hawkeye_reborn | 53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2

Analysis

max time kernel
139s
max time network
20s
platform
windows7_x64
resource
win7v20210410
submitted
17-05-2021 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Size

1.9MB
MD5

0ed89a2b994f5971723fcaf56524e2ea
SHA1

0337eda7964ae4ab9a8738edfa04ef29d7b8209c
SHA256

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2
SHA512

2010cd5d65f4bfd3eb62f8c2bd3b790576253fc4663dcb00560ff026e24b52ce84ef5c2b3af85bfdbab6a74e2a2a008c55f958502306e3374ce503895715b591

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.crestpak.com
Port:
587
Username:
reception@crestpak.com
Password:
I-rec2018@30crest

Mutex

95f0b856-dab1-4e72-9e89-97c695819f8b

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:I-rec2018@30crest _EmailPort:587 _EmailSSL:false _EmailServer:mail.crestpak.com _EmailUsername:reception@crestpak.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:32800 _MeltFile:false _Mutex:95f0b856-dab1-4e72-9e89-97c695819f8b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1724-75-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1724-77-0x0000000000D00000-0x0000000000D72000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1724-77-0x0000000000D00000-0x0000000000D72000-memory.dmp	WebBrowserPassView
behavioral1/memory/2240-254-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/2224-259-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2224-256-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/2516-268-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/2872-286-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/668-299-0x000000000044472E-mapping.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1724-77-0x0000000000D00000-0x0000000000D72000-memory.dmp	Nirsoft
behavioral1/memory/2240-254-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/2224-259-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2224-256-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/2516-268-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/2872-286-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/668-299-0x000000000044472E-mapping.dmp	Nirsoft

Drops startup file 64 IoCs

Processes:

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 64 IoCs

Processes:

description	pid	process	target process
PID 1936 set thread context of 1724	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 436 set thread context of 1356	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1868 set thread context of 1548	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 572 set thread context of 1640	572	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1160 set thread context of 1316	1160	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1220 set thread context of 340	1220	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 524 set thread context of 332	524	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1072 set thread context of 1196	1072	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 316 set thread context of 1532	316	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1100 set thread context of 2180	1100	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1724 set thread context of 2240	1724	RegAsm.exe	vbc.exe
PID 1356 set thread context of 2224	1356	RegAsm.exe	vbc.exe
PID 2232 set thread context of 2488	2232	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1548 set thread context of 2516	1548	RegAsm.exe	vbc.exe
PID 2548 set thread context of 2636	2548	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2676 set thread context of 2784	2676	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1640 set thread context of 2872	1640	RegAsm.exe	vbc.exe
PID 2844 set thread context of 2980	2844	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1316 set thread context of 668	1316	RegAsm.exe	vbc.exe
PID 3040 set thread context of 2272	3040	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2320 set thread context of 2616	2320	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 340 set thread context of 2176	340	RegAsm.exe	vbc.exe
PID 2748 set thread context of 2920	2748	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 332 set thread context of 632	332	RegAsm.exe	vbc.exe
PID 2972 set thread context of 2172	2972	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2836 set thread context of 2864	2836	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1196 set thread context of 2824	1196	RegAsm.exe	vbc.exe
PID 2252 set thread context of 2536	2252	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1532 set thread context of 964	1532	RegAsm.exe	vbc.exe
PID 1620 set thread context of 2524	1620	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2180 set thread context of 1364	2180	RegAsm.exe	vbc.exe
PID 2716 set thread context of 2396	2716	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2488 set thread context of 1928	2488	RegAsm.exe	vbc.exe
PID 2256 set thread context of 2688	2256	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2636 set thread context of 3028	2636	RegAsm.exe	vbc.exe
PID 2912 set thread context of 3108	2912	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2784 set thread context of 3244	2784	RegAsm.exe	vbc.exe
PID 3148 set thread context of 3256	3148	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2980 set thread context of 3412	2980	RegAsm.exe	vbc.exe
PID 3324 set thread context of 3432	3324	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2272 set thread context of 3600	2272	RegAsm.exe	vbc.exe
PID 3504 set thread context of 3644	3504	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2616 set thread context of 3768	2616	RegAsm.exe	vbc.exe
PID 3696 set thread context of 3812	3696	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2920 set thread context of 3944	2920	RegAsm.exe	vbc.exe
PID 3868 set thread context of 3992	3868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2172 set thread context of 3088	2172	RegAsm.exe	vbc.exe
PID 4056 set thread context of 3240	4056	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2864 set thread context of 3192	2864	RegAsm.exe	vbc.exe
PID 2536 set thread context of 1996	2536	RegAsm.exe	vbc.exe
PID 3300 set thread context of 2284	3300	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3584 set thread context of 3168	3584	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2524 set thread context of 3748	2524	RegAsm.exe	vbc.exe
PID 3328 set thread context of 3508	3328	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2396 set thread context of 3980	2396	RegAsm.exe	vbc.exe
PID 2688 set thread context of 2356	2688	RegAsm.exe	vbc.exe
PID 3056 set thread context of 1672	3056	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3108 set thread context of 3636	3108	RegAsm.exe	vbc.exe
PID 4080 set thread context of 3344	4080	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3256 set thread context of 4040	3256	RegAsm.exe	vbc.exe
PID 3296 set thread context of 3308	3296	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3432 set thread context of 3092	3432	RegAsm.exe	vbc.exe
PID 2280 set thread context of 3132	2280	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3644 set thread context of 3476	3644	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

pid	process
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
572	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1160	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1220	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
524	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1072	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
316	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1100	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2232	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2548	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2676	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2844	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3040	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2320	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2748	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2972	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2836	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2252	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1620	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2716	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2256	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2912	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3148	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3324	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3504	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3696	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4056	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3300	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3584	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3328	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3056	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4080	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4080	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4080	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3296	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2280	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3084	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2820	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4196	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4376	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4568	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4740	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4740	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4888	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5076	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3096	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4516	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4396	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
940	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4200	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4524	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2740	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4232	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2772	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3684	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3684	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5296	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5440	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5624	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5812	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5972	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	572	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	1160	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	1220	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	524	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	1072	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	316	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	1100	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2232	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2548	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2676	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2844	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3040	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2320	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2748	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2972	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2836	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2252	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	1620	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2716	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2256	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2912	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3148	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3324	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3504	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3696	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4056	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3300	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3584	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3328	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3056	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4080	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3296	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2280	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3084	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2820	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4196	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4376	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4568	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4740	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4888	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5076	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3096	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4516	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4396	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	940	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4200	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4524	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2740	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4232	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2772	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3684	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5296	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5440	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5624	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5812	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5972	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5164	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5100	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4048	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5636	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

description	pid	process	target process
PID 1936 wrote to memory of 1152	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1936 wrote to memory of 1152	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1936 wrote to memory of 1152	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1936 wrote to memory of 1152	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1152 wrote to memory of 1660	1152	csc.exe	cvtres.exe
PID 1152 wrote to memory of 1660	1152	csc.exe	cvtres.exe
PID 1152 wrote to memory of 1660	1152	csc.exe	cvtres.exe
PID 1152 wrote to memory of 1660	1152	csc.exe	cvtres.exe
PID 1936 wrote to memory of 1724	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1936 wrote to memory of 1724	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1936 wrote to memory of 1724	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1936 wrote to memory of 1724	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1936 wrote to memory of 1724	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1936 wrote to memory of 1724	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1936 wrote to memory of 1724	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1936 wrote to memory of 1724	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1936 wrote to memory of 436	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1936 wrote to memory of 436	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1936 wrote to memory of 436	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1936 wrote to memory of 436	1936	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 436 wrote to memory of 740	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 436 wrote to memory of 740	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 436 wrote to memory of 740	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 436 wrote to memory of 740	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 740 wrote to memory of 920	740	csc.exe	cvtres.exe
PID 740 wrote to memory of 920	740	csc.exe	cvtres.exe
PID 740 wrote to memory of 920	740	csc.exe	cvtres.exe
PID 740 wrote to memory of 920	740	csc.exe	cvtres.exe
PID 436 wrote to memory of 1356	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 436 wrote to memory of 1356	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 436 wrote to memory of 1356	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 436 wrote to memory of 1356	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 436 wrote to memory of 1356	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 436 wrote to memory of 1356	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 436 wrote to memory of 1356	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 436 wrote to memory of 1356	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 436 wrote to memory of 1868	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 436 wrote to memory of 1868	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 436 wrote to memory of 1868	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 436 wrote to memory of 1868	436	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1868 wrote to memory of 1620	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1868 wrote to memory of 1620	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1868 wrote to memory of 1620	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1868 wrote to memory of 1620	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1620 wrote to memory of 1984	1620	csc.exe	cvtres.exe
PID 1620 wrote to memory of 1984	1620	csc.exe	cvtres.exe
PID 1620 wrote to memory of 1984	1620	csc.exe	cvtres.exe
PID 1620 wrote to memory of 1984	1620	csc.exe	cvtres.exe
PID 1868 wrote to memory of 1548	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1868 wrote to memory of 1548	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1868 wrote to memory of 1548	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1868 wrote to memory of 1548	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1868 wrote to memory of 1548	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1868 wrote to memory of 1548	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1868 wrote to memory of 1548	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1868 wrote to memory of 1548	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1868 wrote to memory of 572	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1868 wrote to memory of 572	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1868 wrote to memory of 572	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1868 wrote to memory of 572	1868	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 572 wrote to memory of 948	572	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 572 wrote to memory of 948	572	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 572 wrote to memory of 948	572	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 572 wrote to memory of 948	572	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcyflees\xcyflees.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2952.tmp" "c:\Users\Admin\AppData\Local\Temp\xcyflees\CSC3F3A30B239A74E75A32EBC49544268C.TMP"
3⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5F8E.tmp"
3⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp64AD.tmp"
3⤵
PID:6856

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ldbkuqzq\ldbkuqzq.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3092.tmp" "c:\Users\Admin\AppData\Local\Temp\ldbkuqzq\CSC7C6BD0EB37EA4CDFB752E23E4BF02A88.TMP"
4⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
PID:1356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5F9D.tmp"
4⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6623.tmp"
4⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d0w0aod2\d0w0aod2.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES368B.tmp" "c:\Users\Admin\AppData\Local\Temp\d0w0aod2\CSC5CEFE542FD144E37A81DFD12B90752.TMP"
5⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
PID:1548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6393.tmp"
5⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp698D.tmp"
5⤵
PID:7076

