236a9c4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x551y.exe
MD5
f358655b09636d08e6ea90f0e0224b78

SHA1
83d26e140f94ed9f9f2c22c7db1a33a8654d4b4a

SHA256
74907cdfd209bf5d0e8f6bb912007f96c3ef23c8afa009c0556ce339eff7b480

SHA512
23ed75087ce7909807501d95affe679ec4072c5c7a98e1da83043ed43edaeeed9dae55f5744adb87b77fcbd5c1b14150b444f4e12de1ffb3727a65ce0a891f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x599y.exe
MD5
5543bdfccc8dd4760b6bb3db0aeab628

SHA1
5da95298f7c4ad18afe9ebb1b7085471f1d7aa8c

SHA256
9cf2e20fe707aaed8585fde1f2e421ac1f0c533af1650d3a2e24805ac0ce3916

SHA512
8c13c5cc27e92490caec25a0ea3a046ab2c794c28cc90c2acf10e54816634f7829b08a6bb96491de98f9abeae41194511ad2908d10a1b33b09044e983ea71b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x599y.exe
MD5
984f792e5d5f29e19a016624b81c95bc

SHA1
121ecef6ccbbd5e8445c331d3846cfcbd4e1e7f5

SHA256
833c7ed97098d89545ed2d05844db8f276d66017aff22609f8fd2ee89486481f

SHA512
c4c074279da34275458f903f1973250a0f40d52daabe6d104a7d7c964e8b0218fe844e72e9d8794edd88f0730f7d4dae60361583f874a819759269850e85a392

Download Submit
C:\Users\Admin\AppData\Local\Temp\x83y.exe
MD5
b3bf8fbbdfd7a1c0e5720e9e6ecdcb4d

SHA1
90cad7ed556a0d7463ea8395ac28f85f7a7a1bec

SHA256
073bcd6378900db5a9184c2d18303c547ab6682749c6729dbfbb40eef7a4be8d

SHA512
2e8cb1b5e97e05c7adfa9e00116c864dd66df926b034ba34667560dc962393216f921d106cd8c1212d912d73de2eeb91877f0d98cde1da75e6b6182b412e596f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x83y.exe
MD5
1958b072be6c6e39861f2d7c513c3b22

SHA1
7c95c1185156eb62c1d90efdf7566a8e23b5d298

SHA256
aa24616e3ebbcb15710597554d47d8d1e47adfeca842551545224f8a9dbc47b7

SHA512
9edbb8904b24507d557ea21d81a3ccdc6e9ca47382be8fefa21db546deea0b5a8de5b71dbb4b01c60366a8a297c4724ad94a61d0fa584c1fc00ba414d4bd25a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7rdsrkw0.0.cs
MD5
a1d9ba1cc2c9ed7b798322e7192fbd32

SHA1
9911c46ee2cada3343a866f0d2228a078c0671c5

SHA256
f08a0040558e63a50a6efebbc41357639f561e8ddcdbadc9f0c036e541703501

SHA512
570a7a5815cdf9a19d53ef9ee5320cf09107302d42a867da2579813e6792dc2f6392a578451e752058b24c7c6250c4dd6684f508603774041c252f6f043204e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7rdsrkw0.cmdline
MD5
ca58eca58e20cc045f6498a493d06bf2

SHA1
7a1648ec87c1101db112b52b9f94aa389df88fe3

SHA256
f466acf602415a6c5dff08bb73dd847445dc6d63c5baea205944238afe9c6560

SHA512
189d0d3994645257022792a8de4284ecc55efd75158de345d25315590123d3efdcffff9f30ec6498c8e52f7c9d034c4dbd2c29c9b4eddd76f28c3d7f496f0820

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC26C3.tmp
MD5
8f8808cdaffc1145f9d3e447633db945

SHA1
9b3eff53f7f6bb47130bcee1a060d7ace60ba1fc

SHA256
e2030cdb22d646de05fd1d7cf1e0fce97ce0b539aa28be00515c31f8b7a6dd41

SHA512
6a71e39d7bd1ba766b41c708277e34fa73f5760152a134d7b533221c332d20dc6648e53c29e66dbcf1e17b8866043a72b8b4be3245b913fcd50732f59e24b715

