azorult | d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8

Analysis

max time kernel
155s
max time network
139s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Size

1.3MB
MD5

0c55a6f232fd0670a66eb1eec42efe22
SHA1

d81f3a175c9e49bc9d5333cf9462065ff50c4c29
SHA256

d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8
SHA512

75e7f455a1a943e324a30ae75f7788d98ea870480464ff7fc0d100336dafd5d0eec067e6b5c59b18ddf80cb46e3b7f068e9157d5974419f2444f6df878f6a318

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Extracted

Family

azorult

http://performancehaelth.com/okoye/32/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\None"	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe

Suspicious use of SetThreadContext 36 IoCs

Processes:

description	pid	process	target process
PID 1112 set thread context of 1732	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 set thread context of 1888	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1828 set thread context of 1236	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1296 set thread context of 1704	1296	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 904 set thread context of 1136	904	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 964 set thread context of 1060	964	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 360 set thread context of 2024	360	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 952 set thread context of 1636	952	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1432 set thread context of 2044	1432	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1136 set thread context of 1064	1136	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 832 set thread context of 1676	832	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 796 set thread context of 3224	796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3300 set thread context of 3380	3300	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3456 set thread context of 3528	3456	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3608 set thread context of 3696	3608	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3780 set thread context of 2772	3780	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 2848 set thread context of 2912	2848	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 2996 set thread context of 3048	2996	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3132 set thread context of 3184	3132	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 824 set thread context of 3500	824	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3316 set thread context of 3584	3316	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3324 set thread context of 3732	3324	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3684 set thread context of 2800	3684	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 2892 set thread context of 3912	2892	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3996 set thread context of 4048	3996	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1916 set thread context of 3280	1916	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3356 set thread context of 536	3356	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 764 set thread context of 1336	764	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1192 set thread context of 2724	1192	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 3776 set thread context of 2972	3776	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 2840 set thread context of 3116	2840	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 2984 set thread context of 3396	2984	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1744 set thread context of 1732	1744	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1400 set thread context of 940	1400	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1628 set thread context of 1064	1628	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 2752 set thread context of 2944	2752	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe

pid	process
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1296	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1296	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1296	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
904	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
904	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
964	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
360	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
952	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1432	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
1136	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
832	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1296	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	904	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	964	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	360	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	952	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1432	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1136	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	832	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	796	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3300	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3456	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3608	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3780	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	2848	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	2996	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3132	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	824	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3316	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3324	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3684	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	2892	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3996	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1916	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3356	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	764	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1192	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	3776	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	2840	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	2984	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1744	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1400	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	1628	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
Token: SeDebugPrivilege	2752	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.execsc.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.execsc.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.execsc.exed495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe

description	pid	process	target process
PID 1112 wrote to memory of 1484	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1112 wrote to memory of 1484	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1112 wrote to memory of 1484	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1112 wrote to memory of 1484	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1484 wrote to memory of 1080	1484	csc.exe	cvtres.exe
PID 1484 wrote to memory of 1080	1484	csc.exe	cvtres.exe
PID 1484 wrote to memory of 1080	1484	csc.exe	cvtres.exe
PID 1484 wrote to memory of 1080	1484	csc.exe	cvtres.exe
PID 1112 wrote to memory of 1700	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1112 wrote to memory of 1700	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1112 wrote to memory of 1700	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1112 wrote to memory of 1700	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1112 wrote to memory of 1732	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1112 wrote to memory of 1732	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1112 wrote to memory of 1732	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1112 wrote to memory of 1732	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1112 wrote to memory of 1732	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1112 wrote to memory of 1580	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1112 wrote to memory of 1580	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1112 wrote to memory of 1580	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1112 wrote to memory of 1580	1112	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1580 wrote to memory of 792	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1580 wrote to memory of 792	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1580 wrote to memory of 792	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1580 wrote to memory of 792	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 792 wrote to memory of 964	792	csc.exe	cvtres.exe
PID 792 wrote to memory of 964	792	csc.exe	cvtres.exe
PID 792 wrote to memory of 964	792	csc.exe	cvtres.exe
PID 792 wrote to memory of 964	792	csc.exe	cvtres.exe
PID 1580 wrote to memory of 912	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 912	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 912	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 912	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1524	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1524	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1524	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1524	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1888	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1888	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1888	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1888	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1888	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1580 wrote to memory of 1828	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1580 wrote to memory of 1828	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1580 wrote to memory of 1828	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1580 wrote to memory of 1828	1580	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1828 wrote to memory of 2016	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1828 wrote to memory of 2016	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1828 wrote to memory of 2016	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 1828 wrote to memory of 2016	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe
PID 2016 wrote to memory of 824	2016	csc.exe	cvtres.exe
PID 2016 wrote to memory of 824	2016	csc.exe	cvtres.exe
PID 2016 wrote to memory of 824	2016	csc.exe	cvtres.exe
PID 2016 wrote to memory of 824	2016	csc.exe	cvtres.exe
PID 1828 wrote to memory of 1236	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1828 wrote to memory of 1236	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1828 wrote to memory of 1236	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1828 wrote to memory of 1236	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1828 wrote to memory of 1236	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	vbc.exe
PID 1828 wrote to memory of 1296	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1828 wrote to memory of 1296	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1828 wrote to memory of 1296	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1828 wrote to memory of 1296	1828	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
PID 1296 wrote to memory of 848	1296	d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
"C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x35nggsy\x35nggsy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7659.tmp" "c:\Users\Admin\AppData\Local\Temp\x35nggsy\CSCAB5B2C836C34416BC382C5D5D5BC3.TMP"
    3⤵
    PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
  "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dj35z4gf\dj35z4gf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC6D.tmp" "c:\Users\Admin\AppData\Local\Temp\dj35z4gf\CSC338B8B41B8B34B72A143B657BC1E1E17.TMP"
      4⤵
      PID:964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
    "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2few4skn\2few4skn.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC340.tmp" "c:\Users\Admin\AppData\Local\Temp\2few4skn\CSC988999B73961458FA3B6D23A303D97EC.TMP"
        5⤵
        
        PID:824
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
      "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\okkk51nf\okkk51nf.cmdline"
        5⤵
        
        PID:848
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA90.tmp" "c:\Users\Admin\AppData\Local\Temp\okkk51nf\CSC74C41B4AE88E48D190E87D7DFEC0EB3.TMP"
        6⤵
        
        PID:1564
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:1608
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:1620
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        5⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utkwgw0h\utkwgw0h.cmdline"
        6⤵
        
        PID:1964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFAF.tmp" "c:\Users\Admin\AppData\Local\Temp\utkwgw0h\CSC6DF1CBEE984140B88F557F297C1CA5DD.TMP"
        7⤵
        
        PID:1676
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        
        PID:1176
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ctmrszmk\ctmrszmk.cmdline"
        7⤵
        
        PID:1532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD588.tmp" "c:\Users\Admin\AppData\Local\Temp\ctmrszmk\CSCAC99E2CE3D540BEAF9C9F3EC728CAB.TMP"
        8⤵
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        7⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        7⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\za4igzqy\za4igzqy.cmdline"
        8⤵
        
        PID:1064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAD6.tmp" "c:\Users\Admin\AppData\Local\Temp\za4igzqy\CSC32DF3362734B497ABED0CF22205B3836.TMP"
        9⤵
        
        PID:1400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        8⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        8⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gytrju4b\gytrju4b.cmdline"
        9⤵
        
        PID:1260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE090.tmp" "c:\Users\Admin\AppData\Local\Temp\gytrju4b\CSCEB4BE882EEFF4429A2B9E7A2B1A238D5.TMP"
        10⤵
        
        PID:1612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        9⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        9⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tz5a1jji\tz5a1jji.cmdline"
        10⤵
        
        PID:780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE679.tmp" "c:\Users\Admin\AppData\Local\Temp\tz5a1jji\CSC594C5C247524657848ADF5C1B92C2A.TMP"
        11⤵
        
        PID:972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        10⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        10⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjgm2u3z\cjgm2u3z.cmdline"
        11⤵
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC14.tmp" "c:\Users\Admin\AppData\Local\Temp\cjgm2u3z\CSCE2C750A4B2AB49AEB2AFC2F97D3035D8.TMP"
        12⤵
        
        PID:1624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        11⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        11⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0fln5f1\a0fln5f1.cmdline"
        12⤵
        
        PID:1260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF316.tmp" "c:\Users\Admin\AppData\Local\Temp\a0fln5f1\CSCE8B1051369CD4479ABDFABC5F3D37774.TMP"
        13⤵
        
        PID:792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        12⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        12⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rgrhtq4b\rgrhtq4b.cmdline"
        13⤵
        
        PID:1888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF854.tmp" "c:\Users\Admin\AppData\Local\Temp\rgrhtq4b\CSCC0555E3F985446EBEE5BBA50EB19C9.TMP"
        14⤵
        
        PID:1532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:2992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:1416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        13⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        13⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3slvfgct\3slvfgct.cmdline"
        14⤵
        
        PID:3336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF08.tmp" "c:\Users\Admin\AppData\Local\Temp\3slvfgct\CSC8B2599BEF36846EF942CB03260CC1717.TMP"
        15⤵
        
        PID:3364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        14⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        14⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ydkvvi2v\ydkvvi2v.cmdline"
        15⤵
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES494.tmp" "c:\Users\Admin\AppData\Local\Temp\ydkvvi2v\CSCCD021D5A4F1A43CA915193442FB484B7.TMP"
        16⤵
        
        PID:3512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        15⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        15⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ng3ejta5\ng3ejta5.cmdline"
        16⤵
        
        PID:3636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E1.tmp" "c:\Users\Admin\AppData\Local\Temp\ng3ejta5\CSC2DE1279A23E94C9CB5C9779BB8D4591A.TMP"
        17⤵
        
        PID:3664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        16⤵
        
        PID:3680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        16⤵
        
        PID:3688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        16⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        16⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n4goaxnl\n4goaxnl.cmdline"
        17⤵
        
        PID:3820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8C.tmp" "c:\Users\Admin\AppData\Local\Temp\n4goaxnl\CSCF675B31CDC3446D78A8CECCF27F84E9A.TMP"
        18⤵
        
        PID:3848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:4088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:3388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:1888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2740
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        17⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        17⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\20ezxcp5\20ezxcp5.cmdline"
        18⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15F2.tmp" "c:\Users\Admin\AppData\Local\Temp\20ezxcp5\CSC73DB85A09C3E41DDB84874A55A718A2.TMP"
        19⤵
        
        PID:2908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        18⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        18⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bz2cg1of\bz2cg1of.cmdline"
        19⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B8D.tmp" "c:\Users\Admin\AppData\Local\Temp\bz2cg1of\CSCD599C36677BE49EBA56AEF555A93BF8.TMP"
        20⤵
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        19⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        19⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\myrtzbnb\myrtzbnb.cmdline"
        20⤵
        
        PID:3156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES206D.tmp" "c:\Users\Admin\AppData\Local\Temp\myrtzbnb\CSCA18FA3F1FA9A4C88A38B2B25A08C37ED.TMP"
        21⤵
        
        PID:3180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        20⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        20⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qiwmrw0x\qiwmrw0x.cmdline"
        21⤵
        
        PID:3400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES259B.tmp" "c:\Users\Admin\AppData\Local\Temp\qiwmrw0x\CSCDCF17886AAEB49E3BE3F96128A47A8F0.TMP"
        22⤵
        
        PID:3464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        21⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        21⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cldbddt5\cldbddt5.cmdline"
        22⤵
        
        PID:3560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C5F.tmp" "c:\Users\Admin\AppData\Local\Temp\cldbddt5\CSC614452088BA84A7E81F97DA89D7B8AE.TMP"
        23⤵
        
        PID:3564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        22⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        22⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\guwpjz0x\guwpjz0x.cmdline"
        23⤵
        
        PID:3704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31BB.tmp" "c:\Users\Admin\AppData\Local\Temp\guwpjz0x\CSC9D0051CE720644B2866DF77217A03B1A.TMP"
        24⤵
        
        PID:3712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        23⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        23⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\11q4ghdy\11q4ghdy.cmdline"
        24⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3718.tmp" "c:\Users\Admin\AppData\Local\Temp\11q4ghdy\CSCDBB00C67E86B4BDEA6D703D29139790.TMP"
        25⤵
        
        PID:3604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        24⤵
        
        PID:2780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        24⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        24⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vggcw4sz\vggcw4sz.cmdline"
        25⤵
        
        PID:3884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CB3.tmp" "c:\Users\Admin\AppData\Local\Temp\vggcw4sz\CSCD212F311C6004E0286C93D28CE7FA09B.TMP"
        26⤵
        
        PID:3908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        25⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        25⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bb1iva4u\bb1iva4u.cmdline"
        26⤵
        
        PID:4020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4201.tmp" "c:\Users\Admin\AppData\Local\Temp\bb1iva4u\CSCA2962EA03BFD43A5BDE3B250D7BB3A.TMP"
        27⤵
        
        PID:4044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        26⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        26⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxwtpdwu\sxwtpdwu.cmdline"
        27⤵
        
        PID:988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4700.tmp" "c:\Users\Admin\AppData\Local\Temp\sxwtpdwu\CSC4F4118CADB4549F8BC5A9DB7E1D5A7B9.TMP"
        28⤵
        
        PID:3268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        27⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        27⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pxfa3pvb\pxfa3pvb.cmdline"
        28⤵
        
        PID:1304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C3D.tmp" "c:\Users\Admin\AppData\Local\Temp\pxfa3pvb\CSC45286D77F0864C748A56EABEBDE67D61.TMP"
        29⤵
        
        PID:608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        28⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        28⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bb3ieztu\bb3ieztu.cmdline"
        29⤵
        
        PID:1928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES514C.tmp" "c:\Users\Admin\AppData\Local\Temp\bb3ieztu\CSC35784308B83C48D3AC19DF28CFA34D62.TMP"
        30⤵
        
        PID:940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        29⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        29⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5ccqdjb\l5ccqdjb.cmdline"
        30⤵
        
        PID:588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5726.tmp" "c:\Users\Admin\AppData\Local\Temp\l5ccqdjb\CSC15E50634B5A24DB7B4579FB1B6DAE5D0.TMP"
        31⤵
        
        PID:1064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:1648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        30⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        30⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uot4shd0\uot4shd0.cmdline"
        31⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CA2.tmp" "c:\Users\Admin\AppData\Local\Temp\uot4shd0\CSC8810900776834AF692FF6572B9D0336D.TMP"
        32⤵
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        31⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        31⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvyj3gne\qvyj3gne.cmdline"
        32⤵
        
        PID:3092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES629B.tmp" "c:\Users\Admin\AppData\Local\Temp\qvyj3gne\CSC1F6C038F6484F6496C6B22EFEE52A28.TMP"
        33⤵
        
        PID:3076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        32⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        32⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hd3r0auw\hd3r0auw.cmdline"
        33⤵
        
        PID:2036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67B9.tmp" "c:\Users\Admin\AppData\Local\Temp\hd3r0auw\CSCF2892D354874233A7688088DD5C693D.TMP"
        34⤵
        
        PID:3208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        33⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        33⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\frbyj1j0\frbyj1j0.cmdline"
        34⤵
        
        PID:3380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D64.tmp" "c:\Users\Admin\AppData\Local\Temp\frbyj1j0\CSC5E3BB159D4A940CC9521A8414B30374A.TMP"
        35⤵
        
        PID:1636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:1524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:1716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:1080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:4060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:3388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        34⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        34⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yckf5lae\yckf5lae.cmdline"
        35⤵
        
        PID:1140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES732E.tmp" "c:\Users\Admin\AppData\Local\Temp\yckf5lae\CSC969D9A77BA56427CB6266EA5C55DB66.TMP"
        36⤵
        
        PID:1508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        35⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        35⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zoasfquo\zoasfquo.cmdline"
        36⤵
        
        PID:1048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES780E.tmp" "c:\Users\Admin\AppData\Local\Temp\zoasfquo\CSCC457A0B922D44B13B9962D276DF2B851.TMP"
        37⤵
        
        PID:1260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        36⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        36⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\flbtjdwj\flbtjdwj.cmdline"
        37⤵
        
        PID:2748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D0D.tmp" "c:\Users\Admin\AppData\Local\Temp\flbtjdwj\CSCDAE4FDEC6B0A4E3DBE77D8E3F786A642.TMP"
        38⤵
        
        PID:2948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        37⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d495dd207946570ab08c5db0ecd28ca1fdff588b63580e8273fc2450a56ec6e8.exe"
        37⤵
        Adds Run key to start application
        
        PID:1252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r5jdrawm\r5jdrawm.cmdline"
        38⤵
        
        PID:692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81DE.tmp" "c:\Users\Admin\AppData\Local\Temp\r5jdrawm\CSC3960B446AA64747913DDDACB3E90F6.TMP"
        39⤵
        
        PID:1592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3740
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:4048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:1260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        38⤵
        
        PID:3384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2few4skn\2few4skn.dll

Filesize
402KB

MD5
9d4a21aac57789d5f238649ef3486cd6

SHA1
c9c0d3af62f5c13e18709598b46f9fe6191f9717

SHA256
14d30efece460caa57d882a5127df7626fc2d1d596e2195b39af359302a5c6c6

SHA512
8e11335da98bafce0824e79215356754549448c6922ca8fe7acf8998991674074b0d4298609d936d047a44e1228d45c76fe414dcb457e2b8ce286e31066760c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7659.tmp

Filesize
1KB

MD5
616a11d1998c89f01c9fe14369ec3a2a

SHA1
edb9e89ba3229650fe5d5dc792878e4243f0512e

SHA256
3c3a6b2468076a79992e5ff733e8fbfe02fb9b29bb7ca679943480345940efe8

SHA512
55fdcc7efdd49380cf5a9c2d69b58f2c3ee50262f7141ee3237928769d8acaa07a673215d4da33aab9268b5ed8771b45a99e63b90a370c5cf8645a198bfe9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC6D.tmp

Filesize
1KB

MD5
4c6c326e134f0fffddea5f40a34b706c

SHA1
e2284746e29d3ea3c1af72cc9efc7140ef4cefea

SHA256
3038f1e3be26dbfe6926ea4fe342f8de7157271fa1730492453a8232e062533c

SHA512
a5342b525a24b408d1b6c748f6ff751b7b6cbd36bb0a93a9f2349c9f08a8bd2ae9c4366a308504ced0ef3a196501fe53648f8552d4cde03991ba2006173d6739

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC340.tmp

Filesize
1KB

MD5
7b725f0aa09894de5d4883da214d8635

SHA1
a1d6dcb5dd60474bd19c5643183ea91838759c36

SHA256
bf96c81a76e7a1b26a800e4d4f7c11770cc4a554cba55e56d72afdeb2469fcd9

SHA512
a89791c1df41d87a1f59407ccbd575dd2b16ae4b96b90d2c8765e4927b82ed9406c2934d8e0583896b73a23133d624688ae7bc50ca80f4182965ab3a3dc1cae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA90.tmp

Filesize
1KB

MD5
8bb5be5a3dd36d9b81c992860a249e3a

SHA1
e1fad1eb9cb8cc5c7297ea81837ada6e5852f3fe

SHA256
bb726e74c9c0e5a35cec8b8539154366c5ca482ab83df11039919c2dfba31574

SHA512
667451751291c140ab1135e02e788a5595e0eff397a4aff331317fa0b37a35f0739ae20b5b48f9b5f7439ae086d59150d0b96f1779a0ced57ab3f119eda7d62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFAF.tmp

Filesize
1KB

MD5
ba6df5d9057f75b1689edb91bd00ba84

SHA1
5b95d36035d677f601e6428394a6384c1b8faaa6

SHA256
1e3f1f5e28664719fa04b84b877e18033f5731d9a85bb0dd1daa4f75a6ad7df3

SHA512
35a1adb2e971ea49e6ad696a4775424c7ea1a8768d94bb01abeb24258f89c14ceae2808195a7c92e5cb61e36f18d08bf9f65600d570e1e7c2fee6f8b19daa5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD588.tmp

Filesize
1KB

MD5
683c1c6133769f5333c162c12d0b5541

SHA1
89ae27e94fb5fdd470a759171571ed83bda414db

SHA256
0fc81c3ea6f9edf23cff7248b1279ad11b7eda52a16577e1ef34b00fb4c117b8

SHA512
6e91875be2c499f1f55922d0d095af46697d18137a1d19a2e9b838183cc7c3ec577fd2b3061685ab5678aee480feb07e379c80c6a7caa9a8bf874b4cef47cb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDAD6.tmp

Filesize
1KB

MD5
8fdb7d790303ab6b75b51901b837ca2d

SHA1
1b89c0659da548c09a29c4dbf7e15c62cd1a7b66

SHA256
268294993aad53c289586cbabf07de3a7079acafa9a6421fc10f2aa75cd17b27

SHA512
834dab09f25f4fbad1fe93534d6bd2ffc623baf2e7801afcc99aa26ed82df03aa8239100b7ac4c5a652089c205d3579a1043060194db5c0567bae45c9b83a6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE090.tmp

Filesize
1KB

MD5
805a2dfbda780427221f4fc0a0644035

SHA1
203ccc80d948e30291d7c655c7331fdbf148e46c

SHA256
df81d80d56faf55a7c34e56cdb3a81e6e3f0fa2c5dfc186b02d7de4846a78e21

SHA512
d227146e3949d7f2cc46659ab908752e0e5da67ec74c74c76bf31ab42691cb8dce917113cc1b7dae21c4b3e34d96806b5f65930e6f89923849056632290f1a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE679.tmp

Filesize
1KB

MD5
cae410f377a656ad5410a8d59aa5ff56

SHA1
099a63305a089131e246f34788f53d54cdeafbf2

SHA256
6a26160f33ec513b4f29223ae8b0a65b9d102dc68983684b15dc756894b4e7ff

SHA512
aa6b05491110d28670dc490964235b328f2ef4efc07729e7c03e6de10e9058e32e2f501adc4b5ecab3f31e7bacee49a950a2b617a46e88f0fca1902db87ca3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC14.tmp

Filesize
1KB

MD5
c1482f0b8ee3e92d83e585ec793cd1f3

SHA1
af185d05aeb7d6519e9856a960e2a66301b54d82

SHA256
4ce8c88aa2e7470937294131aaccac83ae94036c6edb5e0e766a5ddc41573fff

SHA512
5026fd3e169fe3e2a2d2e2cb5cf78a7792149b1a8f8340d080635a60aaebae57630536fc8d164f695212d3e7703a13276d4fd596f6fd50d54fb92579471bbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF316.tmp

Filesize
1KB

MD5
2a4659a4f81a7ba0191104fcb48f269d

SHA1
8691e978a29b963140652c724439330a97e4ee8d

SHA256
8742023516a13e66812989dc23bb04aa41a3fc1a63694d60d43fda70c136dc6f

SHA512
c1daaa99d7596b026dc0c83e286dfdc2082193e0a38502a00eb268ffe9761adcc487d8198c104cef828bcca513df2630d243b8b0f82395e15e21922f3f1a9eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjgm2u3z\cjgm2u3z.dll

Filesize
402KB

MD5
68ff4b9e49b28a7af6605fb1ce348ee4

SHA1
9d1e26e9cc5e1c080d7ab53e243960ad69535a3d

SHA256
79872fc5c8e86e6ef6ad62062878bf6d131bfe76acd94632bd3599221dd6e1dc

SHA512
defb9618a592b653e3896cfb2361d9e618c7d6ca0907b4e2d503734ae542c72a7da4d1004ae8a32958442061a22386d5db3ee3b085301892ea0eab9682132613

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctmrszmk\ctmrszmk.dll

Filesize
402KB

MD5
afea6c6d107b36c01c353beab6936dcc

SHA1
7103ebdf7f742c9bdc86f67f42e94bc64b6f691f

SHA256
feb13f3dfa5c76f996adf8514daf80773b4bbc4805bae9025dcbe05f4b7ab0ea

SHA512
0d481c39c098c8f34e5e1cbe93d51a4b9ad843d9ba75600f756544a81ac44e84d81b7b87c9073757c2c74e37b1e613edafb1d421ab89ef597fde968ed0be30f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dj35z4gf\dj35z4gf.dll

Filesize
402KB

MD5
fc9d5f32d5b8609f5001ab00ec76b244

SHA1
c3790266f46f726907cf74050fdd113f74428ab6

SHA256
2ca094796015ea395c2ad44f7123373cec133b7856bb54b2b0fd0d6d2d53b22a

SHA512
3d6eb3ab2b0288a6fbccbb6262048ee857432964e8e59e058a931ed25ae1d8edeca6325f39c4e80e2f26d00a183b8a1eee9cf35d1124118bb9185d7ab66c8aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gytrju4b\gytrju4b.dll

Filesize
402KB

MD5
78ad8a6584999d6bd7e55b8950f91375

SHA1
01e627f481017189763640595561b49388d9943a

SHA256
dc49092b5e54917aa5f3628310bd9b419c97d1e688eb9c23420845c83eb83338

SHA512
747864ed5f06c5de928678658b9493e780ba26d738a12d32280c0bcf30a4e9d195ad39a611ab6094c87c330cd1c268ab92237f54a1583eb236aa4da5f5013e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\okkk51nf\okkk51nf.dll

Filesize
402KB

MD5
0b5f1eaeecf895e4c022c384006aadd3

SHA1
dea5862628c033022df1ed67dc9e6348b1bdf39c

SHA256
2e895e495e48a63f30ecff534b3a09f37f5315d8ffadfb18fd93e7094b8769e8

SHA512
60fca05239b43a2008745e2470f003fe8418a6894aa5dbbc185dd07a7af733db5190555af1699e5aec4dded859ad4a2633cfb0e3bc5fd823beac07c36bd99f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\tz5a1jji\tz5a1jji.dll

Filesize
402KB

MD5
87ea909702c17d66c37b11a2c6d33f66

SHA1
1c03e43357dfda24a05a0bf25853a84431bd7f50

SHA256
60e89725420e9dfb93e07db057d1e8b53a0a8a51fc0c6b15146df3f2dedfe13b

SHA512
9dcbdecaf22f7a7ab70e89fce55522fab91542d592cd0f1839700e0f9ade04f0a983b41b1b3c9191b3ba52a019a7871f91224147fdb2a4a5989120d4f916f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\utkwgw0h\utkwgw0h.dll

Filesize
402KB

MD5
b0a18802367f5d332d01fb7fae217490

SHA1
219e60b9fb806a975db9b811f59ae4bd21e9e693

SHA256
3f7b10bc014ab1b636d28a03bbe014f15483a063d643ccdde8214378821f4bbc

SHA512
3b40d3db6b493b67bc4bb1089157da03169d0612331551246ca4776d7f6407ace24c52a019349dbad2574cbaadf7075fe8be7a8b57daec366aac59273053ebca

Download Submit
C:\Users\Admin\AppData\Local\Temp\x35nggsy\x35nggsy.dll

Filesize
402KB

MD5
bf17e39cbf67aaff141c6e5c148dcefb

SHA1
a4df640d91f14088304e8224da0daa4f75f48fdf

SHA256
2dc5bf936756768934c1f29c7769e6c7aa1341ea4175471a22919e63359425b4

SHA512
c09ea28d6d0be7a6b798a9efdba76b8899464b14df81c302d386861af7c58af2ffd93c1d7e4240a6a7b07f8c41f8470a9617df1c6797cce0925eb90bb9251a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\za4igzqy\za4igzqy.dll

Filesize
402KB

MD5
50b83409f7055796ebecd7724af1acf9

SHA1
3259222656ce55ef739ae69e3a4ef4e9d9f81afc

SHA256
9054374066c39417500e55ddc75091c5c2253614a79325b355ea3a7039f06f83

SHA512
9b6ecc626d9a6eed586ab228377bd03cb23fbac271e337de110f4b069c923b7c1704a1bc9bfc9110c1ef5fe1e3551501de7d1ae1b3bb461974d829f68bdd2a5e

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
598KB

MD5
f1a75053c725a2e72627dc2484fc305c

SHA1
990d895a930d567eee5dc231ce04800b7bfad21c

SHA256
bc1b916fddcff2beaa857797ce1c110781328eac9ef668f3ce2dae6a0b96ddb7

SHA512
5bf6d38e95337ad494b520d70812923b520b693c6991b7704bce05e090173fd62d996af15d4631c1796a94817c4ae3c08c93d13c00f937a2853b9ae0bc6905a1

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
598KB

MD5
f1a75053c725a2e72627dc2484fc305c

SHA1
990d895a930d567eee5dc231ce04800b7bfad21c

SHA256
bc1b916fddcff2beaa857797ce1c110781328eac9ef668f3ce2dae6a0b96ddb7

SHA512
5bf6d38e95337ad494b520d70812923b520b693c6991b7704bce05e090173fd62d996af15d4631c1796a94817c4ae3c08c93d13c00f937a2853b9ae0bc6905a1

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
4KB

MD5
fedeba2342ca0d9a087be4b841f23858

SHA1
d871d3b96ddc2bf479912357d72fc46a27cc5b3f

SHA256
04e8ec821821813d6669f0643ce744958aee56557118e94ecfae03632ff54743

SHA512
72dcd1c61dac01727ad8d0924bf3c3f9989765882054e5f7132315d891479f7eb9f4552df45460de2b7c29905abdf20307735f4792a46e8f33526c6c12987bca

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
598KB

MD5
f1a75053c725a2e72627dc2484fc305c

SHA1
990d895a930d567eee5dc231ce04800b7bfad21c

SHA256
bc1b916fddcff2beaa857797ce1c110781328eac9ef668f3ce2dae6a0b96ddb7

SHA512
5bf6d38e95337ad494b520d70812923b520b693c6991b7704bce05e090173fd62d996af15d4631c1796a94817c4ae3c08c93d13c00f937a2853b9ae0bc6905a1

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
598KB

MD5
f1a75053c725a2e72627dc2484fc305c

SHA1
990d895a930d567eee5dc231ce04800b7bfad21c

SHA256
bc1b916fddcff2beaa857797ce1c110781328eac9ef668f3ce2dae6a0b96ddb7

SHA512
5bf6d38e95337ad494b520d70812923b520b693c6991b7704bce05e090173fd62d996af15d4631c1796a94817c4ae3c08c93d13c00f937a2853b9ae0bc6905a1

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
20KB

MD5
ff35ccf1c7de79ed116f98d68b75c570

SHA1
c250e741d16dfc79cf0b27df2c14cbeb887002d0

SHA256
245a2a6d24aafed5ffec18b72e5d9693e7d56923810894065a8f0ce4bf10752b

SHA512
023275a05a5dbe26984f5c94a91c2d22923c1ed8be0e4a28586993f7cf1d319dda05eade4c789b27fde0718a05dfa9f0aca77f40ce9fd5971e9f8ad3896cbfe0

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
598KB

MD5
f1a75053c725a2e72627dc2484fc305c

SHA1
990d895a930d567eee5dc231ce04800b7bfad21c

SHA256
bc1b916fddcff2beaa857797ce1c110781328eac9ef668f3ce2dae6a0b96ddb7

SHA512
5bf6d38e95337ad494b520d70812923b520b693c6991b7704bce05e090173fd62d996af15d4631c1796a94817c4ae3c08c93d13c00f937a2853b9ae0bc6905a1

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
8KB

MD5
ec66c662eac5c2f3e000002f90c5e107

SHA1
6d68d13eef1dbee30eb90bef40d18fcace35aca1

SHA256
cf786c2364ecc6eddcf611f4d97ba9acaa4f6437d759f7d12057bca3e41f5721

SHA512
5980092a4df0f97f567b010492066a2ef83fcfe1834202d7b8290366d5f7006138a43f7a44af85b746ba9a4e375bd2fa6f2cc87bf24e39baa6e1bcc5d9f17170

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
598KB

MD5
f1a75053c725a2e72627dc2484fc305c

SHA1
990d895a930d567eee5dc231ce04800b7bfad21c

SHA256
bc1b916fddcff2beaa857797ce1c110781328eac9ef668f3ce2dae6a0b96ddb7

SHA512
5bf6d38e95337ad494b520d70812923b520b693c6991b7704bce05e090173fd62d996af15d4631c1796a94817c4ae3c08c93d13c00f937a2853b9ae0bc6905a1

Download Submit
C:\Users\Admin\DocumentsCodeIdentifier

Filesize
352KB

MD5
86579715b61c185689a87eee2f6916ba

SHA1
a309152b5db9cdf73e76c675764d6f45a0c75354

SHA256
c0908a5f4eeea032ebe79e5ee8ce1e38fdc4903a15e29ce9c0081ab7c1f07085

SHA512
7930d2a4bd1c64d2f5d7bf4c158b69a1dda56b495bb8132e47f6c681a1c10c3db57547784a6eed242824e11a659d6a171b71751d62ba8fab27f5c999b6cef72a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2few4skn\2few4skn.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2few4skn\2few4skn.cmdline

Filesize
301B

MD5
674a5de6f6974d98d47a18954548bb24

SHA1
af63dd4644d93e5dcd2e77fc7e310b0e884dd5a1

SHA256
23ed3cc35a930a076a169249ecd31b9ddd273022c7eaa2f922e5d9c77c71be4c

SHA512
80f47dc073def42093a2e8ab3438dc683a20d59f8b9b069e6543cebfab9a78d68a19436d4f3e87a8ed31dbb3748b47b98343ff87166a03cfd2aca7eafdee3fe6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2few4skn\CSC988999B73961458FA3B6D23A303D97EC.TMP

Filesize
1KB

MD5
78d32ea92ad157996c2bea15fe551fb5

SHA1
04036418332377d1a865c7c35a420016f94c1862

SHA256
28405c17d3993d90b60a44d5ecb9749feb55e9f7dbdade141d2fffc7877952b3

SHA512
5c1bbdae2d7893e177843fa64792d7ef6f053f8e9a4b4d4ac204fe1bf00752e65fec4ce6fd547df88cf07e18eb1887b97026313a78dac6cf65985204547945ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a0fln5f1\CSCE8B1051369CD4479ABDFABC5F3D37774.TMP

Filesize
1KB

MD5
e0bad024baeaa8cb2bd769562976a491

SHA1
98680efbd9801f1862cdc6a2b1b297d8725aa781

SHA256
4a26b7cd7d62b75c6dcd8a6c2345c70b0ab2476ede1b220fea4e57c8aa83f2f2

SHA512
f6403972f16caa788e1633e173706b84fd9a5dea76d93fc05e8f1bd867782535a0b04e1f96d85d240a77b696eea2bf799fd877d2d7d5403d3bfe632f77c25ec6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a0fln5f1\a0fln5f1.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a0fln5f1\a0fln5f1.cmdline

Filesize
301B

MD5
70c1b820f46fcdad44dc4699599c3dad

SHA1
9359b5e876b2017237a2c7b40dc3e07d04254c98

SHA256
12d027af4225f3ad0ab3eab67d71c2f71461298fed5874e28f5bf4f62f4aa792

SHA512
c980183055b05dd579f74992d08cfeb1f3174898b87e96559276a40b8a2259f0abf6ccc16dcc60882baa84cc732e79bef5364a3844dd6bcdbd66570429533695

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjgm2u3z\CSCE2C750A4B2AB49AEB2AFC2F97D3035D8.TMP

Filesize
1KB

MD5
6d1cf1a8f44a67bb455d5c3ffc5d7acd

SHA1
e97c1a619a01903e938f1ee658b9b12852592e63

SHA256
888f71a9ad21a4a638c3205ebccbfe0f3d6e7f4c741cabc35d89776292458a6b

SHA512
0a5148df7f2e3e778fe511281702fad945386818e015aea249642219acafa26f7d7f5c911daf4a693ebe2882dd0b9a1e9fc54c09ba90bd887864a5a5fd753f07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjgm2u3z\cjgm2u3z.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjgm2u3z\cjgm2u3z.cmdline

Filesize
301B

MD5
fd01fc279b44e9a949a5c41d5f111b45

SHA1
5e3802cfa3d6c595104990f68f990d7d720a655d

SHA256
12b867fe17f70be88d9d3868ad23c8d24042b3f3cb6bd0d845e2e7447afd8e38

SHA512
9579b4bd3b7a412a97fbd730cd038dd7e4134486e7db49c5a436998e903f698b5a19a6b5dfba2d32d7ce118fc88f61c2c76b6d3de26609fb9df4bfbb47e91074

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctmrszmk\CSCAC99E2CE3D540BEAF9C9F3EC728CAB.TMP

Filesize
1KB

MD5
8cc419c9a0bf888caf1a50966455a5ba

SHA1
02bf31871098896809b2016eab0396f9e9227aec

SHA256
0d58e073f35c303dfcb44e2b48e3ad654c7d093c7293ed301eb1644a16c281a6

SHA512
0d3850b44c548b84127e106644c8e3677bf2ac80f6a0fe6e243ddaaef0dd3d0994cec4bfaa5ccdadeff5067bbedcb769ece28415d9b3055ea5e08758078a6896

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctmrszmk\ctmrszmk.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ctmrszmk\ctmrszmk.cmdline

Filesize
301B

MD5
be69b6f1ce6db92a3a4ce5e41ebd4a56

SHA1
cb2e74c87a55db49df10402a378ac4ad4ffe6630

SHA256
9f167230379fd5515a50eac39886eae4ee24afa44a17081fe88195ce368263c2

SHA512
5a6c8da95ff63b1052d3198786a56bd40314c9d88501790afbc6a8e2ccbaf3083631d4638bb33cd4828079c2a791a92f7cbb6ad9d55d9a7c63634972ec27fccf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dj35z4gf\CSC338B8B41B8B34B72A143B657BC1E1E17.TMP

Filesize
1KB

MD5
77e4353381c704a31c3bcc6e4832ba32

SHA1
2c47dc9f8d0f6bef46041deb19fdee1c60c3999a

SHA256
52d00fe3016d0812dbbd11ab81f83d688c45b88eafd4d581915daa0cde947e55

SHA512
6ebf5aa7ee755086fde2bba66aaebcb860a7467ada615ae902c98b2581e370d98e95e75be4289bad12b3cdcd22125be2318d4b7e86b2acb69cbef2191d3c6bb8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dj35z4gf\dj35z4gf.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dj35z4gf\dj35z4gf.cmdline

Filesize
301B

MD5
5f9bce75cfb1fc713a5d724b34784f6d

SHA1
3ef18eb1680d74993e12bab967fcf9996cfe67c9

SHA256
773bfad7c9b3a38cde4f3c8ed18b1e4417382273ba009dbbfca3fe7a9c9593bf

SHA512
1fe4e70ed8878a92b19f33a334cb69259d561cf0e14abcc4bf519ed1a36b9eddd9d35b2684bd3e682e8b376c66ba052a99aa55f665bca3f27125857b1d9edd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gytrju4b\CSCEB4BE882EEFF4429A2B9E7A2B1A238D5.TMP

Filesize
1KB

MD5
5549ce18a0e0b3290180ff659c54489e

SHA1
5593a6844c293aaff65bef67276f78504bd4a77a

SHA256
ed74dec708eea8c0622e4da18a6689bf1af13881e8f3d8b564537008fcab5a71

SHA512
e7f82a1503fa39a68ccf4469e276d2e34fa8483c7c075e3b5cf1a51f754694a4164a552895935cb3a51e9490c994f38aa67940f78615232794710a9144d04b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gytrju4b\gytrju4b.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gytrju4b\gytrju4b.cmdline

Filesize
301B

MD5
c48b9375abd319f257bd1a268e8f3965

SHA1
16485bc829a5728d27821679a77e0a069967c4ed

SHA256
09b9d9a273d1162941794356e7116fc6374f3d1b77cb486efdaeee9edaf59f6d

SHA512
f100d4c44fedae74e684af515fd6a5c767bc3e08dcab5476e0a3122cab8789657ac2c3524397ea5ef3c1e7b4af882a7d6d2d1a1d2c411a230dfcbc50fde960f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okkk51nf\CSC74C41B4AE88E48D190E87D7DFEC0EB3.TMP

Filesize
1KB

MD5
1d7472e5419d200ed4db9ffd0f569455

SHA1
97d9f8e88ebbb28ec33edb19e5e8300dc315dac7

SHA256
d84355c2274d78d444367570aae107b2fc1f0eaa0baf8db5f5117f769c9217b5

SHA512
964cb2af195f3127b20e8fa93d6900d28ccdf318af2bed09e2a1bb9dcfadb0c82f2000876031ad67ca997a7edaec2b202f8bd9e1353ecaeeeb1e51f8dd4f18a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okkk51nf\okkk51nf.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okkk51nf\okkk51nf.cmdline

Filesize
301B

MD5
6796af4bf5b28ca42cae43529e046eff

SHA1
872ed92c14d20369aa6ffc4ef76779e8c6b7e06e

SHA256
f748cccac17e67aa8ec1de949342fd59c9dfd1d4df4b6d5c26458d4299dbe122

SHA512
4bfb3576340b1db2bc8c428ba112b10385f17458cb3d27290b0fa442527263fda3fb777e9223f560acd6c21b3a16f1a70b42e3ff9f37019f9bc5bd54df8fcdd1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tz5a1jji\CSC594C5C247524657848ADF5C1B92C2A.TMP

Filesize
1KB

MD5
bc7db293bafbe32f6224729563e0e5dc

SHA1
eeb6da54297ec7891a114bedf87ad8c8006b26df

SHA256
f789bc77067fe7ac4c24e264cca94282da49deea1247bccb1f034ed269794b39

SHA512
b914a880bee6c21d8e69910580fe2a08d2d34212cc97788e46832ecdbe9da9e8ade893d44fe99000a6543134b312a758da21e4d602acf98b1385ef212b9736a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tz5a1jji\tz5a1jji.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tz5a1jji\tz5a1jji.cmdline

Filesize
301B

MD5
e4fe28f7bb2d48ad5d934a08f75cab08

SHA1
1518d164e39d81063a629b570424e63660507de6

SHA256
776b57374627a170c1e27b33d712f0d87c0188f6b89494baf422a847d4477b35

SHA512
f323e1beb43b37f23bce7c7a05e6aeac847afc860f4b4078d688480efeb5ff5c1abb20825f7aa645b10e9703298f8377471de477845f457c31ae9b15be5925e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\utkwgw0h\CSC6DF1CBEE984140B88F557F297C1CA5DD.TMP

Filesize
1KB

MD5
45e216c8cd6bea1266e49677f6ba1173

SHA1
ae1bab65e564d59c8cc4ba871ba89cc4730cdac5

SHA256
8d0495d8b07907e11c6355ebfeed1bf7d994138fc71e557d6734e1418ec848bb

SHA512
427c4df565c406a1ba9fee4a48e74f246e6637e8657a746970747e4915191b8c0e09d5c0487629ad1f2e16af8c82d53c40b7c5eb5a680c20e54f1e3100e78157

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\utkwgw0h\utkwgw0h.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\utkwgw0h\utkwgw0h.cmdline

Filesize
301B

MD5
d52853cd0d305a3a5ad99d782ea19d6d

SHA1
39f83505bd28cef3982f949f25bc7ea0f7afa4e1

SHA256
e6ea1e51854ac982211c611333d8f8e66233a9a8d8bb32f1e5e66fde59f95e6c

SHA512
7b00dd4b9a8380bdf98b89530161796e57fe59f1665c70948d1e0ca9fd88203c068ee58fce3cbaf4764a303656e70ad8571c26504bbcb8dfb9a2b93cc48b6003

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x35nggsy\CSCAB5B2C836C34416BC382C5D5D5BC3.TMP

Filesize
1KB

MD5
01fcedd903b6980c139baccbbb83941e

SHA1
6337f0d7c46174fd7ad73a454ffa820f1dc2a0a3

SHA256
57963dccec14c69c8c680b3575fda268f9804f4df0599b9449d16fd1471da234

SHA512
e33c26325230a7a41fa005995014e8b885147a1ddf564dbef8e8167cfeb94d76326e15745910e60eb2bb319051ed321ef1db4e4b609716652567cb7d0603663d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x35nggsy\x35nggsy.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x35nggsy\x35nggsy.cmdline

Filesize
301B

MD5
16119b87a4214a01dc68709653e821d9

SHA1
74d0abcc908a12a3e2b8eba7b1b8f712b52e92e5

SHA256
7729e2b15bbbc2d2ca2512004b8aedcaa858dbe9b8c7c674946611a6e576b66c

SHA512
9b17817ae92ca5c1d20fb6915baf49583daa1d3f43e269b9a734381000d24edf154179a55a0a082f3915dbcfe6d9427ba9ce6732180483ef59c4be0ce898f69b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\za4igzqy\CSC32DF3362734B497ABED0CF22205B3836.TMP

Filesize
1KB

MD5
18f2f2af015b36637a5e0e87c1e7ff4c

SHA1
55c6d1452fcf9b1c9faf763e1f69879e6f9abaec

SHA256
bb08f4091e8c1d98c55fe72c5f9df00bb46ea862231da669c5f312b96cec260e

SHA512
d2436f064e77047432553bf59947914452af519a31d06047ba634228aa7f023efa6de0b1e9745fa4e47224217c8d5bed3f1d0d724ea74f060568a6ee19d5555b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\za4igzqy\za4igzqy.0.cs

Filesize
598KB

MD5
945da0f7614dcffd0fedfc7d9579df3d

SHA1
f897db8046fc7578f55f2652071f7aa6be5de8fe

SHA256
09f0c0202cd9d761b50f6c2600dd962242646c79b482156d36cd4d7c38bfd064

SHA512
ff9d14ec23c269d8f91e49944bafe3de4534bb7fec546ce837d67136aa6f07b3247ccb0cb7e9b22e8f9becf8f9538f227c96e88ea6cbeda3d10b7856fa350a1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\za4igzqy\za4igzqy.cmdline

Filesize
301B

MD5
a0c913f9424916dd80edb515324f9774

SHA1
9bce11a5064f5955b3ae5e8825fa8e65193b6962

SHA256
1ea87d270dc05ea5533d8e909e9033ca80a66e07a13a695a8fa4f9dd725c2fce

SHA512
c545bfc9443ab3376d67f797f86f0643704c4d3abfa9563cf39f84c7efdfe9ba944fd0464678c7302001c74a2669db528a62cc4107d902953b63c074363dbeac

Download Submit
memory/360-139-0x0000000000000000-mapping.dmp

Download
memory/360-149-0x0000000000620000-0x000000000068A000-memory.dmp

Filesize
424KB

Download
memory/536-293-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-295-0x0000000000A40000-0x0000000000AAA000-memory.dmp

Filesize
424KB

Download
memory/780-170-0x0000000000000000-mapping.dmp

Download
memory/792-72-0x0000000000000000-mapping.dmp

Download
memory/792-202-0x0000000000000000-mapping.dmp

Download
memory/796-213-0x0000000000BF0000-0x0000000000C5A000-memory.dmp

Filesize
424KB

Download
memory/796-209-0x0000000000000000-mapping.dmp

Download
memory/824-89-0x0000000000000000-mapping.dmp

Download
memory/824-263-0x0000000000A10000-0x0000000000A7A000-memory.dmp

Filesize
424KB

Download
memory/832-196-0x0000000000000000-mapping.dmp

Download
memory/832-205-0x0000000000A70000-0x0000000000ADA000-memory.dmp

Filesize
424KB

Download
memory/848-100-0x0000000000000000-mapping.dmp

Download
memory/904-121-0x0000000000860000-0x00000000008CA000-memory.dmp

Filesize
424KB

Download
memory/904-111-0x0000000000000000-mapping.dmp

Download
memory/952-153-0x0000000000000000-mapping.dmp

Download
memory/952-163-0x0000000000980000-0x00000000009EA000-memory.dmp

Filesize
424KB

Download
memory/964-135-0x0000000000A50000-0x0000000000ABA000-memory.dmp

Filesize
424KB

Download
memory/964-75-0x0000000000000000-mapping.dmp

Download
memory/964-125-0x0000000000000000-mapping.dmp

Download
memory/972-173-0x0000000000000000-mapping.dmp

Download
memory/1060-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1060-136-0x000000000041A1F8-mapping.dmp

Download
memory/1064-142-0x0000000000000000-mapping.dmp

Download
memory/1064-195-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-193-0x000000000041A1F8-mapping.dmp

Download
memory/1080-59-0x0000000000000000-mapping.dmp

Download
memory/1112-65-0x0000000000430000-0x0000000000433000-memory.dmp

Filesize
12KB

Download
memory/1112-55-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1112-54-0x0000000001190000-0x00000000012E2000-memory.dmp

Filesize
1.3MB

Download
memory/1112-63-0x0000000000B70000-0x0000000000BDA000-memory.dmp

Filesize
424KB

Download
memory/1112-64-0x00000000005F0000-0x000000000061C000-memory.dmp

Filesize
176KB

Download
memory/1136-124-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1136-192-0x0000000000770000-0x00000000007DA000-memory.dmp

Filesize
424KB

Download
memory/1136-182-0x0000000000000000-mapping.dmp

Download
memory/1136-122-0x000000000041A1F8-mapping.dmp

Download
memory/1192-299-0x0000000000510000-0x000000000057A000-memory.dmp

Filesize
424KB

Download
memory/1236-94-0x000000000041A1F8-mapping.dmp

Download
memory/1236-96-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1260-156-0x0000000000000000-mapping.dmp

Download
memory/1260-199-0x0000000000000000-mapping.dmp

Download
memory/1296-107-0x0000000000550000-0x00000000005BA000-memory.dmp

Filesize
424KB

Download
memory/1296-97-0x0000000000000000-mapping.dmp

Download
memory/1336-297-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1400-145-0x0000000000000000-mapping.dmp

Download
memory/1432-177-0x0000000000560000-0x00000000005CA000-memory.dmp

Filesize
424KB

Download
memory/1432-167-0x0000000000000000-mapping.dmp

Download
memory/1484-56-0x0000000000000000-mapping.dmp

Download
memory/1532-128-0x0000000000000000-mapping.dmp

Download
memory/1532-212-0x0000000000000000-mapping.dmp

Download
memory/1564-103-0x0000000000000000-mapping.dmp

Download
memory/1580-79-0x00000000009F0000-0x0000000000A5A000-memory.dmp

Filesize
424KB

Download
memory/1580-69-0x0000000000000000-mapping.dmp

Download
memory/1612-159-0x0000000000000000-mapping.dmp

Download
memory/1624-188-0x0000000000000000-mapping.dmp

Download
memory/1636-164-0x000000000041A1F8-mapping.dmp

Download
memory/1636-166-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1676-208-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1676-117-0x0000000000000000-mapping.dmp

Download
memory/1676-206-0x000000000041A1F8-mapping.dmp

Download
memory/1704-108-0x000000000041A1F8-mapping.dmp

Download
memory/1704-110-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-181-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-66-0x000000000041A1F8-mapping.dmp

Download
memory/1736-185-0x0000000000000000-mapping.dmp

Download
memory/1828-83-0x0000000000000000-mapping.dmp

Download
memory/1828-93-0x0000000000B30000-0x0000000000B9A000-memory.dmp

Filesize
424KB

Download
memory/1888-211-0x0000000000000000-mapping.dmp

Download
memory/1888-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1888-80-0x000000000041A1F8-mapping.dmp

Download
memory/1916-287-0x0000000000A50000-0x0000000000ABA000-memory.dmp

Filesize
424KB

Download
memory/1964-114-0x0000000000000000-mapping.dmp

Download
memory/2016-86-0x0000000000000000-mapping.dmp

Download
memory/2024-150-0x000000000041A1F8-mapping.dmp

Download
memory/2024-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2044-131-0x0000000000000000-mapping.dmp

Download
memory/2044-178-0x000000000041A1F8-mapping.dmp

Download
memory/2044-180-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2724-301-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-248-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-246-0x000000000041A1F8-mapping.dmp

Download
memory/2800-277-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2848-251-0x0000000000BC0000-0x0000000000C2A000-memory.dmp

Filesize
424KB

Download
memory/2848-249-0x0000000000000000-mapping.dmp

Download
memory/2892-279-0x0000000000BA0000-0x0000000000C0A000-memory.dmp

Filesize
424KB

Download
memory/2912-253-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2972-305-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2996-255-0x00000000004D0000-0x000000000053A000-memory.dmp

Filesize
424KB

Download
memory/3048-257-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3132-259-0x0000000000AC0000-0x0000000000B2A000-memory.dmp

Filesize
424KB

Download
memory/3184-261-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3224-216-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3224-214-0x000000000041A1F8-mapping.dmp

Download
memory/3280-289-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3300-217-0x0000000000000000-mapping.dmp

Download
memory/3300-221-0x00000000008B0000-0x000000000091A000-memory.dmp

Filesize
424KB

Download
memory/3316-267-0x0000000000670000-0x00000000006DA000-memory.dmp

Filesize
424KB

Download
memory/3324-271-0x00000000009E0000-0x0000000000A4A000-memory.dmp

Filesize
424KB

Download
memory/3336-219-0x0000000000000000-mapping.dmp

Download
memory/3356-291-0x0000000000410000-0x000000000047A000-memory.dmp

Filesize
424KB

Download
memory/3364-220-0x0000000000000000-mapping.dmp

Download
memory/3380-222-0x000000000041A1F8-mapping.dmp

Download
memory/3380-224-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3456-229-0x00000000002E0000-0x000000000034A000-memory.dmp

Filesize
424KB

Download
memory/3456-225-0x0000000000000000-mapping.dmp

Download
memory/3484-227-0x0000000000000000-mapping.dmp

Download
memory/3500-265-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3512-228-0x0000000000000000-mapping.dmp

Download
memory/3528-232-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3528-230-0x000000000041A1F8-mapping.dmp

Download
memory/3584-269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3608-233-0x0000000000000000-mapping.dmp

Download
memory/3608-237-0x00000000004E0000-0x000000000054A000-memory.dmp

Filesize
424KB

Download
memory/3636-235-0x0000000000000000-mapping.dmp

Download
memory/3664-236-0x0000000000000000-mapping.dmp

Download
memory/3684-275-0x00000000005E0000-0x000000000064A000-memory.dmp

Filesize
424KB

Download
memory/3696-240-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3696-238-0x000000000041A1F8-mapping.dmp

Download
memory/3732-273-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3776-303-0x0000000000B70000-0x0000000000BDA000-memory.dmp

Filesize
424KB

Download
memory/3780-245-0x0000000000F70000-0x0000000000FDA000-memory.dmp

Filesize
424KB

Download
memory/3780-241-0x0000000000000000-mapping.dmp

Download
memory/3820-243-0x0000000000000000-mapping.dmp

Download
memory/3848-244-0x0000000000000000-mapping.dmp

Download
memory/3912-281-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3996-283-0x0000000000850000-0x00000000008BA000-memory.dmp

Filesize
424KB

Download
memory/4048-285-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download