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
4⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4l12vfml\4l12vfml.cmdline"
5⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E58.tmp" "c:\Users\Admin\AppData\Local\Temp\4l12vfml\CSCB8D097EB7FE0495EBD028A467424958.TMP"
6⤵
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6BBE.tmp"
6⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp708F.tmp"
6⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ob54a3ue\ob54a3ue.cmdline"
6⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42F9.tmp" "c:\Users\Admin\AppData\Local\Temp\ob54a3ue\CSCB174E02C4D634D14A72F11E380BE53B4.TMP"
7⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetThreadContext
PID:1316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp705F.tmp"
7⤵
PID:668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7678.tmp"
7⤵
PID:6708

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
6⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0hz5ahc3\0hz5ahc3.cmdline"
7⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4875.tmp" "c:\Users\Admin\AppData\Local\Temp\0hz5ahc3\CSCCE1DB536AE574EA486D46058AFE06385.TMP"
8⤵
PID:276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of SetThreadContext
PID:340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7668.tmp"
8⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7B78.tmp"
8⤵
PID:7068

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
7⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5csqsiio\5csqsiio.cmdline"
8⤵
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EAC.tmp" "c:\Users\Admin\AppData\Local\Temp\5csqsiio\CSCBAEB31180D04696AE1F4FFF532B52F0.TMP"
9⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of SetThreadContext
PID:332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7C61.tmp"
9⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp822C.tmp"
9⤵
PID:6508

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
8⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yp2f4vbz\yp2f4vbz.cmdline"
9⤵
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54A5.tmp" "c:\Users\Admin\AppData\Local\Temp\yp2f4vbz\CSC485FD26163E341828C409F548095FF8A.TMP"
10⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of SetThreadContext
PID:1196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp"
10⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8798.tmp"
10⤵
PID:6784

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
9⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\23jedbmp\23jedbmp.cmdline"
10⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5976.tmp" "c:\Users\Admin\AppData\Local\Temp\23jedbmp\CSCB5C7C0271B11438C9D987FF36766ABEA.TMP"
11⤵
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of SetThreadContext
PID:1532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp85A4.tmp"
11⤵
PID:964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8B30.tmp"
11⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jt5tdhai\jt5tdhai.cmdline"
11⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DD9.tmp" "c:\Users\Admin\AppData\Local\Temp\jt5tdhai\CSCC5388181224E4D978D4265A6C2AD1D2.TMP"
12⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of SetThreadContext
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8A17.tmp"
12⤵
PID:1364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8EF8.tmp"
12⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
11⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ubzalneg\ubzalneg.cmdline"
12⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES620D.tmp" "c:\Users\Admin\AppData\Local\Temp\ubzalneg\CSCB4AB47B84709456C953EE2135C511D6.TMP"
13⤵
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of SetThreadContext
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8D61.tmp"
13⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp92CE.tmp"
13⤵
PID:6940

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
12⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mc2z0nn0\mc2z0nn0.cmdline"
13⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65E4.tmp" "c:\Users\Admin\AppData\Local\Temp\mc2z0nn0\CSC4F0B6E0847904EE8A66C491D26B94D4.TMP"
14⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp908C.tmp"
14⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp96C4.tmp"
14⤵
PID:7196

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
13⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gc52vsrj\gc52vsrj.cmdline"
14⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES692E.tmp" "c:\Users\Admin\AppData\Local\Temp\gc52vsrj\CSCED733F42256F4007B3607146FBC39ACE.TMP"
15⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of SetThreadContext
PID:2784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp94D0.tmp"
15⤵
PID:3244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9B08.tmp"
15⤵
PID:7368

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
14⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vqfedi0i\vqfedi0i.cmdline"
15⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D44.tmp" "c:\Users\Admin\AppData\Local\Temp\vqfedi0i\CSC1149E253894745919186EBE434E8892B.TMP"
16⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of SetThreadContext
PID:2980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp"
16⤵
PID:3412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9F4C.tmp"
16⤵
PID:7484

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
15⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxcca251\uxcca251.cmdline"
16⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70AD.tmp" "c:\Users\Admin\AppData\Local\Temp\uxcca251\CSCDD7790F9E429422FA35FFF9E678BB919.TMP"
17⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of SetThreadContext
PID:2272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9C3F.tmp"
17⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA19D.tmp"
17⤵
PID:7576

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
16⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\actchicz\actchicz.cmdline"
17⤵
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7436.tmp" "c:\Users\Admin\AppData\Local\Temp\actchicz\CSCCD60798E4C5548269661AC3789B56D48.TMP"
18⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA110.tmp"
18⤵
PID:3768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA70A.tmp"
18⤵
PID:7780

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
17⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pilnf3uj\pilnf3uj.cmdline"
18⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78F7.tmp" "c:\Users\Admin\AppData\Local\Temp\pilnf3uj\CSCFFE05F3F56ED42A58C5D981959C32E81.TMP"
19⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
PID:2920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA46A.tmp"
19⤵
PID:3944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA9D7.tmp"
19⤵
PID:7904

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rr1t4jpf\rr1t4jpf.cmdline"
19⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C13.tmp" "c:\Users\Admin\AppData\Local\Temp\rr1t4jpf\CSC19524C17DF6A42A58D7570CD8DCBE0E2.TMP"
20⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
PID:2172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA802.tmp"
20⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAD8F.tmp"
20⤵
PID:7992

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
19⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uy5g2get\uy5g2get.cmdline"
20⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F1F.tmp" "c:\Users\Admin\AppData\Local\Temp\uy5g2get\CSC4ED50AC1E2E4DFFB96A8F8F3712166A.TMP"
21⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of SetThreadContext
PID:2864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAAB1.tmp"
21⤵
PID:3192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB09B.tmp"
21⤵
PID:8128

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbvkz4za\lbvkz4za.cmdline"
21⤵
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES823A.tmp" "c:\Users\Admin\AppData\Local\Temp\lbvkz4za\CSC57646505BE9F45CCB634B41FA8151065.TMP"
22⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of SetThreadContext
PID:2536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpADAD.tmp"
22⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB3E5.tmp"
22⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
21⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\idhtlo3h\idhtlo3h.cmdline"
22⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85E2.tmp" "c:\Users\Admin\AppData\Local\Temp\idhtlo3h\CSCCAF70E6F110643E2BBC6337868124B8.TMP"
23⤵
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of SetThreadContext
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB29D.tmp"
23⤵
PID:3748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB904.tmp"
23⤵
PID:5540

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
22⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zop3azby\zop3azby.cmdline"
23⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A55.tmp" "c:\Users\Admin\AppData\Local\Temp\zop3azby\CSC79301459EB5A4A0D9F9E2A88239F330.TMP"
24⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of SetThreadContext
PID:2396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB5C8.tmp"
24⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBBC2.tmp"
24⤵
PID:7696

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\33g1htnr\33g1htnr.cmdline"
24⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DCE.tmp" "c:\Users\Admin\AppData\Local\Temp\33g1htnr\CSCB3D7A3B956D54F01BAB6349A185738E.TMP"
25⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of SetThreadContext
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB912.tmp"
25⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBE41.tmp"
25⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
24⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xjqnjove\xjqnjove.cmdline"
25⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90EA.tmp" "c:\Users\Admin\AppData\Local\Temp\xjqnjove\CSC808DED735D834A8F9ABA1ABFA5E2A59.TMP"
26⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of SetThreadContext
PID:3108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBC0F.tmp"
26⤵
PID:3636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC18C.tmp"
26⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
25⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z3r3dsar\z3r3dsar.cmdline"
26⤵
PID:3184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94B1.tmp" "c:\Users\Admin\AppData\Local\Temp\z3r3dsar\CSC312279DBF9414CB4B12F41F371CC511.TMP"
27⤵
PID:3236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of SetThreadContext
PID:3256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBF59.tmp"
27⤵
PID:4040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC505.tmp"
27⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jyqqxdcw\jyqqxdcw.cmdline"
27⤵
PID:3372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98E5.tmp" "c:\Users\Admin\AppData\Local\Temp\jyqqxdcw\CSC25FD8FFC4FB64CBBB6806E71909A80.TMP"
28⤵
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of SetThreadContext
PID:3432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC497.tmp"
28⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCA14.tmp"
28⤵
PID:8048

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c3tqrgm3\c3tqrgm3.cmdline"
28⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CFB.tmp" "c:\Users\Admin\AppData\Local\Temp\c3tqrgm3\CSCED640C859C3E4C699BD1B1161B51C1E6.TMP"
29⤵
PID:3616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of SetThreadContext
PID:3644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC8BB.tmp"
29⤵
PID:3476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCE77.tmp"
29⤵
PID:7824

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
28⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n54nlpj4\n54nlpj4.cmdline"
29⤵
PID:3740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA13F.tmp" "c:\Users\Admin\AppData\Local\Temp\n54nlpj4\CSC8598CAAD9C434EAE8AA95BA75A604F5F.TMP"
30⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:3812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCD9B.tmp"
30⤵
PID:4132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD318.tmp"
30⤵
PID:6764

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
29⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\10gisdel\10gisdel.cmdline"
30⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA525.tmp" "c:\Users\Admin\AppData\Local\Temp\10gisdel\CSC15F32517B284B279FADE050142F4179.TMP"
31⤵
PID:3972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD098.tmp"
31⤵
PID:4296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD72E.tmp"
31⤵
PID:7868

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eshunglv\eshunglv.cmdline"
31⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA90B.tmp" "c:\Users\Admin\AppData\Local\Temp\eshunglv\CSCBD54BD8F118945179136D2C637853F7.TMP"
32⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:3240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD4FB.tmp"
32⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDB72.tmp"
32⤵
PID:7204

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
31⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ldv554ph\ldv554ph.cmdline"
32⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACF2.tmp" "c:\Users\Admin\AppData\Local\Temp\ldv554ph\CSC76457F128A64693906176B2D57180C7.TMP"
33⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD874.tmp"
33⤵
PID:4652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDE10.tmp"
33⤵
PID:8264

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
32⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fj0sup4z\fj0sup4z.cmdline"
33⤵
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0B9.tmp" "c:\Users\Admin\AppData\Local\Temp\fj0sup4z\CSC1F48F41BE4254455B7E2EFDDA4BD793.TMP"
34⤵
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:3168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp"
34⤵
PID:4840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE300.tmp"
34⤵
PID:8452

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z5h2jfxr\z5h2jfxr.cmdline"
34⤵
PID:3552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4ED.tmp" "c:\Users\Admin\AppData\Local\Temp\z5h2jfxr\CSC352BB884A2A431C92F82FC3CEDAEE5.TMP"
35⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE0AE.tmp"
35⤵
PID:4996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE754.tmp"
35⤵
PID:8632

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cpcsibwo\cpcsibwo.cmdline"
35⤵
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8E3.tmp" "c:\Users\Admin\AppData\Local\Temp\cpcsibwo\CSC535376D0A6764423903987CC69FE75D.TMP"
36⤵
PID:4040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE456.tmp"
36⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp"
36⤵
PID:8796

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zgnwkouw\zgnwkouw.cmdline"
36⤵
PID:3428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC8B.tmp" "c:\Users\Admin\AppData\Local\Temp\zgnwkouw\CSC54696457DB6D4EF7BF7BB6AB80422C53.TMP"
37⤵
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:3344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp"
37⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEE08.tmp"
37⤵
PID:8872

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\po1n0bqm\po1n0bqm.cmdline"
37⤵
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC014.tmp" "c:\Users\Admin\AppData\Local\Temp\po1n0bqm\CSC719DA1A84143460CA329D790A1CD9F8D.TMP"
38⤵
PID:3132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:3308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpECEE.tmp"
38⤵
PID:4660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF307.tmp"
38⤵
PID:9068

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uz5k0hnr\uz5k0hnr.cmdline"
38⤵
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC458.tmp" "c:\Users\Admin\AppData\Local\Temp\uz5k0hnr\CSC6940E939871A4FC0B360712315CE0FB.TMP"
39⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:3132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF086.tmp"
39⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF603.tmp"
39⤵
PID:9196

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
38⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xb01pryd\xb01pryd.cmdline"
39⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC81F.tmp" "c:\Users\Admin\AppData\Local\Temp\xb01pryd\CSC26E7625ADF748A8B04D9336B0FE5695.TMP"
40⤵
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF3B1.tmp"
40⤵
PID:4756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF9BB.tmp"
40⤵
PID:8336

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
39⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4g5tyu3g\4g5tyu3g.cmdline"
40⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC54.tmp" "c:\Users\Admin\AppData\Local\Temp\4g5tyu3g\CSCC6F8EF8C64494282B553628B959BA827.TMP"
41⤵
PID:4104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:4124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF824.tmp"
41⤵
PID:5084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFDC1.tmp"
41⤵
PID:8252

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
40⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zb0konux\zb0konux.cmdline"
41⤵
PID:4236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD059.tmp" "c:\Users\Admin\AppData\Local\Temp\zb0konux\CSC36A8644E90CF4E318A6834DD2CE5D.TMP"
42⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFB50.tmp"
42⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEC.tmp"
42⤵
PID:8784

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
41⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\53bgl0db\53bgl0db.cmdline"
42⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3F2.tmp" "c:\Users\Admin\AppData\Local\Temp\53bgl0db\CSC3D2AC6E0DFB747B295F9829052F1D8A9.TMP"
43⤵
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFF07.tmp"
43⤵
PID:4400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4B3.tmp"
43⤵
PID:8548

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
42⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xxmrjvlz\xxmrjvlz.cmdline"
43⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD836.tmp" "c:\Users\Admin\AppData\Local\Temp\xxmrjvlz\CSC8969DD7DB6934A5BB53FF94F84B2F5.TMP"
44⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:4684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp399.tmp"
44⤵
PID:896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp955.tmp"
44⤵
PID:7968

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
43⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fhspvah0\fhspvah0.cmdline"
44⤵
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBCE.tmp" "c:\Users\Admin\AppData\Local\Temp\fhspvah0\CSC5AAD82C8129640C1BD346F9A7AE554B.TMP"
45⤵
PID:4804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6C4.tmp"
45⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCBE.tmp"
45⤵
PID:8888

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
44⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e0z0fatm\e0z0fatm.cmdline"
45⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFE3.tmp" "c:\Users\Admin\AppData\Local\Temp\e0z0fatm\CSC49C8694BA5E54403921D619F88D877.TMP"
46⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpACA.tmp"
46⤵
PID:4512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1057.tmp"
46⤵
PID:8716

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
45⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\puitjcis\puitjcis.cmdline"
46⤵
PID:4104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE485.tmp" "c:\Users\Admin\AppData\Local\Temp\puitjcis\CSCCFABC3228D4741B6B1AF15D91B45582B.TMP"
47⤵
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:4164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF9A.tmp"
47⤵
PID:5204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp15C3.tmp"
47⤵
PID:8360

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
46⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aglwnyxv\aglwnyxv.cmdline"
47⤵
PID:4072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE955.tmp" "c:\Users\Admin\AppData\Local\Temp\aglwnyxv\CSC33E1BED9771D4644AAC5FA7852811BB5.TMP"
48⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp15A3.tmp"
48⤵
PID:5412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp"
48⤵
PID:8960

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
47⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hxgbxosb\hxgbxosb.cmdline"
48⤵
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED3C.tmp" "c:\Users\Admin\AppData\Local\Temp\hxgbxosb\CSC927A344FEFAD42C29CE15C6FA7CC39C7.TMP"
49⤵
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1890.tmp"
49⤵
PID:5548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1EE7.tmp"
49⤵
PID:9320

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
48⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rrqwzrfu\rrqwzrfu.cmdline"
49⤵
PID:4884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF113.tmp" "c:\Users\Admin\AppData\Local\Temp\rrqwzrfu\CSC5968E598E59244EE92325952102CD3FF.TMP"
50⤵
PID:4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:4664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1C66.tmp"
50⤵
PID:5728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2222.tmp"
50⤵
PID:9472

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
49⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1i21cz3g\1i21cz3g.cmdline"
50⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4CA.tmp" "c:\Users\Admin\AppData\Local\Temp\1i21cz3g\CSC185BA335F67E46FABB9229C75D54CD7.TMP"
51⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:4440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp225F.tmp"
51⤵
PID:5940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2888.tmp"
51⤵
PID:9640

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
50⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dhjsg13w\dhjsg13w.cmdline"
51⤵
PID:4364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA18.tmp" "c:\Users\Admin\AppData\Local\Temp\dhjsg13w\CSC72CAEEAB75B04DFAAF66B5BEF61B2F8.TMP"
52⤵
PID:4156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:4912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp256B.tmp"
52⤵
PID:6080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp29B0.tmp"
52⤵
PID:9696

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
51⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uk30n1jz\uk30n1jz.cmdline"
52⤵
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEE8.tmp" "c:\Users\Admin\AppData\Local\Temp\uk30n1jz\CSC6ECAC47E87BB4841AE919DEC97394EE2.TMP"
53⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2B06.tmp"
53⤵
PID:4552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2FE7.tmp"
53⤵
PID:9900

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
52⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vp2gj0jf\vp2gj0jf.cmdline"
53⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32C.tmp" "c:\Users\Admin\AppData\Local\Temp\vp2gj0jf\CSC3FE6D19DCAD54964A5D0A85B8238EF15.TMP"
54⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:4608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2E32.tmp"
54⤵
PID:5724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp33ED.tmp"
54⤵
PID:10036

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
53⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vjqjpsxh\vjqjpsxh.cmdline"
54⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D4.tmp" "c:\Users\Admin\AppData\Local\Temp\vjqjpsxh\CSC9924B308721E4A8C94791613C9B9DF2D.TMP"
55⤵
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp33CD.tmp"
55⤵
PID:6008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3998.tmp"
55⤵
PID:10232

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
54⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jlpxgmnt\jlpxgmnt.cmdline"
55⤵
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADA.tmp" "c:\Users\Admin\AppData\Local\Temp\jlpxgmnt\CSC91E3F0AFA3E3450394DD68A92D987C8F.TMP"
56⤵
PID:3228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp35DF.tmp"
56⤵
PID:6128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3C85.tmp"
56⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
55⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1eoctz3n\1eoctz3n.cmdline"
56⤵
PID:5136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED0.tmp" "c:\Users\Admin\AppData\Local\Temp\1eoctz3n\CSC9E7F2E6E15BB4DA9A4A3E76094E7172B.TMP"
57⤵
PID:5160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:5220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp"
57⤵
PID:5452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3ED5.tmp"
57⤵
PID:9132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
56⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iukm2mmz\iukm2mmz.cmdline"
57⤵
PID:5316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1323.tmp" "c:\Users\Admin\AppData\Local\Temp\iukm2mmz\CSCD6553A9541DD4D5F84F7DB14CDF5B9B4.TMP"
58⤵
PID:5340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:5372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp"
58⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp46C1.tmp"
58⤵
PID:9856

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
57⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4jvqqmgh\4jvqqmgh.cmdline"
58⤵
PID:5484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17A6.tmp" "c:\Users\Admin\AppData\Local\Temp\4jvqqmgh\CSC31DE6EBBAF5441DE8893DEA7718F34E.TMP"
59⤵
PID:5512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:5560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp42DA.tmp"
59⤵
PID:5980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4895.tmp"
59⤵
PID:10012

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
58⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15ktnabg\15ktnabg.cmdline"
59⤵
PID:5672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C47.tmp" "c:\Users\Admin\AppData\Local\Temp\15ktnabg\CSCD75DD03FE62E49AEA938A79325A9B9.TMP"
60⤵
PID:5720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:5740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp46C0.tmp"
60⤵
PID:4704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4D95.tmp"
60⤵
PID:9228

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
59⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aoxpq043\aoxpq043.cmdline"
60⤵
PID:5848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FEF.tmp" "c:\Users\Admin\AppData\Local\Temp\aoxpq043\CSC115ED1DED75945549C9D903C761E6CAD.TMP"
61⤵
PID:5872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:5912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4BC0.tmp"
61⤵
PID:5664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp51D9.tmp"
61⤵
PID:9952