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC277E.tmp
MD5
8f8808cdaffc1145f9d3e447633db945

SHA1
9b3eff53f7f6bb47130bcee1a060d7ace60ba1fc

SHA256
e2030cdb22d646de05fd1d7cf1e0fce97ce0b539aa28be00515c31f8b7a6dd41

SHA512
6a71e39d7bd1ba766b41c708277e34fa73f5760152a134d7b533221c332d20dc6648e53c29e66dbcf1e17b8866043a72b8b4be3245b913fcd50732f59e24b715

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2897.tmp
MD5
bb3b31b9f936380f96266173b8c173d3

SHA1
0fd76cf9cc25dd00bd9bd28095c217ccc2b0d8e8

SHA256
db302b6d85189e5801b359ca68161516893ea11944b545f6ebd6560f499d022f

SHA512
75893b8afdc48f2929098a4ed785c5633a5fe0ddf0d8c19ed12f95dce339a7b19df17ad5893ad86af04697d864a41f67bebb84e3adb7763e73d08a4e3809e2ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBCFC.tmp
MD5
4e73a6ec8230e0fa52abe7a225745fd3

SHA1
0cce7300f92356ef45d7889665d8ef352faa9ee7

SHA256
56347dc1a02f4b5d86e3307e26171db98bd791347bd24fdee26a97e3f56e8aea

SHA512
28ec84a97081a0520a9f59ef5206eb63db3a79ec113b4fa0172deae5b7e66799c25c2af7ad99c63b9667bcc723626169970bfabe95bd46bb3254da1541bf8c19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBE06.tmp
MD5
4e73a6ec8230e0fa52abe7a225745fd3

SHA1
0cce7300f92356ef45d7889665d8ef352faa9ee7

SHA256
56347dc1a02f4b5d86e3307e26171db98bd791347bd24fdee26a97e3f56e8aea

SHA512
28ec84a97081a0520a9f59ef5206eb63db3a79ec113b4fa0172deae5b7e66799c25c2af7ad99c63b9667bcc723626169970bfabe95bd46bb3254da1541bf8c19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEA56.tmp
MD5
dcef205bc7cfa41adeb5b0a6e7b94eff

SHA1
574e7838750ba16739139b3cbbf80a5c36367d07

SHA256
4a59dde67eb712b90b24ed94fc72a92d059b207ba6ac858114ba6e5ca1251979

SHA512
72110ae92891c1fdf405b90c589c386b12ef2f2570d091e371e4ccf332847ade218955738302135c3b1b771a92bb6bce425aa1e50bfc3b73709f9f8627ab55a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEB21.tmp
MD5
dcef205bc7cfa41adeb5b0a6e7b94eff

SHA1
574e7838750ba16739139b3cbbf80a5c36367d07

SHA256
4a59dde67eb712b90b24ed94fc72a92d059b207ba6ac858114ba6e5ca1251979

SHA512
72110ae92891c1fdf405b90c589c386b12ef2f2570d091e371e4ccf332847ade218955738302135c3b1b771a92bb6bce425aa1e50bfc3b73709f9f8627ab55a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCECD6.tmp
MD5
3c48601c2d3f92685614ff9986585f75

SHA1
1dd69ebd2c3a18233710285361001389112e103a

SHA256
31258bcb5f667627a25a61b0b684f1c23c94d6b68797386e32f47b690aff4110

SHA512
354b4c8ba5a1cb52d765e7204734abe12f3cf1ed0a41df1ef55b479f89564358e804037393c0b359ade49b2553844eb470369c38c557fc3c385509c8cd99d754

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEDC1.tmp
MD5
3c48601c2d3f92685614ff9986585f75

SHA1
1dd69ebd2c3a18233710285361001389112e103a

SHA256
31258bcb5f667627a25a61b0b684f1c23c94d6b68797386e32f47b690aff4110

SHA512
354b4c8ba5a1cb52d765e7204734abe12f3cf1ed0a41df1ef55b479f89564358e804037393c0b359ade49b2553844eb470369c38c557fc3c385509c8cd99d754

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEFE4.tmp
MD5
12059683321f86d216bddfe3fc372d67

SHA1
f461698fac455ede24dab861e3c9c06b3376252d

SHA256
f4e37bd81eff013ea1b97240471f4e9a4b15da248ebac222d00f8020b06566c2

SHA512
493a3b71432aa0cb9396a2df848c3bbcba27aa0a1dafc9f6c6b735d5618099f61de75fd51f0896a393cc59e50b43d4969f1dac435d372091bd3c6031710405b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF0FD.tmp
MD5
12059683321f86d216bddfe3fc372d67

SHA1
f461698fac455ede24dab861e3c9c06b3376252d

SHA256
f4e37bd81eff013ea1b97240471f4e9a4b15da248ebac222d00f8020b06566c2

SHA512
493a3b71432aa0cb9396a2df848c3bbcba27aa0a1dafc9f6c6b735d5618099f61de75fd51f0896a393cc59e50b43d4969f1dac435d372091bd3c6031710405b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF226.tmp
MD5
0667d61e3a8bd0b947aae414a82058ba

SHA1
034fb2cf2be4386069fa63bd36613d59a8917c2b

SHA256
358f4ba5c9e8792e7ccc254cee4e78a330040e36f817a44eff304623732104a8

SHA512
69d25a753c1cbfb80bbed870ffaaec12f7dedbaf9aedf224310529761210eb7dde321538f288efb5e05e039497edbcc146324e6b5aa99867f04ea9b12100e461

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF39D.tmp
MD5
0667d61e3a8bd0b947aae414a82058ba

SHA1
034fb2cf2be4386069fa63bd36613d59a8917c2b

SHA256
358f4ba5c9e8792e7ccc254cee4e78a330040e36f817a44eff304623732104a8

SHA512
69d25a753c1cbfb80bbed870ffaaec12f7dedbaf9aedf224310529761210eb7dde321538f288efb5e05e039497edbcc146324e6b5aa99867f04ea9b12100e461

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a5qoehgl.0.cs
MD5
4f728db9de80a175f3df982ec4531b71

SHA1
791664d767d665b5e974cdc5d244e3173f54b443

SHA256
b6ec355ffdcec39b8ecc0284ee52d77435f5c92a1903d4fe0bf6f063cd54b230

SHA512
90d1a697b670c95db51b40adfae2e9d682939a04138e0c6cf04219c99fc531866fd22f442163a5c9283b195f22eb63cc5e5f02ec3f707d7c04745c3e1f2f2961

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a5qoehgl.cmdline
MD5
b7548cf55c14c98eecd9969fd89f3cf1

SHA1
3639cff58a427d650d056c7a39529800c9d38b13

SHA256
2053071d3d532b3462dc216fe292341935dd646f0133fbecebfa9e2d6402b0fc

SHA512
f47d378cb3cbf9799dd048ec71e21b06a3501687858f235874e7757f99a910a7ad6d27c14bb588a75249862e39301507a5a8bdc3deb2bae5d30244c1db50444c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jn8tzmzx.0.cs
MD5
d56b6ea498199a432d41e3a37930b0fd

SHA1
8677a5f36d5433400f4f60d792c144a12b0ddfdc

SHA256
65ec5da19385d26819e4978b554812f533191c3e07bdec2e4f5410ff75b711b2

SHA512
6f899999d6429bfd069973d6a12cf993ddedc517d438ae16f17367b3baa066db1bb549a4ae0b41c01d3957f0ce2fdc13531773dfb2c1edfb2bb72324405d5ada

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jn8tzmzx.cmdline
MD5
bcfb7e3738f4a7465c67cd1af7044553

SHA1
076b8748221016d60537bf40f2a7473eed9527c7

SHA256
90c54c59b48f1fe5b2856c6e2b1eab0af76c49c2e213cfde69ed0be5c3dc56f4

SHA512
e6ba00752c123edc6bafc865c0f140e1364c8a172f7a6699b5f6a3bed498666e35f1380e406a7f6f690b8d5db5225791c3dbb3fc6435f07896cc67fa408804e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kqdk2eny.0.cs
MD5
dff6b743b174b00302959cfeb305a19e

SHA1
f5a6fabf6d56736434487931c300b1440e172be9

SHA256
333b9b7199174b70ac86cca639ffe2f57057556c661dd81cb776c75f096a43a4

SHA512
7824e9a3057c60d3991f6bfe2c89213aa351958443c8376a5d7b9e4f66cec0fb04d7f81a5c7128217717e3fd38c041157365d66b4a685f8c1c395db42c087941

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kqdk2eny.cmdline
MD5
a717794a7399a4bac54a08a895e7b913

SHA1
42dd40d4e41565860d6dfdc34ca8e93832e31c17

SHA256
c4267bf4821e62a900d74d92fc357e8f6127184fab69418d45422029d41ad024

SHA512
4803eb49a5629cf4c80326d44061feb5accba1bcdfe1d3e1a9e03bf4566b87b4e71c7189529306ee463324b4a37564b18ace3f32ca8a9120e485da4db749beb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m4mtfz63.0.cs
MD5
b2af28535748b7f85ddba528242b61e7

SHA1
4ff628b128adbe8967203fe09f7874bf9b1aebac

SHA256
81f6d64cff510ab487104999fdcda153fd58f957b4611814259c325c361b7162

SHA512
eb0361260f6ee1a7d7201a15988b21f9adb2643d41554fde5b44138ef72acc3ed2bfd3dfb910f45ca037e237dcb7edaa12a6c56a828ac0dd095d86ad3888a51d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m4mtfz63.cmdline
MD5
0913658b424da8911e4d1ae53acf2d7a

SHA1
e9fdcfbfc2473e10d58e193a8fab094cbcfda515

SHA256
504169d202445359866030c81fb6e3d3f1959e7a125631ce829f91b029068971

SHA512
373ef79aae65191d7f3640831404b6eec05eeacdcb2e32b85ed663b3f42366e921ed9c9b8779ff547f806ba20e78215632ad1eab4a95a8459d1fd140715fda83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m7id_gsb.0.cs
MD5
eac7f468fafa04e4576fd29738dadfcc

SHA1
3122cb609a248a858ebdcd890c16482e0212d886

SHA256
cd6d7f25c9b154e4a2d418bb6c84e9b09b524bf3a023327588cd02e36a67a748

SHA512
b6e8e7777377e357c9421eca1af9ca505abbb1b02230aeb79687088f4d2063e647073caebc99c9b1a2dfeff631fe59ed56cc5a48be1ed277419e53685f23c1c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m7id_gsb.cmdline
MD5
44e67210c1a697f548153bb971a0909d

SHA1
071ae5834a9bf5cc7dcf2af4bce3f1a577a29f07

SHA256
c737b013d5aff4141213db402bd07ec90262e58146904707c890882734e03975

SHA512
376cbb748c56dab48ad390eee819c0d0faf5c6b17296c8c1be9a484d1f6db6eb117a2d938b9b5ac1eaff4c5bde267b7a8ad41dc853000f769aef8c4a8ed39e11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nsats1wg.0.cs
MD5
24f4f8e834d9f4284448460a7fe8bde8

SHA1
2143db0ae31c110d9fe01b1820b3a6999d702ab0

SHA256
b37662502f46bb1c1db631f6d0129851f7e529f7d87011c1b868bc332dd4f358

SHA512
d2182f35af3bc0a499266668c4aa233e0ce0ab235dcb2e589bebeefd68080009f6cbb4b35907d3c034b03cfd9cc20924d9933f2e773648e324f9c36b0023c299

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nsats1wg.cmdline
MD5
44687f98444efd6db3f31ed31f6af15e

SHA1
4d7362bb35fe2daabe2c00ad2c5c7d54d1641e2b

SHA256
7d46ecffc3101d61bcd433e219a3f9c077545f93b69337ed0631c7a71ebbd4ad

SHA512
0c98de214bba3eeb91be54919f99ad32148beaa79103d8b9278cae01c96b7061a5c67d58c47183c130a8442a515899a09decf5aa050b95e3f6ad996694c109d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p-npbscy.0.cs
MD5
df33fcf50b3838dd0786ac1a1d93178e

SHA1
2599aaf8f0d72a7b46b04962d19008e778b16305

SHA256
6148b41fe6f73b8efd5a5076fc369d7effc14930154f9781e7509eabdde50ff5

SHA512
db646ed811c9bf95b28ebbfb4a6c26eea1a5c865c55915222cad4706999cb3a27037ced918e7dc35700420edf7b4bbd417037f6e9e788835550f2d0800b7aacc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p-npbscy.cmdline
MD5
fa4be003039c914ead9adddcfadd3a7d

SHA1
e58221c4853b8ae60647f5c3337ab3d9d384c242

SHA256
f17b7da9c7f843c9681dda7a6f00274dd62bb2b25e27da6a7299bb7ff7d3ba2b

SHA512
2aebd22d9b1f0da4893d39c15df2951fba00008314586e8cff1c468d4938e3c3655ad818f16dc1211762f1194c8bffb2a0db4a406a5ef5b95cd845649c18398c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qolq6uuz.0.cs
MD5
d9766273ef9b048ad2e4cd052221b1c7

SHA1
55a9e023e044f12ab02507fc90291bcea165424b

SHA256
ceeb95d0ab9ad5b23fa78d15f45ef4efc457dcde01c754c0f9f490033742cab8

SHA512
5dff5e19ebb1274afec3a7b9802395ffde62538539a5e4912ecd55a831e2c519425ee79012c34934c3149203d8a275803ba63dd21e673a589e5b6c5a9000c142

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qolq6uuz.cmdline
MD5
058eb8a421e767fe242287adaa2866e8

SHA1
6fc9416617f691134b8ee74bfaaf35a081d73dea

SHA256
12bfe0586435019c98d6e3869d0b5cb625a5520bcbca5b2103749b2f8cd01605

SHA512
4a1f8619b45a1858491cad3b9d81b67660dbc424e74db5eaff8bf8aada59f9ceb52407618ee95a5b7e08c8c49e536c19f1ee9b42b2402f9b22daed6bd1f475ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skhtxiov.0.cs
MD5
ae9a66dedf3e85c3459035682f6a47b3

SHA1
6e6d37e5d0efd6f0df7f72507607a2db9c9cc465

SHA256
01630583c9aa5b65441fd5769a873d4b98496d182014c78708412a41f9562388

SHA512
ec90c718f0de04e33a1c1cae7875267dffa933b6cb0bb6cac0caebe0d1da358c7933c08a1ed008635222f2c34cbffffa7a5ed577dade0e1cb52c307b1f8122d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\skhtxiov.cmdline
MD5
3edd0a944a7b47ccd35958a25c9dfb06

SHA1
f9183bc873167ebcfd2614414177b3119002e16e

SHA256
058055006fa896029fe06cba460cbd2f216e87ca5f32950371e71bcadb5960d6

SHA512
5632d60778572854e5bd9d78dd4957fcaa099f3c16e430b66a68ffc6ef2c7cec446cd6a6402f09364a6b69a383ba55b37f83e0d35e4f614cb87624bddf738198

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ssynodi-.0.cs
MD5
4c3776b5e9218a705f3667e4dee3f564

SHA1
0751dcfda6b7e853565f23926134d08b9a26dcb9

SHA256
df5742e56a166500fecf2df9d650eef1f15614ae8b8aebcb488b587323b469c4

SHA512
f0d51912563df65c447d970b08d51d83b57b8dacf11d8eb181c90d73c773275c68af9f2f71282cb5670a7e88ed416e90efbd86eea6ea6a4051c6ce34e702a5fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ssynodi-.cmdline
MD5
5ea862167df0349e69b14a53a5973875

SHA1
0587baef49477c03e0b31545a77a7076bd1042df

SHA256
f349cbce7aaec906cc36c9f27f53e225ae41fe44164455c4f56dad964bbf7acc

SHA512
93889b4670fe2ecc280e6fc71d0421371ba33539121c55b604543c79489581dd7c6ad8823a665d9fe078ed52720836ec4a96240b9a0b9b44e61ee0f2e6cbae1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ved_q3sk.0.cs
MD5
b717315385796f003089f3012c179532

SHA1
445ba569e62ccf4a113d059f7f6c47e5bd184087

SHA256
594e510bf6dba7bac6b9bd9c6221b70a258b3039709792a95027307f3b833500

SHA512
d49e29873582d4f2ee654c7541ae25c921aefe7b1664241519691e5eac09ed501d041d31c3bd21a1241dcf709703b38f6a2cbea98735d68192633c456bc29a59

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ved_q3sk.cmdline
MD5
4dcfece45ecddf2fc0ac7f38f0ec4a0b

SHA1
27ba0fc87bb3345f83b6407a6acbe262e7c51db2

SHA256
1b5665d428a14c32fa2213ecb6defafa2ae0487572c2f4f4ca32baf4f1645d04

SHA512
e7c54df4a654f9ddbdb5c738403228517a10cec5ea2ffaf09741c59008c75947955183eefe87e45b937f31740e23412290f9fc2279931c095e8a6f2e7bdf4cb2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqbc7lke.0.cs
MD5
2d49f556d5da6b2a187330df803d3643

SHA1
2737cb29966d3979d3a1776026dcece4ffc02b66

SHA256
74bd089387e1d084aaad5ac1c5b93c822f8d296736e252cdffbd9d703d6d80d1

SHA512
760031e1bfebd5f0fd5fcd1cd1a3e1fb4da0f194e695f8083b848bd7c1fec414ed0209f95af4c13e44622587a1c101a1dbcedb363ad5f3d0dd771c058614f7ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqbc7lke.cmdline
MD5
0b6be7f8fd4036ba3d4ce9e0eb03fb5d

SHA1
582b571a7d7c4a77121592ae20375310f6b65ec2

SHA256
2847b28dc3241a796aa2979d6218dff3accfdc73b3e022003a294c3e899470b9

SHA512
840f4b27a57d822cf4a64f76b1011aadad4061afbc29b91ebceec368ad283beecd36be7725c56d5a781404c2ea64cee685e7b11ee08c0f7b6648c4ca9c4ea74f

Download Submit
memory/196-222-0x0000000000000000-mapping.dmp

Download
memory/196-246-0x0000000000000000-mapping.dmp

Download
memory/200-286-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/200-115-0x0000000000000000-mapping.dmp

Download
memory/200-125-0x0000000002240000-0x0000000002242000-memory.dmp

Filesize
8KB

Download
memory/492-219-0x0000000002330000-0x0000000002332000-memory.dmp

Filesize
8KB

Download
memory/492-209-0x0000000000000000-mapping.dmp

Download
memory/684-276-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/692-269-0x0000000000000000-mapping.dmp

Download
memory/768-170-0x0000000000000000-mapping.dmp

Download
memory/768-183-0x0000000002350000-0x0000000002352000-memory.dmp

Filesize
8KB

Download
memory/900-114-0x00000000010B0000-0x00000000010B2000-memory.dmp

Filesize
8KB

Download
memory/904-160-0x00000000023C0000-0x00000000023C2000-memory.dmp

Filesize
8KB

Download
memory/904-152-0x0000000000000000-mapping.dmp

Download
memory/908-205-0x0000000000000000-mapping.dmp

Download
memory/936-243-0x0000000000000000-mapping.dmp

Download
memory/1036-235-0x0000000000880000-0x0000000000882000-memory.dmp

Filesize
8KB

Download
memory/1036-231-0x0000000000000000-mapping.dmp

Download
memory/1116-212-0x0000000000000000-mapping.dmp

Download
memory/1120-241-0x0000000000000000-mapping.dmp

Download
memory/1212-275-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download
memory/1332-225-0x0000000000B30000-0x0000000000B32000-memory.dmp

Filesize
8KB

Download
memory/1332-221-0x0000000000000000-mapping.dmp

Download
memory/1356-126-0x0000000000000000-mapping.dmp

Download
memory/1472-300-0x0000000000950000-0x0000000000952000-memory.dmp

Filesize
8KB

Download
memory/1552-281-0x00000000021C0000-0x00000000021C2000-memory.dmp

Filesize
8KB

Download
memory/1648-181-0x0000000000590000-0x0000000000592000-memory.dmp

Filesize
8KB

Download
memory/1648-177-0x0000000000000000-mapping.dmp

Download
memory/1824-141-0x0000000000000000-mapping.dmp

Download
memory/1868-118-0x0000000000000000-mapping.dmp

Download
memory/1872-289-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/1872-278-0x00000000022E0000-0x00000000022E2000-memory.dmp

Filesize
8KB

Download
memory/1872-228-0x0000000000000000-mapping.dmp

Download
memory/1872-254-0x0000000000000000-mapping.dmp

Download
memory/1940-297-0x0000000002270000-0x0000000002272000-memory.dmp

Filesize
8KB

Download
memory/1992-215-0x0000000000000000-mapping.dmp

Download
memory/1992-220-0x00000000021D0000-0x00000000021D2000-memory.dmp

Filesize
8KB

Download
memory/2080-131-0x0000000000000000-mapping.dmp

Download
memory/2080-190-0x0000000000000000-mapping.dmp

Download
memory/2080-156-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/2128-182-0x0000000000000000-mapping.dmp

Download
memory/2132-277-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/2132-224-0x0000000000000000-mapping.dmp

Download
memory/2176-166-0x0000000000000000-mapping.dmp

Download
memory/2176-296-0x0000000000870000-0x0000000000872000-memory.dmp

Filesize
8KB

Download
memory/2176-285-0x00000000021C0000-0x00000000021C2000-memory.dmp

Filesize
8KB

Download
memory/2184-258-0x0000000000000000-mapping.dmp

Download
memory/2228-216-0x0000000000000000-mapping.dmp

Download
memory/2244-237-0x0000000000000000-mapping.dmp

Download
memory/2268-230-0x0000000000000000-mapping.dmp

Download
memory/2280-304-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download
memory/2376-303-0x0000000002260000-0x0000000002262000-memory.dmp

Filesize
8KB

Download
memory/2420-179-0x0000000000910000-0x0000000000912000-memory.dmp

Filesize
8KB

Download
memory/2420-163-0x0000000000000000-mapping.dmp

Download
memory/2448-148-0x0000000000000000-mapping.dmp

Download
memory/2796-194-0x0000000002260000-0x0000000002262000-memory.dmp

Filesize
8KB

Download
memory/2796-187-0x0000000000000000-mapping.dmp

Download
memory/2804-270-0x0000000000000000-mapping.dmp

Download
memory/2804-249-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/2804-155-0x0000000000000000-mapping.dmp

Download
memory/2804-274-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/2804-240-0x0000000000000000-mapping.dmp

Download
memory/2880-301-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/2880-134-0x0000000000000000-mapping.dmp

Download
memory/2920-262-0x0000000002150000-0x0000000002152000-memory.dmp

Filesize
8KB

Download
memory/2920-253-0x0000000000000000-mapping.dmp

Download
memory/2956-218-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/2956-267-0x0000000000000000-mapping.dmp

Download
memory/2956-202-0x0000000000000000-mapping.dmp

Download
memory/3024-248-0x00000000022E0000-0x00000000022E2000-memory.dmp

Filesize
8KB

Download
memory/3024-273-0x00000000008E0000-0x00000000008E2000-memory.dmp

Filesize
8KB

Download
memory/3024-295-0x0000000000870000-0x0000000000872000-memory.dmp

Filesize
8KB

Download
memory/3024-238-0x0000000000000000-mapping.dmp

Download
memory/3024-268-0x0000000000000000-mapping.dmp

Download
memory/3024-284-0x0000000002120000-0x0000000002122000-memory.dmp

Filesize
8KB

Download
memory/3032-250-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/3032-242-0x0000000000000000-mapping.dmp

Download
memory/3048-251-0x0000000000000000-mapping.dmp

Download
memory/3048-260-0x0000000000860000-0x0000000000862000-memory.dmp

Filesize
8KB

Download
memory/3384-282-0x0000000000B40000-0x0000000000B42000-memory.dmp

Filesize
8KB

Download
memory/3384-259-0x0000000000000000-mapping.dmp

Download
memory/3384-265-0x0000000000950000-0x0000000000952000-memory.dmp

Filesize
8KB

Download
memory/3424-223-0x0000000000000000-mapping.dmp

Download
memory/3424-226-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/3456-291-0x0000000002080000-0x0000000002082000-memory.dmp

Filesize
8KB

Download
memory/3464-217-0x00000000021A0000-0x00000000021A2000-memory.dmp

Filesize
8KB

Download
memory/3464-293-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download
memory/3464-195-0x0000000000000000-mapping.dmp

Download
memory/3504-252-0x0000000000000000-mapping.dmp

Download
memory/3508-173-0x0000000000000000-mapping.dmp

Download
memory/3672-271-0x0000000000000000-mapping.dmp

Download
memory/3780-232-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/3780-227-0x0000000000000000-mapping.dmp

Download
memory/3796-127-0x0000000002140000-0x0000000002142000-memory.dmp

Filesize
8KB

Download
memory/3796-299-0x0000000000A50000-0x0000000000A52000-memory.dmp

Filesize
8KB

Download
memory/3796-122-0x0000000000000000-mapping.dmp

Download
memory/3804-247-0x00000000008C0000-0x00000000008C2000-memory.dmp

Filesize
8KB

Download
memory/3804-287-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/3804-244-0x0000000000000000-mapping.dmp

Download
memory/3820-256-0x0000000000000000-mapping.dmp

Download
memory/3824-290-0x0000000002140000-0x0000000002142000-memory.dmp

Filesize
8KB

Download
memory/3824-279-0x0000000002300000-0x0000000002302000-memory.dmp

Filesize
8KB

Download
memory/3852-298-0x0000000002280000-0x0000000002282000-memory.dmp

Filesize
8KB

Download
memory/3908-280-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/3908-302-0x0000000002200000-0x0000000002202000-memory.dmp

Filesize
8KB

Download
memory/3912-292-0x0000000002330000-0x0000000002332000-memory.dmp

Filesize
8KB

Download
memory/3928-239-0x0000000000000000-mapping.dmp

Download
memory/3948-138-0x0000000000000000-mapping.dmp

Download
memory/3948-157-0x0000000000A90000-0x0000000000A92000-memory.dmp

Filesize
8KB

Download
memory/3972-263-0x00000000008C0000-0x00000000008C2000-memory.dmp

Filesize
8KB

Download
memory/3972-255-0x0000000000000000-mapping.dmp

Download
memory/4000-288-0x0000000002350000-0x0000000002352000-memory.dmp

Filesize
8KB

Download
memory/4020-283-0x0000000000AA0000-0x0000000000AA2000-memory.dmp

Filesize
8KB

Download
memory/4020-145-0x0000000000000000-mapping.dmp

Download
memory/4020-294-0x0000000000930000-0x0000000000932000-memory.dmp

Filesize
8KB

Download
memory/4020-158-0x00000000021A0000-0x00000000021A2000-memory.dmp

Filesize
8KB

Download
memory/4024-234-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download
memory/4024-264-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/4024-229-0x0000000000000000-mapping.dmp

Download
memory/4024-257-0x0000000000000000-mapping.dmp

Download
memory/4048-233-0x0000000000000000-mapping.dmp

Download
memory/4068-261-0x0000000000000000-mapping.dmp

Download
memory/4080-305-0x0000000002330000-0x0000000002332000-memory.dmp

Filesize
8KB

Download
memory/4088-236-0x0000000000000000-mapping.dmp

Download
memory/4088-198-0x0000000000000000-mapping.dmp

Download
memory/4088-272-0x0000000000880000-0x0000000000882000-memory.dmp

Filesize
8KB

Download
memory/4088-245-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download
memory/4088-266-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads