hawkeye_reborn | 53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2

Analysis

max time kernel
125s
max time network
154s
platform
windows10_x64
resource
win10v20210410
submitted
17-05-2021 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Size

1.9MB
MD5

0ed89a2b994f5971723fcaf56524e2ea
SHA1

0337eda7964ae4ab9a8738edfa04ef29d7b8209c
SHA256

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2
SHA512

2010cd5d65f4bfd3eb62f8c2bd3b790576253fc4663dcb00560ff026e24b52ce84ef5c2b3af85bfdbab6a74e2a2a008c55f958502306e3374ce503895715b591

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.crestpak.com
Port:
587
Username:
reception@crestpak.com
Password:
I-rec2018@30crest

Mutex

95f0b856-dab1-4e72-9e89-97c695819f8b

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:I-rec2018@30crest _EmailPort:587 _EmailSSL:false _EmailServer:mail.crestpak.com _EmailUsername:reception@crestpak.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:32800 _MeltFile:false _Mutex:95f0b856-dab1-4e72-9e89-97c695819f8b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/2576-127-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2576-130-0x0000000005020000-0x0000000005092000-memory.dmp	MailPassView
behavioral2/memory/4404-323-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2576-130-0x0000000005020000-0x0000000005092000-memory.dmp	WebBrowserPassView
behavioral2/memory/4164-308-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral2/memory/4164-311-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4692-329-0x000000000044472E-mapping.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2576-130-0x0000000005020000-0x0000000005092000-memory.dmp	Nirsoft
behavioral2/memory/4164-308-0x000000000044472E-mapping.dmp	Nirsoft
behavioral2/memory/4164-311-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4404-323-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4692-329-0x000000000044472E-mapping.dmp	Nirsoft

Drops startup file 64 IoCs

Processes:

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exeRegAsm.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exeRegAsm.execvtres.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	vbc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	vbc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	vbc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	vbc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	cvtres.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	vbc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 bot.whatismyipaddress.com

flow	ioc
18	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 64 IoCs

Processes:

description	pid	process	target process
PID 3152 set thread context of 2576	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3984 set thread context of 2772	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 184 set thread context of 3988	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1244 set thread context of 3280	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3172 set thread context of 2536	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3892 set thread context of 1772	3892	cvtres.exe	RegAsm.exe
PID 184 set thread context of 1664	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2836 set thread context of 3900	2836	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3776 set thread context of 1800	3776	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2576 set thread context of 4164	2576	RegAsm.exe	vbc.exe
PID 3788 set thread context of 4208	3788	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2576 set thread context of 4404	2576	RegAsm.exe	vbc.exe
PID 2772 set thread context of 4416	2772	RegAsm.exe	vbc.exe
PID 4276 set thread context of 4468	4276	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2772 set thread context of 4680	2772	RegAsm.exe	vbc.exe
PID 3988 set thread context of 4692	3988	RegAsm.exe	vbc.exe
PID 4540 set thread context of 4724	4540	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3988 set thread context of 4912	3988	RegAsm.exe	vbc.exe
PID 3280 set thread context of 4972	3280	RegAsm.exe	vbc.exe
PID 4796 set thread context of 4996	4796	csc.exe	RegAsm.exe
PID 3280 set thread context of 1784	3280	RegAsm.exe	vbc.exe
PID 5068 set thread context of 2068	5068	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2536 set thread context of 4384	2536	RegAsm.exe	vbc.exe
PID 4180 set thread context of 3384	4180	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2536 set thread context of 4648	2536	RegAsm.exe	vbc.exe
PID 1772 set thread context of 4500	1772	RegAsm.exe	vbc.exe
PID 4644 set thread context of 4868	4644	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1772 set thread context of 4120	1772	RegAsm.exe	vbc.exe
PID 1664 set thread context of 5112	1664	RegAsm.exe	vbc.exe
PID 4848 set thread context of 3792	4848	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3900 set thread context of 5036	3900	RegAsm.exe	vbc.exe
PID 1664 set thread context of 4596	1664	RegAsm.exe	vbc.exe
PID 4396 set thread context of 200	4396	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3900 set thread context of 4172	3900	RegAsm.exe	vbc.exe
PID 1800 set thread context of 4756	1800	RegAsm.exe	vbc.exe
PID 2876 set thread context of 4524	2876	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1800 set thread context of 504	1800	RegAsm.exe	vbc.exe
PID 4208 set thread context of 4856	4208	RegAsm.exe	vbc.exe
PID 4768 set thread context of 4880	4768	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 4468 set thread context of 4688	4468	RegAsm.exe	vbc.exe
PID 4208 set thread context of 4628	4208	RegAsm.exe	vbc.exe
PID 4340 set thread context of 5060	4340	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 4724 set thread context of 4588	4724	RegAsm.exe	vbc.exe
PID 4468 set thread context of 4632	4468	RegAsm.exe	vbc.exe
PID 4776 set thread context of 4540	4776	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 4724 set thread context of 5148	4724	RegAsm.exe	vbc.exe
PID 4996 set thread context of 5168	4996	RegAsm.exe	vbc.exe
PID 2284 set thread context of 5204	2284	Conhost.exe	RegAsm.exe
PID 4996 set thread context of 5364	4996	RegAsm.exe	vbc.exe
PID 2068 set thread context of 5400	2068	RegAsm.exe	vbc.exe
PID 5272 set thread context of 5452	5272	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 2068 set thread context of 5696	2068	RegAsm.exe	vbc.exe
PID 3384 set thread context of 5708	3384	RegAsm.exe	vbc.exe
PID 5524 set thread context of 5744	5524	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 4868 set thread context of 5916	4868	RegAsm.exe	vbc.exe
PID 3384 set thread context of 5948	3384	RegAsm.exe	vbc.exe
PID 5816 set thread context of 5980	5816	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 4868 set thread context of 6136	4868	RegAsm.exe	vbc.exe
PID 3792 set thread context of 2228	3792	RegAsm.exe	vbc.exe
PID 6048 set thread context of 5176	6048	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 200 set thread context of 5408	200	RegAsm.exe	vbc.exe
PID 3792 set thread context of 4808	3792	RegAsm.exe	vbc.exe
PID 4984 set thread context of 2064	4984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 200 set thread context of 5944	200	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

pid	process
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execvtres.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exeConhost.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

pid	process
3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3892	cvtres.exe
184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2836	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3776	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3788	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3788	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3788	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4276	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4540	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4796	csc.exe
5068	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4180	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4644	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4848	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4848	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4848	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4396	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2876	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4768	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4340	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4776	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
2284	Conhost.exe
5272	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5524	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5816	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5816	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6048	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5600	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5600	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5272	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5272	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5272	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6016	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6104	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5492	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
5284	vbc.exe
6092	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6296	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6540	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6756	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6968	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6968	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6148	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6148	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6148	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
3404	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6832	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6752	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6752	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
6588	vbc.exe
5808	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
4720	vbc.exe
6608	vbc.exe
6608	vbc.exe
5660	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
7328	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
7328	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execvtres.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exeConhost.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exevbc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exevbc.exeRegAsm.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3892	cvtres.exe
Token: SeDebugPrivilege	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2836	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3776	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3788	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4276	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4540	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4796	csc.exe
Token: SeDebugPrivilege	5068	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4180	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4644	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4848	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4396	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2876	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4768	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4340	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4776	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2284	Conhost.exe
Token: SeDebugPrivilege	5272	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5524	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5816	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6048	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5600	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5272	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6016	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6104	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5492	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	5284	vbc.exe
Token: SeDebugPrivilege	6092	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6296	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6540	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6756	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6968	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6148	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3404	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6832	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6752	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	6588	vbc.exe
Token: SeDebugPrivilege	5808	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	4720	vbc.exe
Token: SeDebugPrivilege	6608	vbc.exe
Token: SeDebugPrivilege	5660	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	7328	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	7572	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	7796	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	8028	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	7180	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	7692	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	3224	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	8112	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	7812	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	7864	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	7692	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	1440	vbc.exe
Token: SeDebugPrivilege	7852	RegAsm.exe
Token: SeDebugPrivilege	7800	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	8328	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
Token: SeDebugPrivilege	2576	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.execsc.exe

description	pid	process	target process
PID 3152 wrote to memory of 1384	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 3152 wrote to memory of 1384	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 3152 wrote to memory of 1384	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1384 wrote to memory of 1800	1384	csc.exe	cvtres.exe
PID 1384 wrote to memory of 1800	1384	csc.exe	cvtres.exe
PID 1384 wrote to memory of 1800	1384	csc.exe	cvtres.exe
PID 3152 wrote to memory of 2576	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3152 wrote to memory of 2576	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3152 wrote to memory of 2576	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3152 wrote to memory of 2576	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3152 wrote to memory of 3984	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 3152 wrote to memory of 3984	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 3152 wrote to memory of 3984	3152	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 3984 wrote to memory of 3120	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 3984 wrote to memory of 3120	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 3984 wrote to memory of 3120	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 3120 wrote to memory of 3888	3120	csc.exe	cvtres.exe
PID 3120 wrote to memory of 3888	3120	csc.exe	cvtres.exe
PID 3120 wrote to memory of 3888	3120	csc.exe	cvtres.exe
PID 3984 wrote to memory of 2772	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3984 wrote to memory of 2772	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3984 wrote to memory of 2772	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3984 wrote to memory of 2772	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3984 wrote to memory of 184	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 3984 wrote to memory of 184	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 3984 wrote to memory of 184	3984	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 184 wrote to memory of 2344	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 184 wrote to memory of 2344	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 184 wrote to memory of 2344	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 2344 wrote to memory of 1120	2344	csc.exe	cvtres.exe
PID 2344 wrote to memory of 1120	2344	csc.exe	cvtres.exe
PID 2344 wrote to memory of 1120	2344	csc.exe	cvtres.exe
PID 184 wrote to memory of 3988	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 184 wrote to memory of 3988	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 184 wrote to memory of 3988	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 184 wrote to memory of 3988	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 184 wrote to memory of 1244	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 184 wrote to memory of 1244	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 184 wrote to memory of 1244	184	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1244 wrote to memory of 2128	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1244 wrote to memory of 2128	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 1244 wrote to memory of 2128	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 2128 wrote to memory of 1848	2128	csc.exe	cvtres.exe
PID 2128 wrote to memory of 1848	2128	csc.exe	cvtres.exe
PID 2128 wrote to memory of 1848	2128	csc.exe	cvtres.exe
PID 1244 wrote to memory of 3280	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1244 wrote to memory of 3280	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1244 wrote to memory of 3280	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1244 wrote to memory of 3280	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 1244 wrote to memory of 3172	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1244 wrote to memory of 3172	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 1244 wrote to memory of 3172	1244	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
PID 3172 wrote to memory of 3376	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 3172 wrote to memory of 3376	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 3172 wrote to memory of 3376	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	csc.exe
PID 3376 wrote to memory of 2076	3376	csc.exe	cvtres.exe
PID 3376 wrote to memory of 2076	3376	csc.exe	cvtres.exe
PID 3376 wrote to memory of 2076	3376	csc.exe	cvtres.exe
PID 3172 wrote to memory of 2536	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3172 wrote to memory of 2536	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3172 wrote to memory of 2536	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3172 wrote to memory of 2536	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	RegAsm.exe
PID 3172 wrote to memory of 3892	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	cvtres.exe
PID 3172 wrote to memory of 3892	3172	53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sofqvjnt\sofqvjnt.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162D.tmp" "c:\Users\Admin\AppData\Local\Temp\sofqvjnt\CSC4C3CE591F1BD46759E571628B7CC4A9.TMP"
3⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4490.tmp"
3⤵
PID:4164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp48E7.tmp"
3⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1zqeyhyf\1zqeyhyf.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D13.tmp" "c:\Users\Admin\AppData\Local\Temp\1zqeyhyf\CSC4A90FCB4CEB44016AE78B2C1F3AE51.TMP"
4⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
PID:2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4915.tmp"
4⤵
PID:4416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4D6B.tmp"
4⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d2vnazze\d2vnazze.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21C6.tmp" "c:\Users\Admin\AppData\Local\Temp\d2vnazze\CSCE36D1FD74B6D44F182B88A58DE9B4ED0.TMP"
5⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
PID:3988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4D6A.tmp"
5⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp51A1.tmp"
5⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hl1d3dal\hl1d3dal.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26B8.tmp" "c:\Users\Admin\AppData\Local\Temp\hl1d3dal\CSCC921BAF25F2C4F748D2A30B3E177ED8A.TMP"
6⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
PID:3280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp529A.tmp"
6⤵
PID:4972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp56A2.tmp"
6⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
5⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dtfsilin\dtfsilin.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B5B.tmp" "c:\Users\Admin\AppData\Local\Temp\dtfsilin\CSCA556D39ABD81421DBFEDE54714E18BF6.TMP"
7⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetThreadContext
PID:2536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5912.tmp"
7⤵
PID:4384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5D0B.tmp"
7⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
6⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxa1xbc2\zxa1xbc2.cmdline"
7⤵
PID:3128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3156.tmp" "c:\Users\Admin\AppData\Local\Temp\zxa1xbc2\CSC9AE1542A600E43D59A87E2B2B6F9131.TMP"
8⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of SetThreadContext
PID:1772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5E81.tmp"
8⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp627A.tmp"
8⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
7⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ria2pgi\4ria2pgi.cmdline"
8⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3696.tmp" "c:\Users\Admin\AppData\Local\Temp\4ria2pgi\CSCA48308DC9AF549B4A812E658BB2DFAB3.TMP"
9⤵
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of SetThreadContext
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6382.tmp"
9⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp677B.tmp"
9⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ge3hj2z\2ge3hj2z.cmdline"
9⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C05.tmp" "c:\Users\Admin\AppData\Local\Temp\2ge3hj2z\CSCF08E85CD81C44437918792FFD6AA7E.TMP"
10⤵
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of SetThreadContext
PID:3900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp669F.tmp"
10⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6AA7.tmp"
10⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
9⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\babxt0ml\babxt0ml.cmdline"
10⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES402B.tmp" "c:\Users\Admin\AppData\Local\Temp\babxt0ml\CSC2749A39685D74C56AED1BA3D34F388.TMP"
11⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of SetThreadContext
PID:1800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6B81.tmp"
11⤵
PID:4756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6F99.tmp"
11⤵
PID:504

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eisunhu5\eisunhu5.cmdline"
11⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4490.tmp" "c:\Users\Admin\AppData\Local\Temp\eisunhu5\CSCA2652C0CAC074A819424E7FAB6D134F1.TMP"
12⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of SetThreadContext
PID:4208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6FE6.tmp"
12⤵
PID:4856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp741D.tmp"
12⤵
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
11⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3khrplnz\3khrplnz.cmdline"
12⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4934.tmp" "c:\Users\Admin\AppData\Local\Temp\3khrplnz\CSC17C8ED7ABCF1422981872D68CACD3C33.TMP"
13⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of SetThreadContext
PID:4468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp73FD.tmp"
13⤵
PID:4688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7824.tmp"
13⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
12⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\44jknlqt\44jknlqt.cmdline"
13⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D3B.tmp" "c:\Users\Admin\AppData\Local\Temp\44jknlqt\CSCF8D97B4741B4C7395B797BC9DCD78E.TMP"
14⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
PID:4724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7823.tmp"
14⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7C2C.tmp"
14⤵
PID:5148

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
13⤵
PID:4796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xv2r5ra\5xv2r5ra.cmdline"
14⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51B0.tmp" "c:\Users\Admin\AppData\Local\Temp\5xv2r5ra\CSCB0757214F79C43FA827E6ABEFDB36BDF.TMP"
15⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of SetThreadContext
PID:4996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7CB7.tmp"
15⤵
PID:5168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp80C0.tmp"
15⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hnqmvouv\hnqmvouv.cmdline"
15⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5624.tmp" "c:\Users\Admin\AppData\Local\Temp\hnqmvouv\CSC977C2B8D88374CA9856DE4FF57BB9ED.TMP"
16⤵
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of SetThreadContext
PID:2068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp816A.tmp"
16⤵
PID:5400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8573.tmp"
16⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
15⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vnhjgb0j\vnhjgb0j.cmdline"
16⤵
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A4B.tmp" "c:\Users\Admin\AppData\Local\Temp\vnhjgb0j\CSC5F23DD61395349059668FDE19D19EEDE.TMP"
17⤵
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of SetThreadContext
PID:3384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8572.tmp"
17⤵
PID:5708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8999.tmp"
17⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i1nkt43n\i1nkt43n.cmdline"
17⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EB0.tmp" "c:\Users\Admin\AppData\Local\Temp\i1nkt43n\CSCB10DA06BF25246CF8BDBCBA646B63BA5.TMP"
18⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
PID:4868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp890C.tmp"
18⤵
PID:5916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8D04.tmp"
18⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
17⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ertwaouv\ertwaouv.cmdline"
18⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62C7.tmp" "c:\Users\Admin\AppData\Local\Temp\ertwaouv\CSCFD3A07368C08426991F84D095D36C89.TMP"
19⤵
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
PID:3792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8DCE.tmp"
19⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp91C7.tmp"
19⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
18⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ek3iedbr\ek3iedbr.cmdline"
19⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66ED.tmp" "c:\Users\Admin\AppData\Local\Temp\ek3iedbr\CSC27682A92B52942C9962D22A0E42EA82.TMP"
20⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
PID:200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp91B6.tmp"
20⤵
PID:5408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp95CE.tmp"
20⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
19⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zhyyib40\zhyyib40.cmdline"
20⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B14.tmp" "c:\Users\Admin\AppData\Local\Temp\zhyyib40\CSCBD13C491C4045B5B5D37EDEB6CD4E7A.TMP"
21⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp95FC.tmp"
21⤵
PID:5888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9A14.tmp"
21⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
20⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fbkr0jde\fbkr0jde.cmdline"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F98.tmp" "c:\Users\Admin\AppData\Local\Temp\fbkr0jde\CSC715DFFA6A844E80A23BA7CB9F24275A.TMP"
22⤵
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9C26.tmp"
22⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA01F.tmp"
22⤵
PID:6056

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
21⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wfquhduw\wfquhduw.cmdline"
22⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES744B.tmp" "c:\Users\Admin\AppData\Local\Temp\wfquhduw\CSC628DB23959BD4BD69C1436DA931994C.TMP"
23⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:5060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9EA7.tmp"
23⤵
PID:5264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA2BF.tmp"
23⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
22⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\omy3k2lm\omy3k2lm.cmdline"
23⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7823.tmp" "c:\Users\Admin\AppData\Local\Temp\omy3k2lm\CSCF6EE0D6991D8479ABED853BD90E2FF2.TMP"
24⤵
PID:4676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:4540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA33B.tmp"
24⤵
PID:6052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA753.tmp"
24⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
23⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p4darm5f\p4darm5f.cmdline"
24⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CC7.tmp" "c:\Users\Admin\AppData\Local\Temp\p4darm5f\CSCD50087DF26334154BD7CCEFF7A56F3.TMP"
25⤵
PID:5176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:5204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA994.tmp"
25⤵
PID:5780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAD8C.tmp"
25⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
24⤵
PID:5272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3d0hswjk\3d0hswjk.cmdline"
25⤵
PID:5312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES815B.tmp" "c:\Users\Admin\AppData\Local\Temp\3d0hswjk\CSC6051A7E6BFC34D458CF52A34E74BF48.TMP"
26⤵
PID:5384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:5452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAC34.tmp"
26⤵
PID:5720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB03C.tmp"
26⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
25⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5plqpxd4\5plqpxd4.cmdline"
26⤵
PID:5596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8562.tmp" "c:\Users\Admin\AppData\Local\Temp\5plqpxd4\CSCFFA8A9052D0941E38364F9ACDEAF0B4.TMP"
27⤵
PID:5688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:5744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB0B8.tmp"
27⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB4D0.tmp"
27⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
26⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ttd1d4q\0ttd1d4q.cmdline"
27⤵
PID:5860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES894A.tmp" "c:\Users\Admin\AppData\Local\Temp\0ttd1d4q\CSCEA48162FBE7644EDB1BFCCE588C53F9.TMP"
28⤵
PID:5932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:5980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB4EE.tmp"
28⤵
PID:6332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB915.tmp"
28⤵
PID:6484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fs52qxv0\fs52qxv0.cmdline"
28⤵
PID:6072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D51.tmp" "c:\Users\Admin\AppData\Local\Temp\fs52qxv0\CSC86B34CAF72E04324B53732D01E2A92F8.TMP"
29⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:5176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB7BD.tmp"
29⤵
PID:6440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBBC5.tmp"
29⤵
PID:6636

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bzleqj5o\bzleqj5o.cmdline"
29⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9159.tmp" "c:\Users\Admin\AppData\Local\Temp\bzleqj5o\CSC737E6CCB50D74061943C2E8A5795C74B.TMP"
30⤵
PID:5348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:4804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBBF3.tmp"
30⤵
PID:6648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBFFB.tmp"
30⤵
PID:6852

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
29⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0n0ofiqe\0n0ofiqe.cmdline"
30⤵
PID:5724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95BE.tmp" "c:\Users\Admin\AppData\Local\Temp\0n0ofiqe\CSCAA71B3512D944C05BBD829DF3C10FC1F.TMP"
31⤵
PID:3728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:5892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:5876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC096.tmp"
31⤵
PID:6880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC49F.tmp"
31⤵
PID:7044

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wklqqdqd\wklqqdqd.cmdline"
31⤵
PID:6116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AA0.tmp" "c:\Users\Admin\AppData\Local\Temp\wklqqdqd\CSC490F2DD31B134DB08EAD90437DF721E7.TMP"
32⤵
PID:5540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:5324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC5B7.tmp"
32⤵
PID:7128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC9BF.tmp"
32⤵
PID:6352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:5412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
31⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nrdz0c4q\nrdz0c4q.cmdline"
32⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F05.tmp" "c:\Users\Admin\AppData\Local\Temp\nrdz0c4q\CSCF016675014454A1AAD1F27376E9AE4A9.TMP"
33⤵
PID:5908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:5188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCB74.tmp"
33⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCF6C.tmp"
33⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
32⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tdx3dnnz\tdx3dnnz.cmdline"
33⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3B8.tmp" "c:\Users\Admin\AppData\Local\Temp\tdx3dnnz\CSC33EE5EABD96E4195A67A46BC3DC63B3D.TMP"
34⤵
PID:5248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:5256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCFB9.tmp"
34⤵
PID:6892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD3D1.tmp"
34⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
33⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oc1uqf51\oc1uqf51.cmdline"
34⤵
PID:5688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8E8.tmp" "c:\Users\Admin\AppData\Local\Temp\oc1uqf51\CSC17A730F6B6B14D7D92F64788C478B312.TMP"
35⤵
PID:5664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD46C.tmp"
35⤵
PID:5648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD865.tmp"
35⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
34⤵
PID:5284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a2yytjcd\a2yytjcd.cmdline"
35⤵
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD8B.tmp" "c:\Users\Admin\AppData\Local\Temp\a2yytjcd\CSC632680BE7A0E401B85A5E928E4B788D.TMP"
36⤵
PID:6032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:4804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD8A3.tmp"
36⤵
PID:5640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDCAB.tmp"
36⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
35⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\03c4k4jr\03c4k4jr.cmdline"
36⤵
PID:5628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1C1.tmp" "c:\Users\Admin\AppData\Local\Temp\03c4k4jr\CSC769946302B5B4C13B02FB0E123F71F13.TMP"
37⤵
PID:6172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:6196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDC9A.tmp"
37⤵
PID:7104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE0C2.tmp"
37⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
36⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\udxdhkop\udxdhkop.cmdline"
37⤵
PID:6352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB675.tmp" "c:\Users\Admin\AppData\Local\Temp\udxdhkop\CSC18288AC3E22646BAAE7CDEC0B2DFFBE4.TMP"
38⤵
PID:6396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:6448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE1CA.tmp"
38⤵
PID:5024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE5C3.tmp"
38⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
37⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\llvfps2x\llvfps2x.cmdline"
38⤵
PID:6584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC12.tmp" "c:\Users\Admin\AppData\Local\Temp\llvfps2x\CSC1626C69B13DB4663A481B51A6E5B6F2E.TMP"
39⤵
PID:6660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:6684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE6AC.tmp"
39⤵
PID:6344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEAC4.tmp"
39⤵
PID:7216

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
38⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ngdp3npu\ngdp3npu.cmdline"
39⤵
PID:6800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC077.tmp" "c:\Users\Admin\AppData\Local\Temp\ngdp3npu\CSCC1FFCC1BB3B74B35A4D4F316DF9CF5C.TMP"
40⤵
PID:6864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:6900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEA94.tmp"
40⤵
PID:7196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEE9D.tmp"
40⤵
PID:7372

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
39⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m4b30b4y\m4b30b4y.cmdline"
40⤵
PID:6992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC47E.tmp" "c:\Users\Admin\AppData\Local\Temp\m4b30b4y\CSC68045B755227483CBDF347E19C7831F.TMP"
41⤵
PID:7036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:7108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEFA5.tmp"
41⤵
PID:7456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF3CD.tmp"
41⤵
PID:7664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:7100

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
40⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\frfytxvh\frfytxvh.cmdline"
41⤵
PID:5628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8D4.tmp" "c:\Users\Admin\AppData\Local\Temp\frfytxvh\CSCC7E177C3F0D4407AB592FA7946302E39.TMP"
42⤵
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:6348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:6404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:6396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF38D.tmp"
42⤵
PID:7652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF795.tmp"
42⤵
PID:7872

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
41⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anjhleot\anjhleot.cmdline"
42⤵
PID:6676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCAC.tmp" "c:\Users\Admin\AppData\Local\Temp\anjhleot\CSCA496E1CA518F464E80E28D4C90CD1E59.TMP"
43⤵
PID:6620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:4240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF737.tmp"
43⤵
PID:7820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFB3F.tmp"
43⤵
PID:7976

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
42⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eri0e2b0\eri0e2b0.cmdline"
43⤵
PID:6304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0C3.tmp" "c:\Users\Admin\AppData\Local\Temp\eri0e2b0\CSCA20BD4254BC448858ACCAE59EB415FDF.TMP"
44⤵
PID:6720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:7036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFC19.tmp"
44⤵
PID:8052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp11.tmp"
44⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6588

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
43⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0wqhxryy\0wqhxryy.cmdline"
44⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD595.tmp" "c:\Users\Admin\AppData\Local\Temp\0wqhxryy\CSCC7861D4FB57346F8ACFCC5BEE3157956.TMP"
45⤵
PID:7104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:6776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:6944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFFD2.tmp"
45⤵
PID:7192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3DA.tmp"
45⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
44⤵
PID:6588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fhklnuo3\fhklnuo3.cmdline"
45⤵
PID:6972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD96E.tmp" "c:\Users\Admin\AppData\Local\Temp\fhklnuo3\CSCF9DDF5DE41D14E0E9B689113BEA1C4.TMP"
46⤵
PID:6436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:7004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4A4.tmp"
46⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8BC.tmp"
46⤵
PID:7312

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
45⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bi0fyoe3\bi0fyoe3.cmdline"
46⤵
PID:5668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:7100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDC3.tmp" "c:\Users\Admin\AppData\Local\Temp\bi0fyoe3\CSC7F445BEDC549E7BF8D57CE2B128091.TMP"
47⤵
PID:6500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:6872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp967.tmp"
47⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD7F.tmp"
47⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
46⤵
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbx55sda\lbx55sda.cmdline"
47⤵
PID:6552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE238.tmp" "c:\Users\Admin\AppData\Local\Temp\lbx55sda\CSC60308E0335F44E4093954951B53D40.TMP"
48⤵
PID:6500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:5444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE59.tmp"
48⤵
PID:5768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1280.tmp"
48⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
47⤵
PID:6608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oagn0jej\oagn0jej.cmdline"
48⤵
PID:6552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6EB.tmp" "c:\Users\Admin\AppData\Local\Temp\oagn0jej\CSCAA1272E1A0044678ECCE30C4F7CA2F.TMP"
49⤵
PID:6160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:6588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:6592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1231.tmp"
49⤵
PID:7396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1658.tmp"
49⤵
PID:8032

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
48⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvc42ayf\zvc42ayf.cmdline"
49⤵
PID:6812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB40.tmp" "c:\Users\Admin\AppData\Local\Temp\zvc42ayf\CSCD6BD9FF6EF7047348369148E2A79EEB4.TMP"
50⤵
PID:7228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:7260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp15CB.tmp"
50⤵
PID:7600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp19C3.tmp"
50⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
49⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:7328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hn31x1ne\hn31x1ne.cmdline"
50⤵
PID:7380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF96.tmp" "c:\Users\Admin\AppData\Local\Temp\hn31x1ne\CSC634DD98868144F71A7D7A27D1FAFD16E.TMP"
51⤵
PID:7444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:7476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:7484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1A30.tmp"
51⤵
PID:6968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1E38.tmp"
51⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
50⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:7572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvh3ifxg\uvh3ifxg.cmdline"
51⤵
PID:7596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3CC.tmp" "c:\Users\Admin\AppData\Local\Temp\uvh3ifxg\CSC7793839D93E4D81A83381A6143DB40.TMP"
52⤵
PID:7676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:7700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1F31.tmp"
52⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2349.tmp"
52⤵
PID:7448

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
51⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:7796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ig2ocz1a\ig2ocz1a.cmdline"
52⤵
PID:7832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF88E.tmp" "c:\Users\Admin\AppData\Local\Temp\ig2ocz1a\CSC8A14CAC68043476295DA7A354834F339.TMP"
53⤵
PID:7892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:7912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2452.tmp"
53⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2869.tmp"
53⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
52⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:8028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cczrvhle\cczrvhle.cmdline"
53⤵
PID:8060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCE4.tmp" "c:\Users\Admin\AppData\Local\Temp\cczrvhle\CSCD1108F03DFF14AAF8061A9886115DDB.TMP"
54⤵
PID:8112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:8136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp277E.tmp"
54⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2BD4.tmp"
54⤵
PID:8104

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
53⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:7180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\11ksnwb1\11ksnwb1.cmdline"
54⤵
PID:6816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES139.tmp" "c:\Users\Admin\AppData\Local\Temp\11ksnwb1\CSCA869660659BF4842889E62E041DFAD4E.TMP"
55⤵
PID:7300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:7452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2C12.tmp"
55⤵
PID:7672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp301A.tmp"
55⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
54⤵
PID:7692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cwnsioud\cwnsioud.cmdline"
55⤵
PID:7648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64A.tmp" "c:\Users\Admin\AppData\Local\Temp\cwnsioud\CSCA4972B202B9C4B8FA02257F34BA71F.TMP"
56⤵
PID:5228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:7480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3113.tmp"
56⤵
PID:6764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp351B.tmp"
56⤵
PID:8252

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
55⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2wisuvp\n2wisuvp.cmdline"
56⤵
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4B.tmp" "c:\Users\Admin\AppData\Local\Temp\n2wisuvp\CSC99C9F69349BA4150AC5B557EE330E03B.TMP"
57⤵
PID:7860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:7472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3643.tmp"
57⤵
PID:8360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3A4C.tmp"
57⤵
PID:8484

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
56⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:8112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\euzgxbo5\euzgxbo5.cmdline"
57⤵
PID:8060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES102D.tmp" "c:\Users\Admin\AppData\Local\Temp\euzgxbo5\CSC6CD5B2F6D74C401D9F50C9DDFD9D56AF.TMP"
58⤵
PID:7696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:6800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3BA2.tmp"
58⤵
PID:8624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3FAB.tmp"
58⤵
PID:8772

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
57⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:7812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4rcwm0r\d4rcwm0r.cmdline"
58⤵
PID:5732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15CB.tmp" "c:\Users\Admin\AppData\Local\Temp\d4rcwm0r\CSC2608CB5F468346F990962D17ABE4F358.TMP"
59⤵
PID:7596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:8048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:7240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:7232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4075.tmp"
59⤵
PID:8856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp448D.tmp"
59⤵
PID:8948

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
58⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:7864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l11gvco1\l11gvco1.cmdline"
59⤵
PID:7164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B0B.tmp" "c:\Users\Admin\AppData\Local\Temp\l11gvco1\CSC42F29487BDFB4BC39ACCAA318669B188.TMP"
60⤵
PID:8084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:7588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4622.tmp"
60⤵
PID:9112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4A3A.tmp"
60⤵
PID:8200

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
59⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:7692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mqg33wpr\mqg33wpr.cmdline"
60⤵
PID:7672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20D7.tmp" "c:\Users\Admin\AppData\Local\Temp\mqg33wpr\CSCEBD9A2A69124494588A0E4E49A76E9CE.TMP"
61⤵
PID:6048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:7840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4C4C.tmp"
61⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5054.tmp"
61⤵
PID:7884

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
60⤵
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zl2ujqo5\zl2ujqo5.cmdline"
61⤵
PID:7240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2694.tmp" "c:\Users\Admin\AppData\Local\Temp\zl2ujqo5\CSCF0A31D5DFF4D4B32BB98B987F494F8DC.TMP"
62⤵
PID:7688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:5968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5218.tmp"
62⤵
PID:8436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5621.tmp"
62⤵
PID:8336

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
61⤵
PID:7852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f1wxgqkh\f1wxgqkh.cmdline"
62⤵
PID:2196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:7688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C70.tmp" "c:\Users\Admin\AppData\Local\Temp\f1wxgqkh\CSC78E76FF79F0844538FDD6CA13BB0A4B9.TMP"
63⤵
PID:7780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:7760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5768.tmp"
63⤵
PID:4700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5B80.tmp"
63⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
62⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:7800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\swwwwrwy\swwwwrwy.cmdline"
63⤵
PID:7636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31AF.tmp" "c:\Users\Admin\AppData\Local\Temp\swwwwrwy\CSC337D138CDC564419AA57AF4E1249CCF.TMP"
64⤵
PID:8120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:8212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5CB7.tmp"
64⤵
PID:4380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp60BF.tmp"
64⤵
PID:8648

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
63⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:8328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0guxytv\w0guxytv.cmdline"
64⤵
PID:8352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES371E.tmp" "c:\Users\Admin\AppData\Local\Temp\w0guxytv\CSCD57DA40F50584C36989C43677AFAF5E4.TMP"
65⤵
PID:8412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:8432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:8440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6216.tmp"
65⤵
PID:8204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp661E.tmp"
65⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
64⤵
- Drops startup file
PID:8544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dsiucnxk\dsiucnxk.cmdline"
65⤵
PID:8580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C1F.tmp" "c:\Users\Admin\AppData\Local\Temp\dsiucnxk\CSC7EF28F7FCE054793A11CED3D8BEE324.TMP"
66⤵
PID:8640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:8676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp667B.tmp"
66⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6A93.tmp"
66⤵
PID:8508

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
65⤵
- Drops startup file
PID:8780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ky1ohcs\3ky1ohcs.cmdline"
66⤵
PID:8816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4101.tmp" "c:\Users\Admin\AppData\Local\Temp\3ky1ohcs\CSC111B10456E944047B38A2F43A3B65856.TMP"
67⤵
PID:8892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:8912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6BBB.tmp"
67⤵
PID:5124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6FC3.tmp"
67⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
66⤵
- Drops startup file
PID:8996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cuxoj5gf\cuxoj5gf.cmdline"
67⤵
PID:9056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4670.tmp" "c:\Users\Admin\AppData\Local\Temp\cuxoj5gf\CSC2F1942AD43F9490C9EB77F86C031CC5F.TMP"
68⤵
PID:9128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:9152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7139.tmp"
68⤵
PID:5460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7541.tmp"
68⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
67⤵
- Drops startup file
PID:6220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qpp5qvrx\qpp5qvrx.cmdline"
68⤵
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9A.tmp" "c:\Users\Admin\AppData\Local\Temp\qpp5qvrx\CSC38FFDECB11D54DBF82C7D3C67E1C4E7.TMP"
69⤵
PID:8280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:8392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:8424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:8420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7744.tmp"
69⤵
PID:8568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7B5C.tmp"
69⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
68⤵
- Drops startup file
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jywnss3n\jywnss3n.cmdline"
69⤵
PID:8508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51CA.tmp" "c:\Users\Admin\AppData\Local\Temp\jywnss3n\CSC93EAA387724D40FB8B17E872406492AE.TMP"
70⤵
PID:8596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:7996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7C64.tmp"
70⤵
PID:8608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp809C.tmp"
70⤵
PID:9360

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
69⤵
PID:8900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n3s4m4wj\n3s4m4wj.cmdline"
70⤵
PID:8844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES571A.tmp" "c:\Users\Admin\AppData\Local\Temp\n3s4m4wj\CSC35A0957BE3D14D30862ECFD4F02C38C0.TMP"
71⤵
PID:8964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:9128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:9100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8231.tmp"
71⤵
PID:9424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8629.tmp"
71⤵
PID:9616

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
70⤵
- Drops startup file
PID:8720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fe2jorox\fe2jorox.cmdline"
71⤵
PID:9192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
72⤵
PID:8120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C79.tmp" "c:\Users\Admin\AppData\Local\Temp\fe2jorox\CSC1B1C96DE339248E6A2AC0ACF9B13628.TMP"
72⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:8796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp882C.tmp"
72⤵
PID:9664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8C63.tmp"
72⤵
PID:9836

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
71⤵
- Drops startup file
PID:8652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\szpwkmjt\szpwkmjt.cmdline"
72⤵
PID:8392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:8424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6255.tmp" "c:\Users\Admin\AppData\Local\Temp\szpwkmjt\CSC7F0F5A1310B34D8B989359499D156351.TMP"
73⤵
PID:8848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:8964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8EB4.tmp"
73⤵
PID:9916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp92BC.tmp"
73⤵
PID:10100

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
72⤵
- Drops startup file
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tyjz23sg\tyjz23sg.cmdline"
73⤵
PID:7992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67D3.tmp" "c:\Users\Admin\AppData\Local\Temp\tyjz23sg\CSCDEFBB6DDADAB4BB1B7E9F8BF7DA9242A.TMP"
74⤵
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:7852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:6480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp925D.tmp"
74⤵
PID:10068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9666.tmp"
74⤵
PID:10180

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
73⤵
PID:7284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v45c1gkl\v45c1gkl.cmdline"
74⤵
PID:8896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D32.tmp" "c:\Users\Admin\AppData\Local\Temp\v45c1gkl\CSC7BB1FC9F3CE4D2B8F6F31D2B90FACE.TMP"
75⤵
PID:7508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:4564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp979D.tmp"
75⤵
PID:9280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9BB5.tmp"
75⤵
PID:9548

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
74⤵
- Drops startup file
PID:5612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mxgl34vz\mxgl34vz.cmdline"
75⤵
PID:4492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7262.tmp" "c:\Users\Admin\AppData\Local\Temp\mxgl34vz\CSC9F221C5387A9422E8556C4C9B029377.TMP"
76⤵
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:5212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9DA8.tmp"
76⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA1B0.tmp"
76⤵
PID:9220

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
75⤵
- Drops startup file
PID:8552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04fkdvak\04fkdvak.cmdline"
76⤵
PID:6000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78EA.tmp" "c:\Users\Admin\AppData\Local\Temp\04fkdvak\CSC273277A653E4B81B2418CA5BBD85DA8.TMP"
77⤵
PID:8416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:5128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA401.tmp"
77⤵
PID:9924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA809.tmp"
77⤵
PID:9484

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
76⤵
PID:7284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mvjbzfc3\mvjbzfc3.cmdline"
77⤵
PID:9256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E68.tmp" "c:\Users\Admin\AppData\Local\Temp\mvjbzfc3\CSCC20C2C39508E4D42A5431C6A7C23109F.TMP"
78⤵
PID:9300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:9324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:9332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA9DD.tmp"
78⤵
PID:6168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpADD6.tmp"
78⤵
PID:9740

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
77⤵
- Drops startup file
PID:9476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\olncp55w\olncp55w.cmdline"
78⤵
PID:9500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84B1.tmp" "c:\Users\Admin\AppData\Local\Temp\olncp55w\CSC529C30D9A0204014AFDA57287639CF43.TMP"
79⤵
PID:9544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:9584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAFC9.tmp"
79⤵
PID:7864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB3D1.tmp"
79⤵
PID:9256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:9576

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
78⤵
- Drops startup file
PID:9728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y0smietx\y0smietx.cmdline"
79⤵
PID:9752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B87.tmp" "c:\Users\Admin\AppData\Local\Temp\y0smietx\CSCDDC994DE44F044C4A7C8BF49142BEA2.TMP"
80⤵
PID:9800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:9860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB651.tmp"
80⤵
PID:4676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBA59.tmp"
80⤵
PID:8644

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
79⤵
PID:9972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndtl3sxr\ndtl3sxr.cmdline"
80⤵
PID:10020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES926D.tmp" "c:\Users\Admin\AppData\Local\Temp\ndtl3sxr\CSC82A8F9970014C93BD26B7C1C76A824.TMP"
81⤵
PID:10076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:10124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBE40.tmp"
81⤵
PID:10028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC248.tmp"
81⤵
PID:10108

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
80⤵
PID:9316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wsbbl5df\wsbbl5df.cmdline"
81⤵
PID:9276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9905.tmp" "c:\Users\Admin\AppData\Local\Temp\wsbbl5df\CSC4242F4C9AD4641019FF52F4AA0BC5395.TMP"
82⤵
PID:5616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:8852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC4B8.tmp"
82⤵
PID:9848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC8E0.tmp"
82⤵
PID:10360

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
81⤵
- Drops startup file
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jmzthhgr\jmzthhgr.cmdline"
82⤵
PID:9676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA029.tmp" "c:\Users\Admin\AppData\Local\Temp\jmzthhgr\CSC57C8E613A1674AA0894515756D214118.TMP"
83⤵
PID:9800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:9772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCC3A.tmp"
83⤵
PID:10420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD052.tmp"
83⤵
PID:10576

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
82⤵
- Drops startup file
PID:10052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ultaxj03\ultaxj03.cmdline"
83⤵
PID:10096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA912.tmp" "c:\Users\Admin\AppData\Local\Temp\ultaxj03\CSCE56E2073BEE541A2903D8911DE123E50.TMP"
84⤵
PID:9256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:9276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD468.tmp"
84⤵
PID:10688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD870.tmp"
84⤵
PID:10840

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
83⤵
- Drops startup file
PID:9804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m1nmm2l4\m1nmm2l4.cmdline"
84⤵
PID:5892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0B3.tmp" "c:\Users\Admin\AppData\Local\Temp\m1nmm2l4\CSC260E9731197D42099ED9291E634F6476.TMP"
85⤵
PID:6620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:9972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDC38.tmp"
85⤵
PID:10952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE040.tmp"
85⤵
PID:11108

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
84⤵
PID:9300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3omsetww\3omsetww.cmdline"
85⤵
PID:8464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7A8.tmp" "c:\Users\Admin\AppData\Local\Temp\3omsetww\CSC5D771021964444558D24B41AB26E11B.TMP"
86⤵
PID:9980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:9764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE3AA.tmp"
86⤵
PID:11216

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE7B2.tmp"
86⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
85⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pugrpazc\pugrpazc.cmdline"
86⤵
PID:5396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF3A.tmp" "c:\Users\Admin\AppData\Local\Temp\pugrpazc\CSCB138A28764484E38AC978EC81BDC811.TMP"
87⤵
PID:9780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:9176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpEC84.tmp"
87⤵
PID:10544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF08C.tmp"
87⤵
PID:10784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:7016

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
86⤵
- Drops startup file
PID:8396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\otngx1qv\otngx1qv.cmdline"
87⤵
PID:10252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC719.tmp" "c:\Users\Admin\AppData\Local\Temp\otngx1qv\CSC2C0023BE7B964B7684DCF2524CC1C062.TMP"
88⤵
PID:10296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:10332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF34A.tmp"
88⤵
PID:10448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF752.tmp"
88⤵
PID:10856

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
87⤵
PID:10484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znh12kkw\znh12kkw.cmdline"
88⤵
PID:10512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF28.tmp" "c:\Users\Admin\AppData\Local\Temp\znh12kkw\CSC7501F868597947B288853E3ED636D76A.TMP"
89⤵
PID:10560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:10608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFC33.tmp"
89⤵
PID:10276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3B.tmp"
89⤵
PID:10436

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
88⤵
- Drops startup file
PID:10752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3lduoqmw\3lduoqmw.cmdline"
89⤵
PID:10780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7F2.tmp" "c:\Users\Admin\AppData\Local\Temp\3lduoqmw\CSCED300F0AF22B47EA93FE5A76817EE02B.TMP"
90⤵
PID:10824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:10856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:10864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp490.tmp"
90⤵
PID:11008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp898.tmp"
90⤵
PID:10748

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
89⤵
- Drops startup file
PID:11004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5qwnlrho\5qwnlrho.cmdline"
90⤵
PID:11032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF74.tmp" "c:\Users\Admin\AppData\Local\Temp\5qwnlrho\CSCBA40E7FF89B0464AA94DE979B3F1DB6E.TMP"
91⤵
PID:11092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:11128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp"
91⤵
PID:10300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE64.tmp"
91⤵
PID:10528

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
90⤵
PID:5688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\350jxxvs\350jxxvs.cmdline"
91⤵
PID:10292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE83E.tmp" "c:\Users\Admin\AppData\Local\Temp\350jxxvs\CSCE04958829C3A4619B3C1799B8DF81FB.TMP"
92⤵
PID:9296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:10440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp13D2.tmp"
92⤵
PID:5732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp17EA.tmp"
92⤵
PID:10852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:9324

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
91⤵
PID:9148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vdpuc34s\vdpuc34s.cmdline"
92⤵
PID:7088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF01D.tmp" "c:\Users\Admin\AppData\Local\Temp\vdpuc34s\CSC68376BE45B75442F8225FE817AD0DA2B.TMP"
93⤵
PID:10828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:7616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1B73.tmp"
93⤵
PID:11260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1F6C.tmp"
93⤵
- Drops startup file
PID:9148

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
92⤵
PID:11072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\orufhh10\orufhh10.cmdline"
93⤵
PID:11052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF85B.tmp" "c:\Users\Admin\AppData\Local\Temp\orufhh10\CSC625039D579724546B7F62883ACBBE241.TMP"
94⤵
PID:10736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:7992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp23FF.tmp"
94⤵
PID:11300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2817.tmp"
94⤵
PID:11380

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
93⤵
PID:10984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p3f4oclq\p3f4oclq.cmdline"
94⤵
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES134.tmp" "c:\Users\Admin\AppData\Local\Temp\p3f4oclq\CSCD3DD4F0816F04A46B0144CABCB973448.TMP"
95⤵
PID:10804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:10780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2DB3.tmp"
95⤵
PID:11600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp31CB.tmp"
95⤵
PID:11744

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
94⤵
PID:7532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\glekfrg5\glekfrg5.cmdline"
95⤵
PID:10736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C0.tmp" "c:\Users\Admin\AppData\Local\Temp\glekfrg5\CSCE7FFE3B14BCA4EBF9C5B9283C4D6BA.TMP"
96⤵
PID:10284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
- Drops startup file
PID:5688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:7440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:7904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp35E1.tmp"
96⤵
PID:11868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp39E9.tmp"
96⤵
PID:12024

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
95⤵
PID:7776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jx3zbf5g\jx3zbf5g.cmdline"
96⤵
PID:9148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES124B.tmp" "c:\Users\Admin\AppData\Local\Temp\jx3zbf5g\CSCA63EFE39BC1A4FC18E6916305ADBC28A.TMP"
97⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:5892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3E1E.tmp"
97⤵
PID:12136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4236.tmp"
97⤵
PID:11292

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
96⤵
PID:7968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fxyvhkmd\fxyvhkmd.cmdline"
97⤵
PID:9148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A6A.tmp" "c:\Users\Admin\AppData\Local\Temp\fxyvhkmd\CSC9D2995549CA144129054C5419C91DF7B.TMP"
98⤵
PID:10988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:7544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp462D.tmp"
98⤵
PID:5228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4A35.tmp"
98⤵
PID:11608

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
97⤵
PID:8232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v3kq5m0g\v3kq5m0g.cmdline"
98⤵
PID:10492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:10484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23A1.tmp" "c:\Users\Admin\AppData\Local\Temp\v3kq5m0g\CSCCF34B8297BAA4227A1B4795CBEB92371.TMP"
99⤵
PID:11284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:11336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4E6A.tmp"
99⤵
PID:11700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5282.tmp"
99⤵
PID:11420

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
98⤵
PID:11444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ru3mrs5o\ru3mrs5o.cmdline"
99⤵
PID:11468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B13.tmp" "c:\Users\Admin\AppData\Local\Temp\ru3mrs5o\CSC9DCE5CD1C583409F9E32743F5653894D.TMP"
100⤵
PID:11516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:11560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp55AD.tmp"
100⤵
PID:11652

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
99⤵
PID:11676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jpgkyr4p\jpgkyr4p.cmdline"
100⤵
PID:11700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3285.tmp" "c:\Users\Admin\AppData\Local\Temp\jpgkyr4p\CSCAEF5AF3A55BF4937A2BB94BC3B98929C.TMP"
101⤵
PID:11756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:11796

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
100⤵
PID:11920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hu0uvapo\hu0uvapo.cmdline"
101⤵
PID:11960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES398A.tmp" "c:\Users\Admin\AppData\Local\Temp\hu0uvapo\CSC166B54D8424C4F20BE2DE6F751AC112.TMP"
102⤵
PID:12004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:12040

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
101⤵
PID:12176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\omidxhiz\omidxhiz.cmdline"
102⤵
PID:12200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4012.tmp" "c:\Users\Admin\AppData\Local\Temp\omidxhiz\CSC22ED231796C143CAB2C41510A26A76E5.TMP"
103⤵
PID:12248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:12268

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
102⤵
PID:7720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lu0dumpi\lu0dumpi.cmdline"
103⤵
PID:8008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4756.tmp" "c:\Users\Admin\AppData\Local\Temp\lu0dumpi\CSCDE2AFFD7570A451CAB9ECF4CE1332429.TMP"
104⤵
PID:11472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:11484

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
103⤵
PID:11064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v2hh3v5o\v2hh3v5o.cmdline"
104⤵
PID:7968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E3B.tmp" "c:\Users\Admin\AppData\Local\Temp\v2hh3v5o\CSCBDCA97A7ADA54F58B9233C7FB7FC50A3.TMP"
105⤵
PID:11724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:9372

C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe
"C:\Users\Admin\AppData\Local\Temp\53b5b038df0871a10be7d0f3a458ebdeaec39ddee8be3bf47152b5ab55c882e2.exe"
104⤵
PID:12004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vqogxy3u\vqogxy3u.cmdline"
105⤵
PID:12032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES562A.tmp" "c:\Users\Admin\AppData\Local\Temp\vqogxy3u\CSC5C8D06AB26458FA324DDDBAB5376B.TMP"
106⤵
PID:11672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:12156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:10356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1zqeyhyf\1zqeyhyf.dll
MD5
3c6cf12313a9802eb83b87a023b1a16d

SHA1
a4647ba572f05827b3307094dc6085f9b922f8b7

SHA256
fd924652613b36685f91d8806abf1de1a4ad9d7d39a885ff3d3d480f43bfaeb4

SHA512
2c9351dbbc1f380f982ca34dc5b0856e038a6918b04719c26bceb112ef92239e9df7ac2d9537a019d52e004efd4e984cd813bac79b1449615343098d5fc43d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ge3hj2z\2ge3hj2z.dll
MD5
11dd599e45eab6a494170bd5b4c30b4f

SHA1
8dbf435d8faa1c5fa3ecfa2344f12badd14156ca

SHA256
39e8bd1d150efb21a79b3c00f6fd4f14e1c54e672bd3972cf088d26372815818

SHA512
a6008e5c5e027e0c621649dbfbce77fee81295bc14d95e544b0331007ad94b1be182a6c8c1e6284d70c3558407fa13f5a3e07cdd7463b4987dcbccd930ba4ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ria2pgi\4ria2pgi.dll
MD5
98d5982ab58119f5ba773c59ef5015e8

SHA1
253f2b9cddd200967a2163f72ed2ca7bde3452d8

SHA256
71a8cab4309a2ab92ce7688458f30e50e801478d299d442e714d2bf785f939bf

SHA512
28881f6253a501064f976056e361b5e8a9f9c6cff7587180d211525f9eb9cc33eb5a86a9b422b2855093ef6515480aa80131d826202345a7e63ac7474e9ba89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES162D.tmp
MD5
2ab50731ed2ef042bdaf6316a7987cdc

SHA1
b1ed0e77f5bfdbf567c834ebd3a354e0ea8a19ed

SHA256
af77f158a17c714d3ab45e1bc9c304b8a22becd05aa2c3c90048b4398c1c229d

SHA512
d6668ea0397265c984bc95ad954d2bf9e377deb7e0bab40d0688484b96ae9a270bb2fe883813c385af8d34f433314ea5fbd299e89155ba5bc7b3254381dad2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D13.tmp
MD5
97cd93469cfa5df8ed4a764431015aa8

SHA1
307ba8ba8be252ff561db2deeb2ac9f54d503b1f

SHA256
bb2158093a707a3bab5953f84afe8ef6d0e7dadd378392d63f7be0137765a43b

SHA512
45e95b6a0a84aee481afbcf44677d7eaa7659ed48dbb7bd34106ba4c8d370b61921ceb254c08c6b76868748650659f357819c515770e5a67102a5f5c2a764192

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES21C6.tmp
MD5
fb1ffb7ee5f1174a525a0a3876f0efea

SHA1
d0959771d53f3cebea8932a4b9574de417fdefe9

SHA256
ec80e4a64a2bf955aec49c5db854e9e1b404f5adb90794161b84f122e156d342

SHA512
7c94d1f236629d82b415dc2de16798cc3144bc8f62890eaaf01ae4948ad04acfc1adb5541a985843fd2c572fe6bdd1539da74617dee725ecabdaba5897e58868

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES26B8.tmp
MD5
46e379106817264bf69f3515b7542a4b

SHA1
0ef26d016697dd1865e16ae4a2b2c1c914912c4c

SHA256
32bab3b212e971b6eef9cd37c01f50759b91717c1985221213ce0a41ea48563c

SHA512
fdc5d60dd4878e5d3465bebda6b75e154edf26c797ed2ac3f2c06a3aa20a7716758c0502117cd83bc78d3549b9d2c9041a25bf285851d6d235f5125d3cb68ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B5B.tmp
MD5
a1971fa845a48114057625bd95e63481

SHA1
bc1f98f60ea71508403f452d4ec7666295dc0d02

SHA256
17e73ba6e9876ffff2e66a150073a06950e18ce5f31973217555a78f5c8e7bd7

SHA512
282155fe799dce25c5279d9b070be2c759efaf6fed6f6351c6cd672c53706cddc0cb5b5ad281dd51fe68e4a387d4e719bf2e21e2ed96b42e1a9b07f17e8f180a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3156.tmp
MD5
0719acb26a96345c61a852771f7a3883

SHA1
f5de0ec55931ea99e2e4e92e266bcd3076da0146

SHA256
623db9da0c6c129aa3643558bb4e09ed9caaed4b5892617d3f182bc9b84cbff7

SHA512
41d6409ba5a76ec6357c3f6a46be11349b7d36061dcabd554da2c560471d6d88d5148a7d1f67c001251b713f03374dd9c06c655f59c857abcd666ac29d76658c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3696.tmp
MD5
244451ba304999708cbb547aec38c714

SHA1
48cceee9afaca274f0518a302b2046386fcd9e89

SHA256
3acadafb74fd22d3c4ca2acbce07dc34656d3b2ea1f30e2709bf0690157af9a2

SHA512
7d347db9d0512b63d6eb8ebd1a7f87ccb0fb1dbe198b949bcfdbf2070905c8f61d79e87ff4d1a79751ed60efad199c93d0e5960af065bf793ecb218c851ddf4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C05.tmp
MD5
8d9560698f718228f735f85b332fe04e

SHA1
1b6022f52ecf4ff2615c1126e769c748e181b132

SHA256
f2558d1f6d76c3c70f2e5a087715b1d19d53cd07d37b61afabc85eb87d98c395

SHA512
c9c6b385f2cf4720896b59c97df45a42c7180e700c7b9d42fe109ca48de2eb62585385c0da18a200d23206137b37b4490d0eb67c44e1587afb40572c759e7ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES402B.tmp
MD5
f2bd6934f5ca407e2ce99927c32e1a94

SHA1
581c1d6463480ecb635aaff53de163387cb06ab0

SHA256
9c88935d508a7f852a3348ba90e05d3ee75205420fb82bd7d075b591805d61d3

SHA512
77e072e8ea31da3750aa04b6dbf8276d3b550f3d37d0dcddc04fab7dc27fc9d623a0a6439dda8287cb9d0df857319b9725a1dc7ad454d7bd61214f6371f1a7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\babxt0ml\babxt0ml.dll
MD5
546a1a0cb0bdc3402c09d41947fc8b7d

SHA1
a472bc2973345f66806e6072718d039fbdcc9aaf

SHA256
fe83b6670507472dbe5825ee6dcb76078786b02b9bf53cb93bbda0fc3acebf7d

SHA512
da3661155211359ab425dad076113bdd12b9e2d6c97799ace4e69e275bb8d17da1028047584ed0367754753e42841bad22f5ffe8339f7be32d42404fe89e924c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2vnazze\d2vnazze.dll
MD5
51c50bc036dfdfa7fcc1108c0b530197

SHA1
b1f0f96efb19ec03b1f391da92c9575e2a410aed

SHA256
610a57f80e6ae14ef820553be4a9746936c6c8a412f01a3fcf4fb0bdbd48f36e

SHA512
a859c3268d6e390a81ae928154afad9a7b4eb978379816a7a4e03e04f8cbdff2992e69e13216a1f73163696fd0d5a1ffb9e8464ca18f6f8c207011a9abca782b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtfsilin\dtfsilin.dll
MD5
cf95e0bb70194336d5ec883a94a45373

SHA1
eebfaeca756f3ed043c8d114e140d3d83dff54f7

SHA256
0425e810fe8509695cd10347ba635bb980762ecb1547452d877c60613324dbf1

SHA512
30d04c19502a750a936f42ce39988c818c9c0be81e809143d557f6f05451ab7fd390a899a6adde4539b567196e6ac1293c26b4bc0b5c04b518c051d2492b5331

Download Submit
C:\Users\Admin\AppData\Local\Temp\hl1d3dal\hl1d3dal.dll
MD5
badbb05cda8564815633fa0c970b0840

SHA1
6b78745049e2d2f625b1b00542eaa22a5cf14b79

SHA256
8a8617aa3f914ca50a68e8704e51614c739690a1414efddd11b88624dfee89fb

SHA512
aff6c17d3cfd94215e4cebd870c93bb5af7209329f97f688f10742f1a5c4386083d0689b58e30ccc49af1839aa3cd37b2896784854a1184a37ecbedadfee7028

Download Submit
C:\Users\Admin\AppData\Local\Temp\sofqvjnt\sofqvjnt.dll
MD5
850958d1772412b356e2e4018ec948cc

SHA1
2d19b76b8cbffdd71d2d3592af27f0f4ca92e3f4

SHA256
1f18bc2836bdeff0c1e13205f918d2c00ab12a5479e8321f92a0b06cd35604c8

SHA512
9f8074f506b299c681a51891b689a0fe8566c344794d9bdba6c545269aa86f0dbf3aeac38e02345069ca4592b70dbc658814cca99b29d79b57e0186164b2bf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxa1xbc2\zxa1xbc2.dll
MD5
ec3d71b5ac572b7f6436902b1f411219

SHA1
2dfa178e4b5e7494be4f8b3049f21422a6b3b9e3

SHA256
0e71ffc9e57f93bb80af070e5e97a80103b0769f609cb219dbbd1041bb952c73

SHA512
915db4cb0a5a24f565ccbd6621df560e41fe7da77283dba30176a817e305ae73fadc4194223b927f660e255a8f00bc5f0cf3566026fa6a0547654ec7383dfc3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.url
MD5
a031e41e2faa2a8282d91f2e2aba9103

SHA1
7526352d769b82debf0f125dd0f6db650b6e354f

SHA256
539430a394d49bf400877e1af78ea280f6b48dc7b3184708cc07da6b90af1856

SHA512
38354cc6c9369d1bbff71dfae4791ea2dfd6a0a7b25c2224947e9d45ce31d77cbf8a2c3614cc931126109821d63bbb50e2f608dbb88fee53c6f5e0485148a709

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
C:\Users\Admin\DocumentsICollectData.txt
MD5
0807a0a2d548b89754bcc9da967acec5

SHA1
8ae14b94c72aee276be405ad54a6bce2333dbef4

SHA256
aa4a43d63bcc841cbce4cfc238f39371abc4234bdae40a607db641c08d428301

SHA512
587dd73fa8441accb77248f74cc81810bc368e6d34f07b739e170b6ca51d287310c120ffe1e484529974ebb064a260e42115464224bd8cfc3c2387d9dd70c4bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1zqeyhyf\1zqeyhyf.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1zqeyhyf\1zqeyhyf.cmdline
MD5
b6ad3685f48674fadc00dd1b816aaf77

SHA1
73e16b20b9a1dffc9b082d540dd6bfd772f400fc

SHA256
9000aca1a0099880fb037d844b71124a43ed0336ec1508e2526895b0263f1c61

SHA512
b3905c1d2b9780bcd8589381aff5a78948d22df882658ac6f60d90a32d4e2a24cf9518897f65c97a9e46e3754ed92180ae1b4e2031556b90d3898bbe78044a4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1zqeyhyf\CSC4A90FCB4CEB44016AE78B2C1F3AE51.TMP
MD5
5483813b3d9968a22f9c0f0b6ae95792

SHA1
9c06cabb5bce781948fcccb98a99cdc88c9510ae

SHA256
31349d04eab89b59cf3455bb2d3ada55f39781a36d33b1f6bcc984f2c28ad4c4

SHA512
08a390a0adedf9b3f44b2fc1d7d48a4c2c07a58edfc4b1bf12ae6829d71300bd833b01a1a15b6fa9ddfba77b48ca462b9aed354fbe54fdea8a802d5fc37d0674

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ge3hj2z\2ge3hj2z.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ge3hj2z\2ge3hj2z.cmdline
MD5
bb4ef98d9cff123a0a66335457e1033b

SHA1
64be543480bd59b3a1ca75ecd593d87e92ed4a79

SHA256
d7a3109e9b4c0238923b45628a6296a2a0976612b0cbdfeb6fffb4f631ca2d8b

SHA512
59f194bd0d5bd23bf43d37308e3d2abfdba6a656ca0f01260197ccd6189108e317ac66709dc0a4a4c20eeea905a88ea9890e12900a908ebd5141d24788feb1cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ge3hj2z\CSCF08E85CD81C44437918792FFD6AA7E.TMP
MD5
6bb637a7d39325f8c1798ca9e76c3425

SHA1
23974408cb3292c45a0af13371e127de11c75f85

SHA256
0cf975cc587380811352c62d16113e31e85be3d574e20128e4d8c2a58b5cf4a0

SHA512
3040c2ac9b229b6fd271c7101545f82fc7e21b04c2377983d4e60ff3c5bbbb5ee5921e70dd6ab2e648900cf5e11982f5103c624bd6fb4039df815bd087f4c321

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ria2pgi\4ria2pgi.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ria2pgi\4ria2pgi.cmdline
MD5
9a391d72228f17980ae2055eda9a8b17

SHA1
cab0dfc73f9b9297344b41df36ab575d1c031089

SHA256
acc4f1f4a180891f3123ef84694b3cd01eef13111bdc709e744caa8410d2079d

SHA512
f3260df5f74b3ef4ff3583985a3f8a008357f367a243ef63e73e4f79ff86d9c1b0c6918a4e795c9d8c7b9fd12b9bf7673e97d69b8fb09b74cb3361d00e3de970

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ria2pgi\CSCA48308DC9AF549B4A812E658BB2DFAB3.TMP
MD5
36671afee31248ccee9e65f59b580ad0

SHA1
821636754300422fb84055bf26d3176f580b9d08

SHA256
50f27bd1048aff33322081565b635a17f7bb00740a38b860c2499d6fbbcb42c5

SHA512
323755a2e01681baa4f5da778c514fc421e82e0de0b1fa04a37d4459269ec324b51c0b76b4303fb5a0d18c5d40e62afee98c36202601eee3479827cf50922083

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\babxt0ml\CSC2749A39685D74C56AED1BA3D34F388.TMP
MD5
a5e15f7c480cc685c78109ef14d1d509

SHA1
666ab9e9112a4c52664c480ed2a777ce2a0a8172

SHA256
30c649f9fc7b4a0ec7914546cc209ae11a791266d90ce1b0f45985f079dce09b

SHA512
068a83441f76fdbdcd0f07cfc7cca89401bfcb874faba6c2af6b412770c83941f3d8cd79550a9ac75579ed31a0496026b767bd29886d9675dde46bf667801e75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\babxt0ml\babxt0ml.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\babxt0ml\babxt0ml.cmdline
MD5
547add478abd366ae0dee676bf322357

SHA1
a8128732a5eff0eae65414a3b478c737215118ae

SHA256
9e669f26d3b6b75a6aadafba62067988e8c29599b9ea6373e77cb3a36a9ee338

SHA512
39cb049da76e4204d5e11c1ac126da225ce952d75a441b89fba9f74ce1869f014c3fa8145b6c6e8df8e0b68c453d387714131df3e782aa22b9f5c51e6a7e31cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d2vnazze\CSCE36D1FD74B6D44F182B88A58DE9B4ED0.TMP
MD5
40d1bbad57fb5baef9b150234c48e986

SHA1
7c619cfd53f8afd85a804576036e5640eea73b84

SHA256
2d7d8306358815d67640a8f0d59bd41b893d96b61375265acf2dbb5cb3b5702d

SHA512
6587111a6f4a602df374f60f909326bece96c0396184b52b8e10713e3a3ca1c89934705f2a7db5ac0d39d6ccffba7e1313fd22a534abaf42be6d20bb67bb8529

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d2vnazze\d2vnazze.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d2vnazze\d2vnazze.cmdline
MD5
48eff6f74b9435b10decf7fa39909908

SHA1
6d0bfe6244a2bb99dfc2e169d0c4ca647c234177

SHA256
488678b510d1af7a4ddbf8daf976ed698438dff0e5a31e217ff487f6e97661b2

SHA512
3e45bf271c487cd0262163727b1277e60d6f9900022e5754d122bd81e66d52bd2b5eac60eef01f2fa51ee713e2760c242236c600ddb00921685a1f09518cdac9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dtfsilin\CSCA556D39ABD81421DBFEDE54714E18BF6.TMP
MD5
b0665a84f6cc696cc6f705d7256ac5a0

SHA1
ba2df1a804d8ddf7c9fc3198a600d90a5f90a9ad

SHA256
b3b409e8b4125882f87ee73ea0ef4f85a44e8b8258969690edfd9bf9025a6f9b

SHA512
453baf3a08bcc99ccd1ffafa0d437137f088cce5fb62a9bfef0dfb4ade525fcf6fb29b72ce9de8f8376f73a7bd9f7d772534de883bee24e366c3c9404d99a036

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dtfsilin\dtfsilin.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dtfsilin\dtfsilin.cmdline
MD5
7fd420c5db4ec69852c5be6e26818277

SHA1
ddceff92512f1628207abace488f30d1adbb3c92

SHA256
f61e1730712ad5e1868ad727c75b45dd7f462451f51be77ac84dfe6f579c3150

SHA512
e455344848efd45c33cef0e9a3ead294dd874c7ed73caa4d265c008e61c297534e435ac5074df174e0a8ffd63a40473c761fa31f09475061475cdcf84a654702

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eisunhu5\eisunhu5.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eisunhu5\eisunhu5.cmdline
MD5
2dfa54329353ac82c1531e6068480c7c

SHA1
725fe63944afc79eb66f66d5dc92e25a2f019e81

SHA256
a56ea2cbf13eb97a40d54039b1c85c8767cfc5eb33ba193ae06245f645ac9635

SHA512
5a1cf8b7d12be44fb5313efc48a2ed637fcc2aaf66c2cb066276f5c30ec4f9d4c83d4c6ef14cadba244899e44f9611f0403bc420ffcb753adf1e244bba9fba1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hl1d3dal\CSCC921BAF25F2C4F748D2A30B3E177ED8A.TMP
MD5
564ef9783820a586790245184a3e7a92

SHA1
c2d10dc231ad787c4ba1161e7cb15614753748d3

SHA256
63ebf7168e4da2d9c754f89bf4cb97e8db93a8ed60ff9f2856d3d8a5edcfaed6

SHA512
e77e2017586a7a735e5b3c49f8be44baad0da1955b90be8248bdc8a84b135acdf68ee633e82778ab078235342e98388e61c8fc05a407f119f3cc52c6e0b2b2bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hl1d3dal\hl1d3dal.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hl1d3dal\hl1d3dal.cmdline
MD5
ec1716583cc28e8dc74e80a2196eba6d

SHA1
7416e41192179bad2927b1bc1ab45a4790d26e71

SHA256
85f60f21e8a22c343e4a06644689b35d09d6c5e5b70f01ba5dbca1f88cd430cc

SHA512
27ee7c3db46d00ba746cf3ad78fe7da231a9b3cf5b9b58e23e77589a945ee23146ccd3052442d3cb7dcaba024dda0b7ecf2b2642210c55c0a8834272ddb11230

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sofqvjnt\CSC4C3CE591F1BD46759E571628B7CC4A9.TMP
MD5
ee96f0f634831cbdd08efb13a64d6432

SHA1
97595428dd86ee9f73f66c4fb1223c8728a5a229

SHA256
d55cae9d418c20cc5d15147219244efb8452e7c811a5570e5c720ac54efde5de

SHA512
bb11fd54c70b178fae71356a6bc1bec5087968acc65682e9c43f42e5acf72ea2286f3a6370d09252f158cba72c12c880d03ab38947758b1f92581b6f783ba577

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sofqvjnt\sofqvjnt.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sofqvjnt\sofqvjnt.cmdline
MD5
1974eceb7ca2b3a29125facc61885ff7

SHA1
921b8f496997e8a91f4234d429196eb83eb1842b

SHA256
551b56c9e0e107f123bcc2abc969d0d2f000cf6ff0480e4a4ec0b4f6e4fcd0d4

SHA512
7f9e3505132c9f441de324487006b8275bd5e6ab1086274fbf6c5559ec559f0fffe21ae5d1292cc49c8b9800362d3a8d47e38f9d90e0bf4fc1dd45f26d3f6e76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxa1xbc2\CSC9AE1542A600E43D59A87E2B2B6F9131.TMP
MD5
7a4eb7c8d7d1c61ac0b66c738c337dd1

SHA1
68272a1cec9f5c832435c77c61efde24bf981e09

SHA256
5033ad3fa1399f1c56a670d3b7f4953fabedd07d0be3eabb2a63e2c27069b801

SHA512
9478fb08df30feff6a77432447665e1eb6a04be1543fc2652c96248d344a464cbeb35a236eefb95b4d89491d3b20fda770768e8cd92d53f1cdbfbabcecea6fbe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxa1xbc2\zxa1xbc2.0.cs
MD5
e2e4c88c5da15cab714003462226a701

SHA1
f585bf2beac7a536061c63a883d7984e33d054bf

SHA256
9fcc82655ef792bfd2bc7ff7cc9d4ee207fe36686ccd875c6b3212bfecae28be

SHA512
b9f77a9f377b5536335eccf25937dce752ac4deb038b2d5dc90d3a1c8471bb01090b7cc0c9774e4c443f6923183e1a106ae1f1756ccc96599ce2dfeb43de410f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxa1xbc2\zxa1xbc2.cmdline
MD5
a2d57c1e62127934e5d7bd699afd9069

SHA1
d3d63f7ef127bdb40a4db518f8bafca4f3f425cb

SHA256
1ae5b8458aa070a2e9c4d41923471732cc9001fef19e4b66567e40b2fb0abddd

SHA512
0d0c745493ca08da63eea9b3ae71e85ff506805b7111c102f141e97800d984f5ffd3ffbc0781b3833284fdd4b0bd8416086dd670f37c21aed1bfa3b447dc5099

Download Submit
memory/184-245-0x0000000000000000-mapping.dmp

Download
memory/184-152-0x0000000000000000-mapping.dmp

Download
memory/184-169-0x0000000004DE0000-0x0000000004F6B000-memory.dmp

Filesize
1.5MB

Download
memory/184-165-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/184-261-0x00000000056C0000-0x000000000584B000-memory.dmp

Filesize
1.5MB

Download
memory/184-257-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1120-162-0x0000000000000000-mapping.dmp

Download
memory/1244-185-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1244-192-0x0000000004D20000-0x0000000004EAB000-memory.dmp

Filesize
1.5MB

Download
memory/1244-175-0x0000000000000000-mapping.dmp

Download
memory/1384-116-0x0000000000000000-mapping.dmp

Download
memory/1664-264-0x000000000048B2FE-mapping.dmp

Download
memory/1664-274-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/1772-256-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1772-241-0x000000000048B2FE-mapping.dmp

Download
memory/1784-350-0x000000000041211A-mapping.dmp

Download
memory/1800-303-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1800-120-0x0000000000000000-mapping.dmp

Download
memory/1800-298-0x000000000048B2FE-mapping.dmp

Download
memory/1848-188-0x0000000000000000-mapping.dmp

Download
memory/2068-275-0x0000000000000000-mapping.dmp

Download
memory/2068-356-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/2068-351-0x000000000048B2FE-mapping.dmp

Download
memory/2076-211-0x0000000000000000-mapping.dmp

Download
memory/2128-182-0x0000000000000000-mapping.dmp

Download
memory/2148-302-0x0000000000000000-mapping.dmp

Download
memory/2344-159-0x0000000000000000-mapping.dmp

Download
memory/2528-251-0x0000000000000000-mapping.dmp

Download
memory/2532-288-0x0000000000000000-mapping.dmp

Download
memory/2536-237-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2536-218-0x000000000048B2FE-mapping.dmp

Download
memory/2576-131-0x0000000009A50000-0x0000000009A51000-memory.dmp

Filesize
4KB

Download
memory/2576-127-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2576-145-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2576-132-0x0000000009730000-0x0000000009731000-memory.dmp

Filesize
4KB

Download
memory/2576-126-0x000000000048B2FE-mapping.dmp

Download
memory/2576-130-0x0000000005020000-0x0000000005092000-memory.dmp

Filesize
456KB

Download
memory/2772-149-0x000000000048B2FE-mapping.dmp

Download
memory/2772-164-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2780-279-0x0000000000000000-mapping.dmp

Download
memory/2836-270-0x0000000000000000-mapping.dmp

Download
memory/2836-276-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2876-232-0x0000000000000000-mapping.dmp

Download
memory/3120-137-0x0000000000000000-mapping.dmp

Download
memory/3128-229-0x0000000000000000-mapping.dmp

Download
memory/3152-129-0x0000000004B30000-0x0000000004B33000-memory.dmp

Filesize
12KB

Download
memory/3152-114-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/3152-119-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/3152-124-0x00000000049A0000-0x0000000004B2B000-memory.dmp

Filesize
1.5MB

Download
memory/3152-125-0x0000000005DD0000-0x0000000005E64000-memory.dmp

Filesize
592KB

Download
memory/3172-199-0x0000000000000000-mapping.dmp

Download
memory/3172-215-0x0000000005690000-0x000000000581B000-memory.dmp

Filesize
1.5MB

Download
memory/3172-208-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/3280-195-0x000000000048B2FE-mapping.dmp

Download
memory/3280-207-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3376-206-0x0000000000000000-mapping.dmp

Download
memory/3384-360-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3776-285-0x0000000000000000-mapping.dmp

Download
memory/3776-290-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/3788-304-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/3788-299-0x0000000000000000-mapping.dmp

Download
memory/3792-369-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/3888-140-0x0000000000000000-mapping.dmp

Download
memory/3892-236-0x0000000004C70000-0x0000000004DFB000-memory.dmp

Filesize
1.5MB

Download
memory/3892-238-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3892-223-0x0000000000000000-mapping.dmp

Download
memory/3892-293-0x0000000000000000-mapping.dmp

Download
memory/3900-289-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/3900-284-0x000000000048B2FE-mapping.dmp

Download
memory/3960-254-0x0000000000000000-mapping.dmp

Download
memory/3984-146-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/3984-133-0x0000000000000000-mapping.dmp

Download
memory/3984-144-0x0000000004F50000-0x00000000050DB000-memory.dmp

Filesize
1.5MB

Download
memory/3988-184-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/3988-172-0x000000000048B2FE-mapping.dmp

Download
memory/4116-349-0x0000000000000000-mapping.dmp

Download
memory/4152-307-0x0000000000000000-mapping.dmp

Download
memory/4164-311-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4164-308-0x000000000044472E-mapping.dmp

Download
memory/4180-357-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4180-352-0x0000000000000000-mapping.dmp

Download
memory/4208-315-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/4208-309-0x000000000048B2FE-mapping.dmp

Download
memory/4276-313-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/4276-310-0x0000000000000000-mapping.dmp

Download
memory/4320-312-0x0000000000000000-mapping.dmp

Download
memory/4404-316-0x000000000041211A-mapping.dmp

Download
memory/4404-323-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4416-317-0x000000000044472E-mapping.dmp

Download
memory/4428-318-0x0000000000000000-mapping.dmp

Download
memory/4468-326-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/4468-319-0x000000000048B2FE-mapping.dmp

Download
memory/4540-322-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4540-320-0x0000000000000000-mapping.dmp

Download
memory/4580-324-0x0000000000000000-mapping.dmp

Download
memory/4644-359-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4668-327-0x0000000000000000-mapping.dmp

Download
memory/4680-328-0x000000000041211A-mapping.dmp

Download
memory/4692-329-0x000000000044472E-mapping.dmp

Download
memory/4724-336-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4724-330-0x000000000048B2FE-mapping.dmp

Download
memory/4796-337-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4796-331-0x0000000000000000-mapping.dmp

Download
memory/4824-332-0x0000000000000000-mapping.dmp

Download
memory/4848-365-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/4868-364-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/4912-338-0x000000000041211A-mapping.dmp

Download
memory/4924-339-0x0000000000000000-mapping.dmp

Download
memory/4972-340-0x000000000044472E-mapping.dmp

Download
memory/4996-347-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/4996-341-0x000000000048B2FE-mapping.dmp

Download
memory/5068-348-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5068-342-0x0000000000000000-mapping.dmp

Download
memory/5108-346-0x0000000000000000-mapping.dmp

Download