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
60⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvyquljr\yvyquljr.cmdline"
61⤵
PID:6012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2462.tmp" "c:\Users\Admin\AppData\Local\Temp\yvyquljr\CSC6CE0A6634DBD4997AF2DAE95353247.TMP"
62⤵
PID:6040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:6088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4FD5.tmp"
62⤵
PID:5968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5571.tmp"
62⤵
PID:9832

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
61⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:5164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kyjsx0cr\kyjsx0cr.cmdline"
62⤵
PID:3632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES281A.tmp" "c:\Users\Admin\AppData\Local\Temp\kyjsx0cr\CSCC1A52B0FDBB645039975AAC236DAD2BC.TMP"
63⤵
PID:5272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:5328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp53CB.tmp"
63⤵
PID:6172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5A70.tmp"
63⤵
PID:10132

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
62⤵
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nzukg2kk\nzukg2kk.cmdline"
63⤵
PID:5456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C3E.tmp" "c:\Users\Admin\AppData\Local\Temp\nzukg2kk\CSC94A531D73E2C4A658978E6EDA92E7AAC.TMP"
64⤵
PID:3348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:5596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp"
64⤵
PID:6308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5D4D.tmp"
64⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
63⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trw5v1y0\trw5v1y0.cmdline"
64⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3034.tmp" "c:\Users\Admin\AppData\Local\Temp\trw5v1y0\CSC9C4DA76FDC8C4053BC55B4310B7A376.TMP"
65⤵
PID:5804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:5856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5C53.tmp"
65⤵
PID:6524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp624D.tmp"
65⤵
PID:9920

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
64⤵
- Suspicious use of AdjustPrivilegeToken
PID:5636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gemy3hld\gemy3hld.cmdline"
65⤵
PID:5968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34E6.tmp" "c:\Users\Admin\AppData\Local\Temp\gemy3hld\CSC4B580ADFDE34C17B279F681A1CFE6E8.TMP"
66⤵
PID:5736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:6112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6171.tmp"
66⤵
PID:6696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp673C.tmp"
66⤵
PID:9236

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
65⤵
- Drops startup file
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0enbxqno\0enbxqno.cmdline"
66⤵
PID:5980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38BC.tmp" "c:\Users\Admin\AppData\Local\Temp\0enbxqno\CSC7B23EADF2029417CA4394639947600.TMP"
67⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:5464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp650A.tmp"
67⤵
PID:6892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6AE4.tmp"
67⤵
PID:9836

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
66⤵
PID:5432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fzfsuwpf\fzfsuwpf.cmdline"
67⤵
PID:5860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D3F.tmp" "c:\Users\Admin\AppData\Local\Temp\fzfsuwpf\CSC82226E8926774D34AF638383E9E585B3.TMP"
68⤵
PID:5780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:3568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp699C.tmp"
68⤵
PID:7084

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
67⤵
- Drops startup file
PID:5808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcm4qtdf\hcm4qtdf.cmdline"
68⤵
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41E0.tmp" "c:\Users\Admin\AppData\Local\Temp\hcm4qtdf\CSC77E6083EEF54ADF9CBECB84DB591DE9.TMP"
69⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6DA1.tmp"
69⤵
PID:5644

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
68⤵
- Drops startup file
PID:5144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4aee0fmu\4aee0fmu.cmdline"
69⤵
PID:5784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46E0.tmp" "c:\Users\Admin\AppData\Local\Temp\4aee0fmu\CSCBF9F2601DE75479D91997B98AA7881B1.TMP"
70⤵
PID:5844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:6024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp734C.tmp"
70⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
69⤵
- Drops startup file
PID:4112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4aevl2v\x4aevl2v.cmdline"
70⤵
PID:5672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BA0.tmp" "c:\Users\Admin\AppData\Local\Temp\x4aevl2v\CSCF43D7ACE441D46E2AEBC4F1BC6B8A588.TMP"
71⤵
PID:5908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp77FD.tmp"
71⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
70⤵
PID:6000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qeoao5cm\qeoao5cm.cmdline"
71⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5052.tmp" "c:\Users\Admin\AppData\Local\Temp\qeoao5cm\CSCA6B3B760BB5242E4853AD2357168336.TMP"
72⤵
PID:6136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:6136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7C41.tmp"
72⤵
PID:7120

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
71⤵
- Drops startup file
PID:4192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kzksc0om\kzksc0om.cmdline"
72⤵
PID:6156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5486.tmp" "c:\Users\Admin\AppData\Local\Temp\kzksc0om\CSC368EEAC853E14C898D5532BF7FC4EA2E.TMP"
73⤵
PID:6208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:6224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp81CD.tmp"
73⤵
PID:6992

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
72⤵
- Drops startup file
PID:6300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cqxgmxh5\cqxgmxh5.cmdline"
73⤵
PID:6332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58F9.tmp" "c:\Users\Admin\AppData\Local\Temp\cqxgmxh5\CSC3DC5DDC3896648C7B6262AAACFA08651.TMP"
74⤵
PID:6356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:6392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:6400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp840E.tmp"
74⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
73⤵
- Drops startup file
PID:6444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\14nnohp0\14nnohp0.cmdline"
74⤵
PID:6500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D3D.tmp" "c:\Users\Admin\AppData\Local\Temp\14nnohp0\CSC145B4DC23B2D4953BCE5584261FE3DCF.TMP"
75⤵
PID:6544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:6568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp896B.tmp"
75⤵
PID:7104

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
74⤵
- Drops startup file
PID:6648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yajartx4\yajartx4.cmdline"
75⤵
PID:6672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES620D.tmp" "c:\Users\Admin\AppData\Local\Temp\yajartx4\CSC55142DB6F6354BEE966BB115B3BDC1BB.TMP"
76⤵
PID:6704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:6740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8CC5.tmp"
76⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
75⤵
- Drops startup file
PID:6812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t4zrpdo2\t4zrpdo2.cmdline"
76⤵
PID:6868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6596.tmp" "c:\Users\Admin\AppData\Local\Temp\t4zrpdo2\CSC28305362610447C4B2A52D2E5337883C.TMP"
77⤵
PID:6900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:6948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp91B5.tmp"
77⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
76⤵
PID:7000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j0d03hwz\j0d03hwz.cmdline"
77⤵
PID:7040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A09.tmp" "c:\Users\Admin\AppData\Local\Temp\j0d03hwz\CSCBA0CE488AFF14809B598235A4FBDBB15.TMP"
78⤵
PID:7096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:7132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp956C.tmp"
78⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
77⤵
- Drops startup file
PID:6184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gqdv5r1v\gqdv5r1v.cmdline"
78⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E3D.tmp" "c:\Users\Admin\AppData\Local\Temp\gqdv5r1v\CSCF109DEDEB4744807B0EC642869E73148.TMP"
79⤵
PID:3732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:6332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9A0E.tmp"
79⤵
PID:7308

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
78⤵
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hlkvd1ke\hlkvd1ke.cmdline"
79⤵
PID:6504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73B9.tmp" "c:\Users\Admin\AppData\Local\Temp\hlkvd1ke\CSC558B833C6A774752A424426D4245D27.TMP"
80⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:6292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9FD8.tmp"
80⤵
PID:7532

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
79⤵
PID:6320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gbcp2skk\gbcp2skk.cmdline"
80⤵
PID:6788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78F7.tmp" "c:\Users\Admin\AppData\Local\Temp\gbcp2skk\CSCD1227201BF2F47BDA5CC7EAACCCB276E.TMP"
81⤵
PID:6940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:6912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA479.tmp"
81⤵
PID:7712

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
80⤵
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ly4jdr5u\ly4jdr5u.cmdline"
81⤵
PID:7040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D5A.tmp" "c:\Users\Admin\AppData\Local\Temp\ly4jdr5u\CSC3292B7A69A664D098D82D3E41F6C5E7D.TMP"
82⤵
PID:6832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:6848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA9A7.tmp"
82⤵
PID:7896

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
81⤵
PID:6344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vc0ki5zh\vc0ki5zh.cmdline"
82⤵
PID:6200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82E6.tmp" "c:\Users\Admin\AppData\Local\Temp\vc0ki5zh\CSCE432AAF0128540A3B9CEDBA31DFFF665.TMP"
83⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:7016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAF62.tmp"
83⤵
PID:8088

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
82⤵
- Drops startup file
PID:6872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykbtprmh\ykbtprmh.cmdline"
83⤵
PID:6160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87F5.tmp" "c:\Users\Admin\AppData\Local\Temp\ykbtprmh\CSC1BBA81788E284F0C8A1EF4FBCF4A5861.TMP"
84⤵
PID:7112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:7116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB367.tmp"
84⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
83⤵
PID:6516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqtrteb1\qqtrteb1.cmdline"
84⤵
PID:6200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CC5.tmp" "c:\Users\Admin\AppData\Local\Temp\qqtrteb1\CSC16D8B826FFB64CA780F66933285C2864.TMP"
85⤵
PID:5584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:5392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB828.tmp"
85⤵
PID:7496

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
84⤵
PID:6844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rq4j32ub\rq4j32ub.cmdline"
85⤵
PID:6432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91F3.tmp" "c:\Users\Admin\AppData\Local\Temp\rq4j32ub\CSC488DAA40970340DA878AAB87EDB187E3.TMP"
86⤵
PID:6200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:6944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBE11.tmp"
86⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
85⤵
PID:5304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ljdojcq\4ljdojcq.cmdline"
86⤵
PID:6868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9685.tmp" "c:\Users\Admin\AppData\Local\Temp\4ljdojcq\CSC54A724AA34F8420B979744C64C264740.TMP"
87⤵
PID:7184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:7212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC255.tmp"
87⤵
PID:8104

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
86⤵
PID:7292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxekyzgp\uxekyzgp.cmdline"
87⤵
PID:7320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B55.tmp" "c:\Users\Admin\AppData\Local\Temp\uxekyzgp\CSCFFD773CE3F504FAFA22D8E59E2365313.TMP"
88⤵
PID:7380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:7392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC716.tmp"
88⤵
PID:7544

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
87⤵
PID:7440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kskiobmx\kskiobmx.cmdline"
88⤵
PID:7492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA093.tmp" "c:\Users\Admin\AppData\Local\Temp\kskiobmx\CSCE37E405E4EE14407AFFCA32244A32C4.TMP"
89⤵
PID:7560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:7584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCCC1.tmp"
89⤵
PID:7272

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
88⤵
- Drops startup file
PID:7644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1d5vtn0e\1d5vtn0e.cmdline"
89⤵
PID:7684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4F6.tmp" "c:\Users\Admin\AppData\Local\Temp\1d5vtn0e\CSCC2AC2BD394AA4860AC1D53366ABA518.TMP"
90⤵
PID:7720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:7756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD1A1.tmp"
90⤵
PID:7316

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
89⤵
PID:7812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wfpjdrmp\wfpjdrmp.cmdline"
90⤵
PID:7860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA53.tmp" "c:\Users\Admin\AppData\Local\Temp\wfpjdrmp\CSC3953798EFB0647F3AADABB308F933B98.TMP"
91⤵
PID:7932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:7948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD6CF.tmp"
91⤵
PID:7668

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
90⤵
PID:8032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\thaoxcpi\thaoxcpi.cmdline"
91⤵
PID:8064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFA0.tmp" "c:\Users\Admin\AppData\Local\Temp\thaoxcpi\CSC60F77124DD64468EBF7CD627EDB399D.TMP"
92⤵
PID:8096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:8140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDBCE.tmp"
92⤵
PID:8196

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
91⤵
- Drops startup file
PID:5984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xkfwvtrd\xkfwvtrd.cmdline"
92⤵
PID:5480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB49F.tmp" "c:\Users\Admin\AppData\Local\Temp\xkfwvtrd\CSCDB11A149ABAD439899D19BF9D3167DDB.TMP"
93⤵
PID:7352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:7348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDFB5.tmp"
93⤵
PID:8348

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
92⤵
PID:5280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sw5pjx32\sw5pjx32.cmdline"
93⤵
PID:7560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB903.tmp" "c:\Users\Admin\AppData\Local\Temp\sw5pjx32\CSCE58BDD999444A01A431EE6AB3638CB.TMP"
94⤵
PID:7592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:7284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE56F.tmp"
94⤵
PID:8564

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
93⤵
- Drops startup file
PID:7296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\14gg1qpu\14gg1qpu.cmdline"
94⤵
PID:7436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF0B.tmp" "c:\Users\Admin\AppData\Local\Temp\14gg1qpu\CSC3B44F60FCA4849D4908D48A4AF29CCCB.TMP"
95⤵
PID:7924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:7940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEA40.tmp"
95⤵
PID:8744

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
94⤵
- Drops startup file
PID:8068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wpfqy3sr\wpfqy3sr.cmdline"
95⤵
PID:8120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC34F.tmp" "c:\Users\Admin\AppData\Local\Temp\wpfqy3sr\CSC3374716FA8844340B4CBBD85B3DB12B.TMP"
96⤵
PID:6764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:5476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF029.tmp"
96⤵
PID:8992

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
95⤵
PID:7176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mjuyi13d\mjuyi13d.cmdline"
96⤵
PID:5316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC810.tmp" "c:\Users\Admin\AppData\Local\Temp\mjuyi13d\CSC354F9E7DE8A49E6B1985FAB32BEF13D.TMP"
97⤵
PID:7208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:6164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:7184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF538.tmp"
97⤵
PID:9156

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
96⤵
- Drops startup file
PID:7944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cnnvtjqc\cnnvtjqc.cmdline"
97⤵
PID:6592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDAB.tmp" "c:\Users\Admin\AppData\Local\Temp\cnnvtjqc\CSC6BE7CC472DB6403CB7E928F695BF767.TMP"
98⤵
PID:6764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:6552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFA37.tmp"
98⤵
PID:8444

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
97⤵
PID:5316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eja0hsjt\eja0hsjt.cmdline"
98⤵
PID:7520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD25C.tmp" "c:\Users\Admin\AppData\Local\Temp\eja0hsjt\CSC9B41B247DD2454C9862ACD13B51EB6.TMP"
99⤵
PID:7432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:7172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFDA0.tmp"
99⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
98⤵
- Drops startup file
PID:8112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xo2wbjsk\xo2wbjsk.cmdline"
99⤵
PID:7432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD77B.tmp" "c:\Users\Admin\AppData\Local\Temp\xo2wbjsk\CSC13DA5A65E4A6483DBAD8F94EE76CD76D.TMP"
100⤵
PID:4856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:5900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp36A.tmp"
100⤵
PID:9020

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
99⤵
PID:6560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfcdz15o\mfcdz15o.cmdline"
100⤵
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCC8.tmp" "c:\Users\Admin\AppData\Local\Temp\mfcdz15o\CSCEBFE079F6F2B4953AF61B4EBEFEDEAFA.TMP"
101⤵
PID:8220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:8256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp"
101⤵
PID:8948

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
100⤵
PID:8356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u3ii133i\u3ii133i.cmdline"
101⤵
PID:8392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE11B.tmp" "c:\Users\Admin\AppData\Local\Temp\u3ii133i\CSCA435C657E8D144E5842EFF86C255958.TMP"
102⤵
PID:8440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:8460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD2A.tmp"
102⤵
PID:8448

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
101⤵
- Drops startup file
PID:8544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rvneu54b\rvneu54b.cmdline"
102⤵
PID:8572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE688.tmp" "c:\Users\Admin\AppData\Local\Temp\rvneu54b\CSC6A0B1B216C564361BB2FFC1DF4B5C3A3.TMP"
103⤵
PID:8616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:8648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1287.tmp"
103⤵
PID:8720

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
102⤵
PID:8728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ppphwmcy\ppphwmcy.cmdline"
103⤵
PID:8768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB97.tmp" "c:\Users\Admin\AppData\Local\Temp\ppphwmcy\CSC677CDD4D339E42B8A07FFCB77D6C9068.TMP"
104⤵
PID:8828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:8840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp17F4.tmp"
104⤵
PID:9204

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
103⤵
- Drops startup file
PID:8924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kljx3ale\kljx3ale.cmdline"
104⤵
PID:8968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0A6.tmp" "c:\Users\Admin\AppData\Local\Temp\kljx3ale\CSCDDC2AC31A33E4C8995AB4EF1892C2C7A.TMP"
105⤵
PID:9000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:9036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:9044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1C67.tmp"
105⤵
PID:9244

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
104⤵
- Drops startup file
PID:9140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r4vont5g\r4vont5g.cmdline"
105⤵
PID:9168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF660.tmp" "c:\Users\Admin\AppData\Local\Temp\r4vont5g\CSCBC5D7A5ECA744D1E82ACCCF93C56EB7A.TMP"
106⤵
PID:8220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:8204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2118.tmp"
106⤵
PID:9412

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
105⤵
PID:8412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eust5fwd\eust5fwd.cmdline"
106⤵
PID:6644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBBD.tmp" "c:\Users\Admin\AppData\Local\Temp\eust5fwd\CSCDDDE5D0DB3724497963E827FD1177AA.TMP"
107⤵
PID:8588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:8640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2887.tmp"
107⤵
PID:9632

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
106⤵
- Drops startup file
PID:8768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\guj2uhv3\guj2uhv3.cmdline"
107⤵
PID:8368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES232.tmp" "c:\Users\Admin\AppData\Local\Temp\guj2uhv3\CSC10AF3BF88EA646F6B0F7D188403157BB.TMP"
108⤵
PID:8888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:9028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2DB5.tmp"
108⤵
PID:9824

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
107⤵
- Drops startup file
PID:9180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hy2wb0jb\hy2wb0jb.cmdline"
108⤵
PID:9184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ED.tmp" "c:\Users\Admin\AppData\Local\Temp\hy2wb0jb\CSCB1F57E85EA914D5A89978FFFF335D48.TMP"
109⤵
PID:8932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:8332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp33EC.tmp"
109⤵
PID:10044

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
108⤵
- Drops startup file
PID:9032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jirsqkcb\jirsqkcb.cmdline"
109⤵
PID:8820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD98.tmp" "c:\Users\Admin\AppData\Local\Temp\jirsqkcb\CSC4FA170A8C4B14A86877DCB9B1E896D46.TMP"
110⤵
PID:8556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:8116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp391A.tmp"
110⤵
PID:10224

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
109⤵
- Drops startup file
PID:9168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v3a455cc\v3a455cc.cmdline"
110⤵
PID:6644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12C6.tmp" "c:\Users\Admin\AppData\Local\Temp\v3a455cc\CSCA1515513F14B91B8E31AD6B287ACC5.TMP"
111⤵
PID:8916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:8400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3E29.tmp"
111⤵
PID:9448

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
110⤵
PID:8368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ff0ab5ad\ff0ab5ad.cmdline"
111⤵
PID:8776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1861.tmp" "c:\Users\Admin\AppData\Local\Temp\ff0ab5ad\CSC3956578B28C42DABFA26382FE493CA.TMP"
112⤵
PID:8216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:9144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp449E.tmp"
112⤵
PID:9688

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
111⤵
- Drops startup file
PID:8388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\frj0pgdu\frj0pgdu.cmdline"
112⤵
PID:9224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D31.tmp" "c:\Users\Admin\AppData\Local\Temp\frj0pgdu\CSCA4D24FDB7D924BE4967C8D6BDA5DA1E.TMP"
113⤵
PID:9260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:9296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4846.tmp"
113⤵
PID:10004

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
112⤵
PID:9396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q5eovxqa\q5eovxqa.cmdline"
113⤵
PID:9424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2250.tmp" "c:\Users\Admin\AppData\Local\Temp\q5eovxqa\CSC190105DA9A4745679C9486196F94FB93.TMP"
114⤵
PID:9484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:9496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp"
114⤵
PID:9256

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
113⤵
- Drops startup file
PID:9548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3n2ei3wz\3n2ei3wz.cmdline"
114⤵
PID:9568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27AC.tmp" "c:\Users\Admin\AppData\Local\Temp\3n2ei3wz\CSCF7ADFA305CF54325891FC6FE7E53ECC7.TMP"
115⤵
PID:9612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:9652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp53FA.tmp"
115⤵
PID:10072

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
114⤵
PID:9748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qlahycit\qlahycit.cmdline"
115⤵
PID:9772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E03.tmp" "c:\Users\Admin\AppData\Local\Temp\qlahycit\CSCFC65EACAED4C4325BFEE48B2841D2016.TMP"
116⤵
PID:9832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:9872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5A6F.tmp"
116⤵
PID:3968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:9864

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
115⤵
PID:9940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fk4m2q3q\fk4m2q3q.cmdline"
116⤵
PID:9992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33AE.tmp" "c:\Users\Admin\AppData\Local\Temp\fk4m2q3q\CSCD416A21842584A26A1C849F9E82AACA2.TMP"
117⤵
PID:10028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:10088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5F8E.tmp"
117⤵
PID:10052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:10080

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
116⤵
PID:10168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wq55ycsv\wq55ycsv.cmdline"
117⤵
PID:10200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39D5.tmp" "c:\Users\Admin\AppData\Local\Temp\wq55ycsv\CSCFF030C49610F4D69AE92257A49DBBE6.TMP"
118⤵
PID:536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:9288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp65D5.tmp"
118⤵
PID:9404

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
117⤵
PID:9464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tcch04ne\tcch04ne.cmdline"
118⤵
PID:7412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES404B.tmp" "c:\Users\Admin\AppData\Local\Temp\tcch04ne\CSCAAFCDB4844C43529068BCE95AF6CB71.TMP"
119⤵
PID:9612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:9588

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
118⤵
PID:9732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gqua0x03\gqua0x03.cmdline"
119⤵
PID:9776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46D0.tmp" "c:\Users\Admin\AppData\Local\Temp\gqua0x03\CSCD110609BDC6C469F96D0E06236C6E28.TMP"
120⤵
PID:9400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:7732

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
119⤵
PID:9564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxtfwq1l\uxtfwq1l.cmdline"
120⤵
PID:9920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D74.tmp" "c:\Users\Admin\AppData\Local\Temp\uxtfwq1l\CSCE18FF50B7FC041FE9F5233144C69193.TMP"
121⤵
PID:10208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:8028

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
120⤵
PID:8136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oykyebf0\oykyebf0.cmdline"
121⤵
PID:7916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5457.tmp" "c:\Users\Admin\AppData\Local\Temp\oykyebf0\CSC885D76E42D0545B287F2B04B5671EA17.TMP"
122⤵
PID:10140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:9808

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
121⤵
PID:9992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ow0ci154\ow0ci154.cmdline"
122⤵
PID:9432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A6F.tmp" "c:\Users\Admin\AppData\Local\Temp\ow0ci154\CSC24E743596F58483B98EC386858F224E1.TMP"
123⤵
PID:10204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:9860

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
122⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbd4qawe\jbd4qawe.cmdline"
123⤵
PID:9468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES602A.tmp" "c:\Users\Admin\AppData\Local\Temp\jbd4qawe\CSCC6E7AE8FA36D40138AE9E44214ACC487.TMP"
124⤵
PID:9556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:10204

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
123⤵
PID:9740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sjpdmm1o\sjpdmm1o.cmdline"
124⤵
PID:8708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6680.tmp" "c:\Users\Admin\AppData\Local\Temp\sjpdmm1o\CSCAD484EA7F9B84D18A6BDE71840F81AC4.TMP"
125⤵
PID:10208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:9584

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
124⤵
PID:9116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "74578603810443607601851474354744201006288589034-98182809-1721509913-867406101"
1⤵
PID:868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6036479411609802236-3515108161902730754-1639962423-665894405-1885368543-1805471533"
1⤵
PID:3428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "37091848722533173714878322-840356657-12345876621584112128-685497862647377935"
1⤵
PID:2132

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0hz5ahc3\0hz5ahc3.dll
MD5
53debff7df4388a77a155a0eae928242

SHA1
c89788cd900a2017a76294a0a51765d595ea43db

SHA256
a36980ea44224c022dab1e2eec235c836b8d934c9b7d229f665349227573fe31

SHA512
0efada8e4a181b776d7371c0978358e799fd42d87c8bf32c6c79d02c6817be6d0791f9af8616505e1aabf2b9b5fb9e876472b23609de4bc56056e759e77335a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\23jedbmp\23jedbmp.dll
MD5
2b2d05cef4b4d0de3ef9d0e86b5331f8

SHA1
161206a85be8872b9410a1ae3fe984ed2531854b

SHA256
41077759b174c274c6128382a6f4644611762ff7f2986c11351e8b6fa561a152

SHA512
40cae9bfe7a79179e222889e02843539e082ca740e27db781317c70cee57628860c2ed1a661ee2d52f338717846e8e54484723f26c9986be694591219957bb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4l12vfml\4l12vfml.dll
MD5
5b81ac06b4913b9bf7d703d953422b58

SHA1
37ac5e1c4c8c208062999d4a3bae0445360998e7

SHA256
b9084264aeac983e9b4b410f7717dfa6133771800195422e56b5f02d6a1c5300

SHA512
b772b8ddf9da340be94237c49993e22ed93c1b47cbd39115e42e45c0894349ab6e5dc319651fca0eef764f2198c6b560bad237aa6aad0a4eac0dc6a34b11a4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5csqsiio\5csqsiio.dll
MD5
e91072cfde54cf191c24838bd9653899

SHA1
5787a2b195ca83376fa7543f3fcf6499772f703a

SHA256
680feff5d60a9b4124c1ba5b26547f6d4c5f3d45e58b2d3e6e4de3cc83ba155a

SHA512
550ee51fb5d55440078255ef85f57e3e924a4d6a46da951c3ee1ad7145302f46315c99d4f7cd65d0eb38078f4f5b86a83f5bd4888ff0545e844fd4b9e9f30f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2952.tmp
MD5
1db1111d12bb367073b37fb4e3f179b0

SHA1
fcb4203eb68c02bd31dc286e917ba374e31430f9

SHA256
243cb765663866115b97ad1710d9d165d084bad01ac71bc7ceb30b375045a65a

SHA512
861e450200f2c903be6055a707cf5f4aed9ec5988515613c5870bdbc56ea732a1942e6c2d1b94397a93ad735f3770dc975724971f419443ffa7d47f87883333c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3092.tmp
MD5
9001f84485b03068a86c949fd5c7cfed

SHA1
e4215670790501deb5a4d932d68d81b56f2b3deb

SHA256
f4b8fd40b894970d16b90bc0c479567667acbc97527287676a2bcdf9fb7de94b

SHA512
701ca5f5b1ba6d8c6ea6ac28fec6bcb24db5fc94587f1b38710e99a2d2ed3b40bc8cfdfd7c937cc1fb2865c49ee0e4d50ce2fcb3aff2483b91ced0e41d181b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES368B.tmp
MD5
55d0412ec4738cdf099411fc436927c7

SHA1
51530054f1e15a1cd07a7021db09c9b8634e74f6

SHA256
1373c66037788a706e966205c7262b742a4802d35fb8bbe4b1ff05bddfa18e84

SHA512
24ae4db9a8b8b7e24ffc28f8288c7edaaa3263bb77ea4037abb7c7157bb7de320c69efbd7b78b908a455229076db8f279310d22cfd8e46a70945b316ea29b3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E58.tmp
MD5
1692cef318c02d4d14cf447582c8aa73

SHA1
2a01da95cc0fa1e1e4e228b73faafce3d8706539

SHA256
3ef0463fce47f957cff549ba60f9f41f2fbddb0bc71b3f7031ab450909a760e6

SHA512
102a26bce6cc122a96f1e4705e02bff0a19c87233827edf4d0999dda44be80eecf9632bc6be1fde0d470655a622d1318511d3ae1b5fdd985ea0e80fca70cabeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES42F9.tmp
MD5
de94018360cf5d866c0b85cba0f6c878

SHA1
5738768af2f31ba9b52d553036352ed3438da20a

SHA256
7acea6ce15d5618fb075d4163398a43ad7b0290d1811baf82ba0e2acb1666f9a

SHA512
cbf2d997d46f210a9754f092c44db98eb716ed813fc4f6d812188aab099d80c367f2ac290fda09a1a4b5a4c46e633834f5790d90f479abfa4496a9d9d1dcaa10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4875.tmp
MD5
e66c807e0d79a38f456ca62b64b85df5

SHA1
ffbd9d6b7fea3ca547ad652520607aa8d340c62b

SHA256
485abb921935c9c5437182462c58ff15728428da6bee8ec16e7d935320c5038a

SHA512
1ec0aaad2f9ce95758d1c7ad6c096350eee8677d12d0dc4ec9a30c28b5d8ef6ac76fe47f2c921adcfe551c590250adff67ad4a78872da41d5418e6f397010b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4EAC.tmp
MD5
5641e09905f7579ff30d5f1e2444d5e2

SHA1
c8a4c18fa985c553a01f89868194607c23c31a67

SHA256
0026b0034956044bec4cce024894fe51079fc887aac3d47728af15a7a7a0d8b1

SHA512
f1fa60e244bff72a18072ad4761f4e203ec8e7abbc0b44cf69a656b754e00e847c5f7fa3cca1a417a0c3e44ed8c2534e46641fa71d6d3462647c192a540df6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES54A5.tmp
MD5
113b06c5c0536655306e83fbee0b76a5

SHA1
31bdbbec28a6600add3426e98ccd66e3941303e3

SHA256
6afae3f22e04ef138ef31c6d79c640de55ee7157f23cf020dd398ff1b96b100b

SHA512
72b0fb1a40dae005bc986871586f39cb9d6fff1c3918058ad1a9bd1db42e9eceb48e5d861522ab02dde8aa37dfad8f3d6196ab570277322e751536dfdf45f206

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5976.tmp
MD5
4c1a70c17a4a984332fc4d4e5079c3ea

SHA1
8ee4cddb2af0ccc175463e3e58d4b4bc6126a16d

SHA256
305094ca151763c75705388c3d94b9c8037c51db389ee148d8a53da847127248

SHA512
800fd7094d839a09dfe8950d359bdc007205d6643fbf4565050374ed4e0503a23300fbc52c832ba0468dde73c41ae86835c2bb7143d3ad8ce500a913cddb780e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0w0aod2\d0w0aod2.dll
MD5
1ac2695c39711323439c2e3ba0cc169f

SHA1
cf64b71cf02bfe231a2ef4be1fde2502a15bd844

SHA256
989162f27102a7e60b31702f9c1044f8ee6ca17453f0966af059ea315d0f12b3

SHA512
64267a62a4c56150aacdbf7285a0f74e582d7d50f4bfd9c20030b3040d07748087f4741a77de9a84fe5bd0f10edbda97ff3269a15026346bd90efc926bbc693c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldbkuqzq\ldbkuqzq.dll
MD5
02f92a41ba1b26a92e66d166837dcd89

SHA1
c53072f99adc782c4154175d8defd9915b188881

SHA256
6e17d290bca4afe55e079aa789d09fc63257d867d86adffe3cc522e195129596

SHA512
e38666f1c1b855822109cc4b0a9436d8c460a1390d5eb065edcd17b578e38b9e4c7d69010e611597ac25a980d486278bf4626f527b36ddde45470d2f12d139a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ob54a3ue\ob54a3ue.dll
MD5
8b9663b7feb665c4bc77d5a3e7f472d9

SHA1
2d3e9598bbb652aee78f1ce4eb7e83fd371d8cf5

SHA256
9a12d46415c881ada22dbb05f488df05815de961eff9528d8ec997f4593472ad

SHA512
fe7d79a4932710371caa093fbf6fc699d22c2bbf0f3a7ee7ba2e5ae024c56208b30b6b8aa900fefaee8174ca510562f5684fdcf6ba69d8ff8c24e8bb61df21f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcyflees\xcyflees.dll
MD5
4593aae3373938d0627ce074dfa554e9

SHA1
c6de6098b081cd36579697dcdc094d16bad47750

SHA256
ed6304e75a9e331014c2043170e305fb7ee8da2d5c7a1c2eab51a1863d6dd2ff

SHA512
b99f8e57973ce44aac9d9f8efb6ca2c5da795bc5400c1acd06c392a547efb96420d869cc01447f352042181b9ba2c492831339f8dba51daff611e8b8cce61d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yp2f4vbz\yp2f4vbz.dll
MD5
a687ac9ae74ece666b2d2e3b85ac2a73

SHA1
8e22dc4c718f1bcd5a3377fe05479876ae74ba86

SHA256
3c254a2cb4788a27b7baf39564c392cd257ded6824b8f966b0d93ebde01acf3e

SHA512
503ea658953cf4217522ad35210a494cb0721d8826da0701a5de87e3ca54431297539395be619c54ce6c4cd36a92a820d583142c3a576e54fb37b95a0e980f7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0hz5ahc3\0hz5ahc3.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0hz5ahc3\0hz5ahc3.cmdline
MD5
2265f9cc255e65fc72a44886f628887e

SHA1
9483c435014348a684f8d9ca7c3b6a43c3f30e2a

SHA256
b62d039f4653f61042c4dec5c528d14d5f3e7d2a8567700998bfe673edabdcff

SHA512
e9f5c684160aada1658c9739b73307636fa7c06cedb0c8e7aad4719de136e4d904b70a3eff51eeb8efd0c81d5891419f373bac5dfce7dec4b02a0a250b162e2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0hz5ahc3\CSCCE1DB536AE574EA486D46058AFE06385.TMP
MD5
7015c8cfd284d233651a115006bbf936

SHA1
81428cc426efd6e4dcb97f557484d78b5e16e79b

SHA256
02f93e339d5d9cf0b33b93d8c0467e41773abf0a4a08c10d92e4ab50df934580

SHA512
d055e38d4eea680d95a6cbe72d79a67f65dd0418c3fe0e6eb8561de2bc89165530bd2fa884149db014f0b42ad2df65ff04807f8f61201c915644c91c21da8d7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\23jedbmp\23jedbmp.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\23jedbmp\23jedbmp.cmdline
MD5
8c7704c71cf48468ffaf4800a8500246

SHA1
3571353210a1f5694807c5fe88b4d6e73a7da1af

SHA256
9dd140f409cb6e4b1495ee2489a797ea72dc8b53f72247c41cc93d625f21dc69

SHA512
5129c73dad0b21c6df4bf33975a98a594c514e4749e4ed13775e107afac46840730f19c88e227a828cb20c9d6d908f89554223d9215406ff2f4d8e7352ca744f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\23jedbmp\CSCB5C7C0271B11438C9D987FF36766ABEA.TMP
MD5
be28088fe05cc91b2934bcd1b7b4ac75

SHA1
c8f6744987a873d2d373c51e70b704179ba08447

SHA256
cdb6f755e1bad2dde8de02daf9c50d4518a7ab1eec11e39702e7362b0782ecba

SHA512
94448d7f87443c2405c439696d22b688dfd5841833bed8ba9d54326009192039f285a06258107c21234610916870f3e23074fdcfa3be9c19bf4ca777f416d5ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4l12vfml\4l12vfml.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4l12vfml\4l12vfml.cmdline
MD5
708151d570581e6919311548928e0951

SHA1
3815cf17c4545afafcd1a1fda6e39bb308245257

SHA256
48aacdb4c2ce203d08bc7abf3dcb8c833549184388976446038603d9389ed011

SHA512
cc3ada770504e5fa78db50f1502377b753695d02c50bb73a73142d866aa1f25912d8d2709b39b2370c11e72fab8c0b209a9f8a965f3cc34b6cf99497c5966d1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4l12vfml\CSCB8D097EB7FE0495EBD028A467424958.TMP
MD5
86b790d3d67d70f00e98e6ef08788e45

SHA1
4c984cbf725613a5c54267ec1e6da25d89f7242b

SHA256
0d016056dca9387effdfd258ceb70cd4ec1b5497ab260657e984f8386563d9b2

SHA512
502ce9d8f37950e48c39b90a0023a9924a6bf540f10b4fb7283d4f748a233ee1a427c9fe751f3431d502c8a68819506c7360c939ef85f1e950187c1032f6b4d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5csqsiio\5csqsiio.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5csqsiio\5csqsiio.cmdline
MD5
631219ed3c3edb1e45cb2fcc39a103d9

SHA1
f896b877cedcc3e84e1dced16e6ca21ed6f3bc49

SHA256
2cf9ff6dfc07b8cfeb79db5f1201c77fd9f3d231f09e6cbd89fe02a0619c59bc

SHA512
4457c43113c0f5249d4b281228a91e8c6fa302e6e1dd3d1fdb145396022c19d8238d6aba9d07d47062bb550a19668ede0bfdf09ea934632824a976da3525f26d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5csqsiio\CSCBAEB31180D04696AE1F4FFF532B52F0.TMP
MD5
a6e2638bae4f6dbb04212bf85b6560e6

SHA1
8077f98bd29a3e05530280dbc308ad46687107ed

SHA256
240081891c8176d5106db6a468a5e632d082fa308879661a279d73570e3492c4

SHA512
e17734b4dcdb2b3fbf27d87022ab85519a9d5f9c67399bd44a59903112dd26e24a1336edd344c84085027fa64a726fd032dec1fd6a30ea60b236e626bfe9f41f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d0w0aod2\CSC5CEFE542FD144E37A81DFD12B90752.TMP
MD5
75a85735ad657e009e5fafab99aacba9

SHA1
9a18e2910ee0df8d86c40683ccb99638b6ff2342

SHA256
7999044bc749eeacec5bfff681ecd60a07eba872944bb087eef449cc11cd30fa

SHA512
eb7f6f5958e37bfa8fb0175e39fb4eb22103026ca04c40a82844e05de7d6eb6492cf16dcbb05e1e0a1982b6c6d6eb42e441c4d054b5ac41fc100bb5947a372b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d0w0aod2\d0w0aod2.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d0w0aod2\d0w0aod2.cmdline
MD5
1d4fa5f7e9cc1c59a731c0f611b05645

SHA1
67c220da5c6057e1578986f1a3effdae9ae8e1ed

SHA256
e56ba3cbd3f088ef79e39d2bdf091bfd3c95d2106955cc5d11ee6068f7858b36

SHA512
ac8845788bc1240b21f06156e63c3720e21f20dca7b1bdbe4e62b5c9b03c47ee85f1570131cc470ff215100c5539a0b496fa0cda7e8b5e62a2e842d99e2e3a73

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jt5tdhai\jt5tdhai.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jt5tdhai\jt5tdhai.cmdline
MD5
4259737e52be0aa4624b077b018833f0

SHA1
72d93e1107fc8b44ed62e21d95f9fb28a48c1f57

SHA256
9dbf6a303fdab1dc247c96d059ea9e5a51d4a2e542cf8f4176db64185787876f

SHA512
ee12e63666107aa4328ba106e0f588e0aa648608f32762ac85c331b0817e976b9bfd4546d3a0d77e0d2c977213e402dea0ba75070220e729cd9e7897099babe1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ldbkuqzq\CSC7C6BD0EB37EA4CDFB752E23E4BF02A88.TMP
MD5
5c1561121a62afb8eb3bbc1750273004

SHA1
887b62c2666db04fdf52531449a3cf186dda2ab9

SHA256
450548092efe9e78799cae868678bacd195b6fa62b56464aab589d7c15f78ae0

SHA512
7b252ceeca8163b3bb9a25038510dafa5d9c139f8e496fb4edd02f580d4997c71c564998ba2ea54cab4aa4e42caff742536d4ea22900d357de01b4fa475c3ed3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ldbkuqzq\ldbkuqzq.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ldbkuqzq\ldbkuqzq.cmdline
MD5
82f97fdf4ac5e98dba2f7dbd1b7383ca

SHA1
87c6d02830b34c1f8318f0cdb7e54c066d90592a

SHA256
17ef53bdb8e13c523ca42f6e862f29d861f75fea0e4af28846bb2d50d85daff5

SHA512
b6cbe3d8b11230e9a7d121fd1051951e0561a55e31902d98bbfea0fd18c3b69ec21cff92cb1707dd8ef150e1359d15fd0ae63378b7eacf4485d176066f190b99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ob54a3ue\CSCB174E02C4D634D14A72F11E380BE53B4.TMP
MD5
6f0d20ce2cdbacb4036a04141d103340

SHA1
cd2f5634868552c095602bc3cbf02141a2aa8331

SHA256
50b4cd83f4a2251fdc4f25aef591c4ad077589fd6f847c653689b6516d777c70

SHA512
dd795a94a00da7816039db72140800245dd3472dad67713d17aab3ae045237f73785fde0e7f2211e23d192ce0dcecd0ef2b7bc5aca29f2329a02d2d74983ca93

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ob54a3ue\ob54a3ue.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ob54a3ue\ob54a3ue.cmdline
MD5
213594a5f64d1674a1b17e09f73c8e61

SHA1
fcd70fe8a956a31427dbfa47a58c9d819cfaddc2

SHA256
672d134f7558b926b6fd4c50d190fe10e8754cfd349b742c6c1a75a27944b4f4

SHA512
4c48b08eb5142b4e36e0c28a9facddc7837f135805b158fe3c5b2f79d0a74802ac5cd50cd1aad8733bcc3a02f112a3327f3dfa66e691b436116a09fb190f72be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xcyflees\CSC3F3A30B239A74E75A32EBC49544268C.TMP
MD5
a488c86dc18441d047ce56d6e91dcdde

SHA1
3713e3c74160fe68ba0df011081e3b4ae648093f

SHA256
7b4e4a127b65401cb6d80178dd821bc0316ce9697f31c9e6f5986518ad8c39ae

SHA512
572679fd8ff3c2ae193381dfcd9bb55f6ff9ef74d87d60bf2196f17cdc01546939f23f0ceb0c7192a340dd787d06fee7eb03e019c72d4d97b21060e31efe1934

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xcyflees\xcyflees.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xcyflees\xcyflees.cmdline
MD5
434bd069f8cf8893dd65c2c0ed68f9f0

SHA1
4d85325f026bf9f5c9e54cd5895cb5f295a9d07a

SHA256
21c0606e708145d5cdcaca3b05c7c1bf407bbf52bc8957fb00680969e2224311

SHA512
5019f6096cf3a883524c33ada721db83e3a543865c010b76d8a11b2d85f6892269e7ea25564d71a579b8d5300556b4ce71c44f1686e658bd471d7d96c67b9bb3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yp2f4vbz\CSC485FD26163E341828C409F548095FF8A.TMP
MD5
97e9733dba80e1ab804afb673f4f0373

SHA1
7561a0e278b04124cee13a32faca7ee1f288dc3a

SHA256
6b1821069f686d95ac807b8d87a93de95d17f02eee0671674ce0030d2bd8a8c6

SHA512
78bbde4513e42d8bc2339c4fb3bff285e175b9b55a736969c7259cfb8d7c7906388131401ad9b912798832ebf7994ec563a6ad5eafc935c18a59264d22dbd652

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yp2f4vbz\yp2f4vbz.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yp2f4vbz\yp2f4vbz.cmdline
MD5
f445443e99b2686aa65e919909c5c773

SHA1
664e03533df16b3ee73170a04a364ef9461b2a95

SHA256
6bc2fe6e4b8573fda0e5af36c621d784a730ea05d2d0e5aff0e100956daba722

SHA512
03c16caf7a4d4426c192f476827627b0d7728c708a19d3d2e57c3e89fd3d4dd8074306e595d34e96e3dd5285bfeca803e48217755de5dcd1176cdd53f60c8eb9

Download Submit
memory/276-179-0x0000000000000000-mapping.dmp

Download
memory/316-244-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/316-225-0x0000000000000000-mapping.dmp

Download
memory/316-231-0x0000000000000000-mapping.dmp

Download
memory/332-315-0x00000000007F5000-0x0000000000806000-memory.dmp

Filesize
68KB

Download
memory/332-211-0x000000000048B2FE-mapping.dmp

Download
memory/332-221-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/340-200-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/340-188-0x000000000048B2FE-mapping.dmp

Download
memory/340-308-0x0000000002625000-0x0000000002636000-memory.dmp

Filesize
68KB

Download
memory/436-78-0x0000000000000000-mapping.dmp

Download
memory/436-85-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/436-93-0x0000000004C60000-0x0000000004DEB000-memory.dmp

Filesize
1.5MB

Download
memory/524-208-0x0000000004B80000-0x0000000004D0B000-memory.dmp

Filesize
1.5MB

Download
memory/524-192-0x0000000000000000-mapping.dmp

Download
memory/524-203-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/572-124-0x0000000000000000-mapping.dmp

Download
memory/572-134-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/572-139-0x0000000004D70000-0x0000000004EFB000-memory.dmp

Filesize
1.5MB

Download
memory/644-237-0x0000000000000000-mapping.dmp

Download
memory/668-299-0x000000000044472E-mapping.dmp

Download
memory/740-86-0x0000000000000000-mapping.dmp

Download
memory/868-156-0x0000000000000000-mapping.dmp

Download
memory/920-89-0x0000000000000000-mapping.dmp

Download
memory/948-130-0x0000000000000000-mapping.dmp

Download
memory/1072-220-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1072-215-0x0000000000000000-mapping.dmp

Download
memory/1092-198-0x0000000000000000-mapping.dmp

Download
memory/1100-245-0x0000000000000000-mapping.dmp

Download
memory/1100-260-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/1152-63-0x0000000000000000-mapping.dmp

Download
memory/1160-160-0x0000000004EC0000-0x000000000504B000-memory.dmp

Filesize
1.5MB

Download
memory/1160-148-0x0000000000000000-mapping.dmp

Download
memory/1160-166-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1196-230-0x000000000048B2FE-mapping.dmp

Download
memory/1196-204-0x0000000000000000-mapping.dmp

Download
memory/1196-243-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1220-185-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/1220-170-0x0000000000000000-mapping.dmp

Download
memory/1220-183-0x0000000004E40000-0x0000000004FCB000-memory.dmp

Filesize
1.5MB

Download
memory/1316-302-0x0000000004C35000-0x0000000004C46000-memory.dmp

Filesize
68KB

Download
memory/1316-184-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/1316-163-0x000000000048B2FE-mapping.dmp

Download
memory/1356-115-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/1356-262-0x0000000004FA5000-0x0000000004FB6000-memory.dmp

Filesize
68KB

Download
memory/1356-96-0x000000000048B2FE-mapping.dmp

Download
memory/1388-222-0x0000000000000000-mapping.dmp

Download
memory/1392-234-0x0000000000000000-mapping.dmp

Download
memory/1476-300-0x0000000000000000-mapping.dmp

Download
memory/1504-153-0x0000000000000000-mapping.dmp

Download
memory/1532-255-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1532-242-0x000000000048B2FE-mapping.dmp

Download
memory/1548-131-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/1548-119-0x000000000048B2FE-mapping.dmp

Download
memory/1620-107-0x0000000000000000-mapping.dmp

Download
memory/1640-292-0x0000000004D65000-0x0000000004D76000-memory.dmp

Filesize
68KB

Download
memory/1640-142-0x000000000048B2FE-mapping.dmp

Download
memory/1640-165-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1660-67-0x0000000000000000-mapping.dmp

Download
memory/1724-263-0x00000000009F5000-0x0000000000A06000-memory.dmp

Filesize
68KB

Download
memory/1724-84-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1724-73-0x000000000048B2FE-mapping.dmp

Download
memory/1724-75-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1724-77-0x0000000000D00000-0x0000000000D72000-memory.dmp

Filesize
456KB

Download
memory/1844-135-0x0000000000000000-mapping.dmp

Download
memory/1868-100-0x0000000000000000-mapping.dmp

Download
memory/1868-117-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1868-114-0x0000000004EC0000-0x000000000504B000-memory.dmp

Filesize
1.5MB

Download
memory/1904-176-0x0000000000000000-mapping.dmp

Download
memory/1936-72-0x0000000004200000-0x0000000004294000-memory.dmp

Filesize
592KB

Download
memory/1936-60-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1936-62-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1936-64-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1936-71-0x0000000004BB0000-0x0000000004D3B000-memory.dmp

Filesize
1.5MB

Download
memory/1936-83-0x0000000000420000-0x0000000000423000-memory.dmp

Filesize
12KB

Download
memory/1984-110-0x0000000000000000-mapping.dmp

Download
memory/2112-248-0x0000000000000000-mapping.dmp

Download
memory/2136-298-0x0000000000000000-mapping.dmp

Download
memory/2164-251-0x0000000000000000-mapping.dmp

Download
memory/2180-265-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2180-252-0x000000000048B2FE-mapping.dmp

Download
memory/2224-256-0x000000000044472E-mapping.dmp

Download
memory/2224-259-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2232-257-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/2232-253-0x0000000000000000-mapping.dmp

Download
memory/2240-254-0x000000000044472E-mapping.dmp

Download
memory/2272-301-0x000000000048B2FE-mapping.dmp

Download
memory/2272-305-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2292-258-0x0000000000000000-mapping.dmp

Download
memory/2320-306-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2392-266-0x0000000000000000-mapping.dmp

Download
memory/2488-267-0x000000000048B2FE-mapping.dmp

Download
memory/2488-274-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2516-268-0x000000000044472E-mapping.dmp

Download
memory/2548-269-0x0000000000000000-mapping.dmp

Download
memory/2548-275-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/2576-270-0x0000000000000000-mapping.dmp

Download
memory/2604-271-0x0000000000000000-mapping.dmp

Download
memory/2616-310-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2636-282-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2636-276-0x000000000048B2FE-mapping.dmp

Download
memory/2676-277-0x0000000000000000-mapping.dmp

Download
memory/2676-283-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2712-278-0x0000000000000000-mapping.dmp

Download
memory/2740-279-0x0000000000000000-mapping.dmp

Download
memory/2748-311-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2784-291-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2784-280-0x000000000048B2FE-mapping.dmp

Download
memory/2844-285-0x0000000000000000-mapping.dmp

Download
memory/2844-295-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/2872-286-0x000000000044472E-mapping.dmp

Download
memory/2888-287-0x0000000000000000-mapping.dmp

Download
memory/2920-314-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2964-288-0x0000000000000000-mapping.dmp

Download
memory/2972-313-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2980-289-0x000000000048B2FE-mapping.dmp

Download
memory/2980-294-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3040-290-0x0000000000000000-mapping.dmp

Download
memory/3040-293-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads