43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b

Analysis

max time kernel
151s
max time network
60s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
Size

1.7MB
MD5

37ccdffe2bcf1842033c9df8d1772d0d
SHA1

1d073cd19ae7615edd5b96313c21d5798c8ae6ad
SHA256

43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b
SHA512

116091784f8577d33c69c533d7051a4bf3cada2902b579a43158a0399c885b96cf8d13c584dd72c9a4712301011919859818651de61fe3536df7327e233ee281
SSDEEP

24576:onJmNhZgIu4eqjOXgi0A/Lp9bRheopYs7IXQ/ir2Kd65T8FE+rRYg2kJZDKZM75:Dn3WLp91MoHJKSKb95d7

Score

10^/10

collection discovery persistence spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
axelle1994

Signatures

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2732-275-0x0000000000400000-0x000000000041E000-memory.dmp	MailPassView
behavioral1/memory/2732-276-0x0000000000400000-0x000000000041E000-memory.dmp	MailPassView

Nirsoft 11 IoCs

resource	yara_rule
behavioral1/memory/1796-227-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/1796-231-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/1768-238-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral1/memory/1768-244-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral1/memory/1224-247-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft
behavioral1/memory/2012-265-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2612-270-0x0000000000400000-0x000000000043D000-memory.dmp	Nirsoft
behavioral1/memory/2732-275-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2732-276-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2820-280-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/2912-282-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft

Executes dropped EXE 9 IoCs

pid	Process
996	temp.exe
1796	dialup.exe
1768	passwordfox.exe
1224	mspass.exe
2012	iepv.exe
2612	ChromePass.exe
2732	mailpv.exe
2820	produkey.exe
2912	OperaPassView.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1796-227-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1796-231-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1768-238-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1768-244-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1224-247-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/2012-248-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2012-265-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2612-270-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2732-275-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2732-276-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2820-280-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2912-282-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mailpv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My = "C:\\Users\\Admin\\AppData\\Roaming\\temp.exe"	temp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\svh0st.exe = "C:\\Users\\Admin\\AppData\\Roaming\\temp.exe"	temp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	whatismyip.com
5	whatismyip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

pid	Process
932	dw20.exe
1560	dw20.exe
1188	dw20.exe
1952	dw20.exe
1820	dw20.exe
1272	dw20.exe
928	dw20.exe
956	dw20.exe
1624	dw20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	mspass.exe
Token: SeDebugPrivilege	2012	iepv.exe
Token: SeRestorePrivilege	2012	iepv.exe
Token: SeBackupPrivilege	2012	iepv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1656	2044	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	27
PID 2044 wrote to memory of 1656	2044	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	27
PID 2044 wrote to memory of 1656	2044	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	27
PID 2044 wrote to memory of 996	2044	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	26
PID 2044 wrote to memory of 996	2044	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	26
PID 2044 wrote to memory of 996	2044	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	26
PID 1656 wrote to memory of 1416	1656	vbc.exe	29
PID 1656 wrote to memory of 1416	1656	vbc.exe	29
PID 1656 wrote to memory of 1416	1656	vbc.exe	29
PID 2044 wrote to memory of 1752	2044	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	30
PID 2044 wrote to memory of 1752	2044	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	30
PID 2044 wrote to memory of 1752	2044	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	30
PID 1752 wrote to memory of 520	1752	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	31
PID 1752 wrote to memory of 520	1752	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	31
PID 1752 wrote to memory of 520	1752	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	31
PID 1752 wrote to memory of 1560	1752	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	33
PID 1752 wrote to memory of 1560	1752	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	33
PID 1752 wrote to memory of 1560	1752	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	33
PID 520 wrote to memory of 964	520	vbc.exe	34
PID 520 wrote to memory of 964	520	vbc.exe	34
PID 520 wrote to memory of 964	520	vbc.exe	34
PID 1752 wrote to memory of 1240	1752	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	35
PID 1752 wrote to memory of 1240	1752	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	35
PID 1752 wrote to memory of 1240	1752	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	35
PID 1240 wrote to memory of 932	1240	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	36
PID 1240 wrote to memory of 932	1240	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	36
PID 1240 wrote to memory of 932	1240	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	36
PID 1240 wrote to memory of 1960	1240	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	37
PID 1240 wrote to memory of 1960	1240	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	37
PID 1240 wrote to memory of 1960	1240	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	37
PID 1960 wrote to memory of 1272	1960	vbc.exe	39
PID 1960 wrote to memory of 1272	1960	vbc.exe	39
PID 1960 wrote to memory of 1272	1960	vbc.exe	39
PID 1240 wrote to memory of 268	1240	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	40
PID 1240 wrote to memory of 268	1240	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	40
PID 1240 wrote to memory of 268	1240	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	40
PID 268 wrote to memory of 1188	268	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	41
PID 268 wrote to memory of 1188	268	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	41
PID 268 wrote to memory of 1188	268	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	41
PID 268 wrote to memory of 1480	268	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	42
PID 268 wrote to memory of 1480	268	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	42
PID 268 wrote to memory of 1480	268	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	42
PID 1480 wrote to memory of 876	1480	vbc.exe	44
PID 1480 wrote to memory of 876	1480	vbc.exe	44
PID 1480 wrote to memory of 876	1480	vbc.exe	44
PID 268 wrote to memory of 1080	268	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	45
PID 268 wrote to memory of 1080	268	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	45
PID 268 wrote to memory of 1080	268	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	45
PID 1080 wrote to memory of 1952	1080	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	46
PID 1080 wrote to memory of 1952	1080	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	46
PID 1080 wrote to memory of 1952	1080	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	46
PID 1080 wrote to memory of 1564	1080	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	47
PID 1080 wrote to memory of 1564	1080	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	47
PID 1080 wrote to memory of 1564	1080	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	47
PID 1564 wrote to memory of 1756	1564	vbc.exe	49
PID 1564 wrote to memory of 1756	1564	vbc.exe	49
PID 1564 wrote to memory of 1756	1564	vbc.exe	49
PID 1080 wrote to memory of 1784	1080	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	50
PID 1080 wrote to memory of 1784	1080	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	50
PID 1080 wrote to memory of 1784	1080	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	50
PID 1784 wrote to memory of 1820	1784	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	51
PID 1784 wrote to memory of 1820	1784	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	51
PID 1784 wrote to memory of 1820	1784	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	51
PID 1784 wrote to memory of 964	1784	43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe	52

C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
"C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Roaming\temp.exe
  "C:\Users\Admin\AppData\Roaming\temp.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\dialup.exe
    C:\Users\Admin\AppData\Local\Temp\dialup.exe /stext C:\Users\Admin\AppData\Local\Temp\data.txt
    3⤵
    - Executes dropped EXE
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
    C:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt
    3⤵
    - Executes dropped EXE
    PID:1768
- - C:\Users\Admin\AppData\Local\Temp\mspass.exe
    C:\Users\Admin\AppData\Local\Temp\mspass.exe /stext C:\Users\Admin\AppData\Local\Temp\mess.txt
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\iepv.exe
    C:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\iepv.txt
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\ChromePass.exe
    C:\Users\Admin\AppData\Local\Temp\ChromePass.exe /stext C:\Users\Admin\AppData\Local\Temp\ChromePass.txt
    3⤵
    - Executes dropped EXE
    PID:2612
- - C:\Users\Admin\AppData\Local\Temp\mailpv.exe
    C:\Users\Admin\AppData\Local\Temp\mailpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mailpv.txt
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\produkey.exe
    C:\Users\Admin\AppData\Local\Temp\produkey.exe /stext C:\Users\Admin\AppData\Local\Temp\produkey.txt
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\OperaPassView.exe
    C:\Users\Admin\AppData\Local\Temp\OperaPassView.exe /stext C:\Users\Admin\AppData\Local\Temp\OperaPassView.txt
    3⤵
    - Executes dropped EXE
    PID:2912
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyabxvbz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES590A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58CB.tmp"
    3⤵
    PID:1416
- C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
  C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n_gdke4f.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62BA.tmp"
      4⤵
      PID:964
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 428
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
    C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 428
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      PID:932
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tcybuyyc.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C4B.tmp"
        5⤵
        
        PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
      C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1188
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r6z4evil.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7570.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc756F.tmp"
        6⤵
        
        PID:876
    - - C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1952
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f0j1zhph.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DE7.tmp"
        7⤵
        
        PID:1756
      - C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        7⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1820
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x5qhwwen.cmdline"
        7⤵
        
        PID:964
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc86CD.tmp"
        8⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        7⤵
        
        PID:1440
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        8⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1272
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a-hlzc3h.cmdline"
        8⤵
        
        PID:1144
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F65.tmp"
        9⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        8⤵
        
        PID:1832
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        9⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:928
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iy8efkhj.cmdline"
        9⤵
        
        PID:428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9696.tmp"
        10⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        9⤵
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        10⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:956
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gi7ea3xn.cmdline"
        10⤵
        
        PID:1592
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FF9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FE8.tmp"
        11⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        10⤵
        
        PID:524
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        11⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1624
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jyflagqa.cmdline"
        11⤵
        
        PID:1944
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA390.tmp"
        12⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        11⤵
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        12⤵
        
        PID:1480
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ktc8mijc.cmdline"
        12⤵
        
        PID:1656
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADBF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADAE.tmp"
        13⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        12⤵
        
        PID:1076
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        13⤵
        
        PID:1612
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zy7xdazl.cmdline"
        13⤵
        
        PID:624
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB695.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB694.tmp"
        14⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        13⤵
        
        PID:1944
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        14⤵
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fyqycepe.cmdline"
        14⤵
        
        PID:632
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFE7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFE6.tmp"
        15⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        14⤵
        
        PID:1148
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        15⤵
        
        PID:1936
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4g2j0a8d.cmdline"
        15⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5B0.tmp"
        16⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        15⤵
        
        PID:1760
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        16⤵
        
        PID:1656
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hojgaqcs.cmdline"
        16⤵
        
        PID:632
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD09A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD099.tmp"
        17⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        16⤵
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        17⤵
        
        PID:536
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ozcuo2xl.cmdline"
        17⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD912.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD911.tmp"
        18⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        17⤵
        
        PID:764
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        18⤵
        
        PID:428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o4uwpe4v.cmdline"
        18⤵
        
        PID:1336
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE13D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE13C.tmp"
        19⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        18⤵
        
        PID:1616
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        19⤵
        
        PID:2032
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ojdnx962.cmdline"
        19⤵
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE810.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7FF.tmp"
        20⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        19⤵
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        20⤵
        
        PID:1588
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5efv5pdc.cmdline"
        20⤵
        
        PID:1400
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF02B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF02A.tmp"
        21⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        20⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        21⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l50wdwn6.cmdline"
        21⤵
        
        PID:2132
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF559.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF558.tmp"
        22⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        21⤵
        
        PID:2164
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        22⤵
        
        PID:2212
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\__3obavl.cmdline"
        22⤵
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7C8.tmp"
        23⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        22⤵
        
        PID:2268
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        23⤵
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dkmqqtce.cmdline"
        23⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA57.tmp"
        24⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        23⤵
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        24⤵
        
        PID:2412
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ui_spdsh.cmdline"
        24⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCC8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCC7.tmp"
        25⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        24⤵
        
        PID:2456
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        25⤵
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\go-d-am2.cmdline"
        25⤵
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF46.tmp"
        26⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        25⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        26⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\inblsr3y.cmdline"
        26⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES215.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc204.tmp"
        27⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        26⤵
        
        PID:2684
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        27⤵
        
        PID:2756
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j9dj7ih7.cmdline"
        27⤵
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BC.tmp"
        28⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        27⤵
        
        PID:2832
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        28⤵
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rb3_a84s.cmdline"
        28⤵
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87A.tmp"
        29⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        28⤵
        
        PID:2944
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        29⤵
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ydktqv5o.cmdline"
        29⤵
        
        PID:3008
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB19.tmp"
        30⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        29⤵
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        30⤵
        
        PID:2052
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mebyzdtx.cmdline"
        30⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD89.tmp"
        31⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        30⤵
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        31⤵
        
        PID:2172
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yskuuv_n.cmdline"
        31⤵
        
        PID:2228
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1019.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1009.tmp"
        32⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        31⤵
        
        PID:2244
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        32⤵
        
        PID:2128
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-rki5zz7.cmdline"
        32⤵
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES124B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc124A.tmp"
        33⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        32⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        33⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rcfk6xvm.cmdline"
        33⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15B3.tmp"
        34⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        33⤵
        
        PID:2476
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        34⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\inravmxk.cmdline"
        34⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1815.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1814.tmp"
        35⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        34⤵
        
        PID:2576
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        35⤵
        
        PID:2416
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ridpe9g8.cmdline"
        35⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A93.tmp"
        36⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        35⤵
        
        PID:2692
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        36⤵
        
        PID:2748
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ylthcizh.cmdline"
        36⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D13.tmp"
        37⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        36⤵
        
        PID:2688
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        37⤵
        
        PID:2920
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lu1ulodf.cmdline"
        37⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F93.tmp"
        38⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        37⤵
        
        PID:2988
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        38⤵
        
        PID:3048
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hri0sei0.cmdline"
        38⤵
        
        PID:2064
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2204.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2203.tmp"
        39⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        38⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        39⤵
        
        PID:2156
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-eflcgj5.cmdline"
        39⤵
        
        PID:2196
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2464.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2453.tmp"
        40⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        39⤵
        
        PID:2228
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        40⤵
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fedr9q3d.cmdline"
        40⤵
        
        PID:2356
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2703.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2702.tmp"
        41⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        40⤵
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        41⤵
        
        PID:2472
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nppmbr0a.cmdline"
        41⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2973.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2962.tmp"
        42⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        41⤵
        
        PID:2556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        42⤵
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\99bhputq.cmdline"
        42⤵
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BD3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BD2.tmp"
        43⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        42⤵
        
        PID:2600
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        43⤵
        
        PID:2796
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\it2p_rgt.cmdline"
        43⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E33.tmp"
        44⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        43⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        44⤵
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oo0s0gwy.cmdline"
        44⤵
        
        PID:2476
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3093.tmp"
        45⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        44⤵
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        45⤵
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ndewfxcj.cmdline"
        45⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3323.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3322.tmp"
        46⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        45⤵
        
        PID:576
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        46⤵
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i_v8_tuh.cmdline"
        46⤵
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3592.tmp"
        47⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        46⤵
        
        PID:2992
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        47⤵
        
        PID:2380
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ahsvv10n.cmdline"
        47⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3842.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3831.tmp"
        48⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        47⤵
        
        PID:2540
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        48⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lhqdcc52.cmdline"
        48⤵
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A91.tmp"
        49⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        48⤵
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        49⤵
        
        PID:2708
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yiwrp5yu.cmdline"
        49⤵
        
        PID:2780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D30.tmp"
        50⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        49⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        50⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ulaf9syn.cmdline"
        50⤵
        
        PID:2936
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3FB0.tmp"
        51⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        50⤵
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        51⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6wirpnkt.cmdline"
        51⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4250.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc423F.tmp"
        52⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        51⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        52⤵
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nkpza_sj.cmdline"
        52⤵
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44CE.tmp"
        53⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        52⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        53⤵
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pcqosop2.cmdline"
        53⤵
        
        PID:2332
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES476E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc475D.tmp"
        54⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        53⤵
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        54⤵
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qkekivdy.cmdline"
        54⤵
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc49DD.tmp"
        55⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        54⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        55⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8zy9mly1.cmdline"
        55⤵
        
        PID:2984
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C3E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C3D.tmp"
        56⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        55⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        56⤵
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\32fwlwme.cmdline"
        56⤵
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EAD.tmp"
        57⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        56⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        57⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nbo1xb2b.cmdline"
        57⤵
        
        PID:2476
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES513E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc513D.tmp"
        58⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        57⤵
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        58⤵
        
        PID:2436
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_xdis6sy.cmdline"
        58⤵
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES538E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc537E.tmp"
        59⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        58⤵
        
        PID:2552
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        59⤵
        
        PID:2100
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mnpp9_vw.cmdline"
        59⤵
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55FD.tmp"
        60⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        59⤵
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        60⤵
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\agtc4guy.cmdline"
        60⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES584F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc583F.tmp"
        61⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        60⤵
        
        PID:2728
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        61⤵
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a3ngbqmv.cmdline"
        61⤵
        
        PID:2932
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5ACF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5ACE.tmp"
        62⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        61⤵
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        62⤵
        
        PID:2292
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\brwsj6jo.cmdline"
        62⤵
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D1F.tmp"
        63⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        62⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        63⤵
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v-gcrqeo.cmdline"
        63⤵
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F9E.tmp"
        64⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        63⤵
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        64⤵
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-c4kmey1.cmdline"
        64⤵
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES623E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc622D.tmp"
        65⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        64⤵
        
        PID:2460
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        65⤵
        
        PID:2444
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fn9y4-2f.cmdline"
        65⤵
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64AD.tmp"
        66⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        65⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        66⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\moutoeho.cmdline"
        66⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES673D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc673C.tmp"
        67⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        66⤵
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        67⤵
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qz_wl5rj.cmdline"
        67⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc699D.tmp"
        68⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        67⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        68⤵
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gjhqvktm.cmdline"
        68⤵
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C0D.tmp"
        69⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        68⤵
        
        PID:2540
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        69⤵
        
        PID:2436
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ofozztuo.cmdline"
        69⤵
        
        PID:2476
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E8C.tmp"
        70⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        69⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        70⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpzgblsl.cmdline"
        70⤵
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71E6.tmp"
        71⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        70⤵
        
        PID:2304
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        71⤵
        
        PID:2448
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dtmt3ya8.cmdline"
        71⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc759E.tmp"
        72⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        71⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        72⤵
        
        PID:2780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h6fu5ekp.cmdline"
        72⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78E8.tmp"
        73⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        72⤵
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        73⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s-b_luvk.cmdline"
        73⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C53.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C42.tmp"
        74⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        73⤵
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        74⤵
        
        PID:2200
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\89ovm4bv.cmdline"
        74⤵
        
        PID:2156
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ED2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EC2.tmp"
        75⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        74⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        75⤵
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xqf-anno.cmdline"
        75⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8152.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8141.tmp"
        76⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        75⤵
        
        PID:2400
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        76⤵
        
        PID:2908
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r9dytiw0.cmdline"
        76⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83B1.tmp"
        77⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        76⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        77⤵
        
        PID:2984
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7m2ubhl7.cmdline"
        77⤵
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8651.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8641.tmp"
        78⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        77⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        78⤵
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mv1yp3e2.cmdline"
        78⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88B1.tmp"
        79⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        78⤵
        
        PID:1032
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        79⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aoxxamqi.cmdline"
        79⤵
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B11.tmp"
        80⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        79⤵
        
        PID:2672
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        80⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\esihqhks.cmdline"
        80⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D81.tmp"
        81⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        80⤵
        
        PID:1208
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        81⤵
        
        PID:2560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytbsx7oz.cmdline"
        81⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9021.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9020.tmp"
        82⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        81⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        82⤵
        
        PID:2152
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ahozmacq.cmdline"
        82⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9272.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9271.tmp"
        83⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        82⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        83⤵
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n7alvj5m.cmdline"
        83⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94F0.tmp"
        84⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        83⤵
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        84⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\52swx9qu.cmdline"
        84⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9752.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9751.tmp"
        85⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        84⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        85⤵
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hrqeh4vg.cmdline"
        85⤵
        
        PID:2548
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc99B1.tmp"
        86⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        85⤵
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        86⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rdkpnqt3.cmdline"
        86⤵
        
        PID:3036
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BF2.tmp"
        87⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        86⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        87⤵
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ai5id-9b.cmdline"
        87⤵
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E62.tmp"
        88⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        87⤵
        
        PID:1412
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        88⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\anzp0oc1.cmdline"
        88⤵
        
        PID:2572
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0E2.tmp"
        89⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        88⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        89⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l84hf3vo.cmdline"
        89⤵
        
        PID:1284
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA363.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA352.tmp"
        90⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        89⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        90⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2csr6lv_.cmdline"
        90⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA5C2.tmp"
        91⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        90⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        91⤵
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqqq8ss2.cmdline"
        91⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA833.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA822.tmp"
        92⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        91⤵
        
        PID:2264
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        92⤵
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c9tdsq3b.cmdline"
        92⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAB2.tmp"
        93⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        92⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        93⤵
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\icym4eyu.cmdline"
        93⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD32.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD31.tmp"
        94⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        93⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        94⤵
        
        PID:1284
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\epjet0_r.cmdline"
        94⤵
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFD0.tmp"
        95⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        94⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        95⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zf3mbijw.cmdline"
        95⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB241.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB230.tmp"
        96⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        95⤵
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        96⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyjdnmnx.cmdline"
        96⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4EE.tmp"
        97⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        96⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        97⤵
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p5wyw-_q.cmdline"
        97⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB76F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB76E.tmp"
        98⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        97⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        98⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\amh1nil-.cmdline"
        98⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9AF.tmp"
        99⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        98⤵
        
        PID:2536
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        99⤵
        
        PID:2780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bzlc1n2j.cmdline"
        99⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC6D.tmp"
        100⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        99⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        100⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4wi3zio_.cmdline"
        100⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEEE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBEED.tmp"
        101⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        100⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        101⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h4tqy2z8.cmdline"
        101⤵
        
        PID:2936
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC15E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC14D.tmp"
        102⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        101⤵
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        102⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbczud1k.cmdline"
        102⤵
        
        PID:1068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3DC.tmp"
        103⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        102⤵
        
        PID:668
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        103⤵
        
        PID:2536
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0_gefngw.cmdline"
        103⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC68C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC67B.tmp"
        104⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        103⤵
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        104⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iwrjpzqp.cmdline"
        104⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8CC.tmp"
        105⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        104⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        105⤵
        
        PID:2936
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x9gt8geu.cmdline"
        105⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB5B.tmp"
        106⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        105⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        106⤵
        
        PID:1428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\plhpd-cz.cmdline"
        106⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCDDB.tmp"
        107⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        106⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        107⤵
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3u_zlij9.cmdline"
        107⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD05B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD05A.tmp"
        108⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        107⤵
        
        PID:2548
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        108⤵
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mj0jfixq.cmdline"
        108⤵
        
        PID:2584
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2BB.tmp"
        109⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        108⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        109⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lkph-odg.cmdline"
        109⤵
        
        PID:1408
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD53B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD53A.tmp"
        110⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        109⤵
        
        PID:2560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        110⤵
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ycoqobur.cmdline"
        110⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD77D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD77C.tmp"
        111⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        110⤵
        
        PID:2780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        111⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hq4atioj.cmdline"
        111⤵
        
        PID:2984
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9AD.tmp"
        112⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        111⤵
        
        PID:2536
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        112⤵
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1vsxpdax.cmdline"
        112⤵
        
        PID:1412
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC0F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBFE.tmp"
        113⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        112⤵
        
        PID:1428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        113⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9t-a5iol.cmdline"
        113⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE6E.tmp"
        114⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        113⤵
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        114⤵
        
        PID:1068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\udtooilx.cmdline"
        114⤵
        
        PID:2936
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0BF.tmp"
        115⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        114⤵
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        115⤵
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hrw7hc6l.cmdline"
        115⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE301.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE300.tmp"
        116⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        115⤵
        
        PID:1208
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        116⤵
        
        PID:1948
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nonw1l32.cmdline"
        116⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE571.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE560.tmp"
        117⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        116⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        117⤵
        
        PID:976
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyb8lrgo.cmdline"
        117⤵
        
        PID:1428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7D0.tmp"
        118⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        117⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        118⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pobzigwe.cmdline"
        118⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA7F.tmp"
        119⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        118⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        119⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rojegb6p.cmdline"
        119⤵
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED4C.tmp"
        120⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        119⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        120⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fcpuohr4.cmdline"
        120⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFBC.tmp"
        121⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        120⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        121⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fbtvkbc2.cmdline"
        121⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF23D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF23C.tmp"
        122⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        121⤵
        
        PID:2780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        122⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sca6vklo.cmdline"
        122⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4CB.tmp"
        123⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        122⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        123⤵
        
        PID:2984
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dsnczyyq.cmdline"
        123⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF76B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF74B.tmp"
        124⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        123⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        124⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oitofufx.cmdline"
        124⤵
        
        PID:1068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9BB.tmp"
        125⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        124⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        125⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\myuccitb.cmdline"
        125⤵
        
        PID:1412
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC3A.tmp"
        126⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        125⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        126⤵
        
        PID:1412
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mw7hm3sz.cmdline"
        126⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF28.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF18.tmp"
        127⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        126⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        127⤵
        
        PID:2548
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t8dgdi8k.cmdline"
        127⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES198.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc197.tmp"
        128⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        127⤵
        
        PID:976
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        128⤵
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0imufqnb.cmdline"
        128⤵
        
        PID:560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES418.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc417.tmp"
        129⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        128⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        129⤵
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cscgjvkq.cmdline"
        129⤵
        
        PID:2560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES698.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc687.tmp"
        130⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        129⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        130⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fculoeeg.cmdline"
        130⤵
        
        PID:2548
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E7.tmp"
        131⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        130⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        131⤵
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kestnkw3.cmdline"
        131⤵
        
        PID:1232
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB86.tmp"
        132⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        131⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        132⤵
        
        PID:988
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uk_xlzbe.cmdline"
        132⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE7.tmp"
        133⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        132⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        133⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qejvd5vy.cmdline"
        133⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1067.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1066.tmp"
        134⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        133⤵
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        134⤵
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kp1wfxvg.cmdline"
        134⤵
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12D6.tmp"
        135⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        134⤵
        
        PID:560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        135⤵
        
        PID:976
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k1kqap1l.cmdline"
        135⤵
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1576.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1565.tmp"
        136⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        135⤵
        
        PID:1232
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        136⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\za7yrdac.cmdline"
        136⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17D5.tmp"
        137⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        136⤵
        
        PID:1396
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        137⤵
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yymozqzw.cmdline"
        137⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A55.tmp"
        138⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        137⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        138⤵
        
        PID:560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tpgpxe9u.cmdline"
        138⤵
        
        PID:1412
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CE5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CD5.tmp"
        139⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        138⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        139⤵
        
        PID:2452
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iralg2bi.cmdline"
        139⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F65.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F54.tmp"
        140⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        139⤵
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        140⤵
        
        PID:3152
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nusjd4mt.cmdline"
        140⤵
        
        PID:3172
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21D4.tmp"
        141⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        140⤵
        
        PID:3208
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        141⤵
        
        PID:3256
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p0izkiri.cmdline"
        141⤵
        
        PID:3268
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2474.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2463.tmp"
        142⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        141⤵
        
        PID:3300
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        142⤵
        
        PID:3352
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a8np0piv.cmdline"
        142⤵
        
        PID:3376
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26D3.tmp"
        143⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        142⤵
        
        PID:3408
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        143⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aas2bkvj.cmdline"
        143⤵
        
        PID:3472
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2954.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2943.tmp"
        144⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        143⤵
        
        PID:3504
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        144⤵
        
        PID:3556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ohqkyvwa.cmdline"
        144⤵
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BD2.tmp"
        145⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        144⤵
        
        PID:3600
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        145⤵
        
        PID:3648
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n7siwjba.cmdline"
        145⤵
        
        PID:3660
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E62.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E61.tmp"
        146⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        145⤵
        
        PID:3692
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        146⤵
        
        PID:3744
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hcrpcajv.cmdline"
        146⤵
        
        PID:3756
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30B2.tmp"
        147⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        146⤵
        
        PID:3788
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        147⤵
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yth7_reu.cmdline"
        147⤵
        
        PID:3848
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3323.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3322.tmp"
        148⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        147⤵
        
        PID:3880
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        148⤵
        
        PID:3928
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\icfj4ale.cmdline"
        148⤵
        
        PID:3940
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3620.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc360F.tmp"
        149⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        148⤵
        
        PID:3972
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        149⤵
        
        PID:4020
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m3tv6chr.cmdline"
        149⤵
        
        PID:4032
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3861.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3850.tmp"
        150⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        149⤵
        
        PID:4064
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        150⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jvshwuio.cmdline"
        150⤵
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AA1.tmp"
        151⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        150⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        151⤵
        
        PID:3172
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\isn9th7n.cmdline"
        151⤵
        
        PID:2932
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3CF2.tmp"
        152⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        151⤵
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        152⤵
        
        PID:3320
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wa0rm1rd.cmdline"
        152⤵
        
        PID:3240
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F23.tmp"
        153⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        152⤵
        
        PID:3388
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        153⤵
        
        PID:3416
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h65u5x3j.cmdline"
        153⤵
        
        PID:3448
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4156.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4155.tmp"
        154⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        153⤵
        
        PID:3480
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        154⤵
        
        PID:3520
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zurdrjz4.cmdline"
        154⤵
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4396.tmp"
        155⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        154⤵
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        155⤵
        
        PID:3684
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\otog3zse.cmdline"
        155⤵
        
        PID:3408
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4626.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4625.tmp"
        156⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        155⤵
        
        PID:3720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        156⤵
        
        PID:3780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ltqrjy1u.cmdline"
        156⤵
        
        PID:3812
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4913.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4903.tmp"
        157⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        156⤵
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        157⤵
        
        PID:3848
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f2i72om_.cmdline"
        157⤵
        
        PID:3644
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C6C.tmp"
        158⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        157⤵
        
        PID:3888
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        158⤵
        
        PID:3968
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9gawwhit.cmdline"
        158⤵
        
        PID:3944
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FB7.tmp"
        159⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        158⤵
        
        PID:3884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        159⤵
        
        PID:4060
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-iv5pulw.cmdline"
        159⤵
        
        PID:4036
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5218.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5217.tmp"
        160⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        159⤵
        
        PID:4072
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        160⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\igdgr0gv.cmdline"
        160⤵
        
        PID:3080
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5459.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5458.tmp"
        161⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        160⤵
        
        PID:3936
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        161⤵
        
        PID:560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bc--yuod.cmdline"
        161⤵
        
        PID:3288
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5717.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5707.tmp"
        162⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        161⤵
        
        PID:4016
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        162⤵
        
        PID:3340
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uj-yglma.cmdline"
        162⤵
        
        PID:3280
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5987.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5977.tmp"
        163⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        162⤵
        
        PID:1220
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        163⤵
        
        PID:3448
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1hu04nba.cmdline"
        163⤵
        
        PID:3532
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BE7.tmp"
        164⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        163⤵
        
        PID:3404
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        164⤵
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j5tflgz4.cmdline"
        164⤵
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E47.tmp"
        165⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        164⤵
        
        PID:3236
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        165⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0fa8dp77.cmdline"
        165⤵
        
        PID:3624
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60B7.tmp"
        166⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        165⤵
        
        PID:3796
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        166⤵
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tgclryio.cmdline"
        166⤵
        
        PID:3504
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6309.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6308.tmp"
        167⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        166⤵
        
        PID:3468
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        167⤵
        
        PID:3916
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\avuftbyd.cmdline"
        167⤵
        
        PID:3860
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6588.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6578.tmp"
        168⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        167⤵
        
        PID:3948
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        168⤵
        
        PID:3992
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tif9hqhz.cmdline"
        168⤵
        
        PID:3788
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67D8.tmp"
        169⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        168⤵
        
        PID:4004
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        169⤵
        
        PID:3984
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7a8bziqe.cmdline"
        169⤵
        
        PID:3832
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A58.tmp"
        170⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        169⤵
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        170⤵
        
        PID:3928
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ra4fhrro.cmdline"
        170⤵
        
        PID:3216
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CD7.tmp"
        171⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        170⤵
        
        PID:3140
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        171⤵
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\znyt9rse.cmdline"
        171⤵
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F57.tmp"
        172⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        171⤵
        
        PID:3200
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        172⤵
        
        PID:3476
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wj151bpr.cmdline"
        172⤵
        
        PID:3208
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71B7.tmp"
        173⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        172⤵
        
        PID:976
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        173⤵
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6q3oje5t.cmdline"
        173⤵
        
        PID:3540
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7428.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7418.tmp"
        174⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        173⤵
        
        PID:3660
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        174⤵
        
        PID:3464
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2tlwyj2b.cmdline"
        174⤵
        
        PID:3620
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7689.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7678.tmp"
        175⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        174⤵
        
        PID:3808
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        175⤵
        
        PID:3492
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3d1gbtsk.cmdline"
        175⤵
        
        PID:3724
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7909.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78F8.tmp"
        176⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        175⤵
        
        PID:3560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        176⤵
        
        PID:3692
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\igx0fs6d.cmdline"
        176⤵
        
        PID:3860
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B87.tmp"
        177⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        176⤵
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        177⤵
        
        PID:3840
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qwhke5mr.cmdline"
        177⤵
        
        PID:4044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DE8.tmp"
        178⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        177⤵
        
        PID:3732
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        178⤵
        
        PID:3832
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkrdvpbo.cmdline"
        178⤵
        
        PID:3468
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8039.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8029.tmp"
        179⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        178⤵
        
        PID:4084
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        179⤵
        
        PID:3136
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4hbqbncc.cmdline"
        179⤵
        
        PID:3992
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82A8.tmp"
        180⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        179⤵
        
        PID:3096
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        180⤵
        
        PID:3376
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hpj4hmhe.cmdline"
        180⤵
        
        PID:3396
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8519.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8518.tmp"
        181⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        180⤵
        
        PID:3304
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        181⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xv6krfzr.cmdline"
        181⤵
        
        PID:3488
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87D6.tmp"
        182⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        
        C:\Users\Admin\AppData\Local\Temp\43d38bb267024afd61fd790da273dc78fdc175be2d14b4cca577db0a12fcf73b.exe
        181⤵
        
        PID:1788
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        182⤵
        
        PID:3672
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbeig5l9.cmdline"
        182⤵
        
        PID:3584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES590A.tmp

Filesize
1KB

MD5
f2c7c4dba8bd703edac6b795477fc4b7

SHA1
312bf145f090a1da2797e9c834a4af23d71929c6

SHA256
d030d9a13544d8a9bd2a53a271097590c879c3214c0ffaeb25eb4d68e6f7db50

SHA512
3e9a1e71bec4b8b34c4f648b25de1b2419a1eef50ec607ec53614c7d29e1db61ad5e89e5d5f574229459804830b89ff12daec67a6d39326b7289cf8f4c7fb2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62EA.tmp

Filesize
1KB

MD5
744a0b94fb66711b8d30105a6b342d2e

SHA1
b0f2921d651b201a22e0b3352d43c462f283088c

SHA256
d284f1d58e0a5a2d2da3d1c81beb7d3e71c40738bb32d0cc8ab4e26a5e84e07a

SHA512
3e4bc56d0ade67cbd267a52888d15923a251a51c7362316feb46f8ba18d72ea461c68f40d90b5cd6882593c74504cb1490702d4843ea8639a515431186ac25c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6C4C.tmp

Filesize
1KB

MD5
7c345abf359d2e266d1017ba7eb63ee6

SHA1
82a15e276fefabc5ef3d0bc3ac3ec2f95ee5eb5d

SHA256
712fc79d8cc586f69785e299cfc94a7db9c93726e867d37fcdaabd52f6015d7a

SHA512
56385b4e6232409d8d8069edf78649c47f9def180da0f50d68d9fc81db8da91b9a56cc7980cfc8f47416aa7e846a653a5231776029a9b1bd80aa59f10182f3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7570.tmp

Filesize
1KB

MD5
06afeaf6d7d639679b5d7a2b8576783b

SHA1
815301f3b24f8512c6308e28ae70de50629ec3db

SHA256
a47edd3f67c02821175865bee1e49f07b4dfdd0c8300388a0a51d439b1f5ea90

SHA512
6284e080e17797bee3cc7d8ee2bc56774b6339ee2232a491dbf8efa17e5539e213700905ae9afd71eb0bac8d7d4016736c3d7b6105d67193d834107f087e8116

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7DE8.tmp

Filesize
1KB

MD5
2c0a1c71ea09d98a761cce479326c5fd

SHA1
9505de4905161ffa0261376138aabf2834bd9ed3

SHA256
e8fc727e5f6cd5775c64253e30953fdc719c632c55d94a5bfbc5a098bb309eba

SHA512
85d38feb5c11bac10b327367d4115907ca5f8bcbe677671d9b92742a522e7f0101e60c2e7c0b19f1253f65f8b62d5ee13f124a6d3aab8da2dd50c2a075dfe342

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86DE.tmp

Filesize
1KB

MD5
a653e7ad0d6ac1857b7d8c3a2f303892

SHA1
ee793cd9d013b93f1be141b3bc1e24dfe0b5dce2

SHA256
8d7f2d391b6f146e545750348bcfa0cdc9076f382241e88801ed2b1021202ae2

SHA512
c89b55b768bd11e4a970dcdf568f123505dd325534f99bc785f12ad06825f54b6ec9f6b618b4966b6f3f3fd5e94b9700f39b11f4ee635e052b0d2a2ad621f035

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F66.tmp

Filesize
1KB

MD5
402418b21f6530c01b20de0e0d41b5f5

SHA1
270a16b3f7b9edc7bcfa2da16b425f621b109377

SHA256
6582ccf90a9276825c3dfd8758523c0d7a3065cbc9277fb79b8b9a9ed9baaeeb

SHA512
02c1dd775e095deb60feaf1d9cb67fbac81a380b120d1b04fe4397b04ddce069ef0a4cf4c6c3ffd654fc4c36e3541838bd63792e1ae604b77e323f84e96e810a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES96A6.tmp

Filesize
1KB

MD5
abfdfde5fd87ae03c4ad5b5017010821

SHA1
e66adef75fdfc8ab8d13d5e119bad8736513e16b

SHA256
f75c16a0575bc6a6013f5ef9b8cb75a89a15ec3b361c332682957aa4cfa21cbc

SHA512
32f6792bdc9dbbd3059953663f2c6321dc7cbf3d8cd72e17c94b67593b42883a1aa01ea82b626ad60d851b875d525f4888ab5e065e5cbd16d95500563c7162da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FF9.tmp

Filesize
1KB

MD5
11540b7f2d0f778a9c0669a9a5f7e599

SHA1
e433a1ac745281068fcce309731ce12220342870

SHA256
e587152e4ac54e42000f68e6582dff111d7585a6a6a1d6d8e101b771e545012d

SHA512
b108d3b4df70355709d737ec695122783d11f096d7f3efb8e9bf9431218494b35b85d23afc543d08edd53b17c75d2eb36fb23981a84008c4a59d02052755e220

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3A1.tmp

Filesize
1KB

MD5
b620be99907861ffde34f473d2d6ea87

SHA1
78b6c41771a311aef9792436bd977ea820b2bde4

SHA256
429faf5c240628181e5427794dc96a203f8e1e6735fc1cc4429ebd7305270785

SHA512
cd1e730ae6b34380412c0b2b4f0ff61dee9efb5bc8e13c881a66a4c4c4badc2439fd577a9b136b4a24441ee7ca0a2bd97f4e91cc1e64eea7b3b7b96014cfe00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADBF.tmp

Filesize
1KB

MD5
573edd4372d957c6c17b50edef8a8dff

SHA1
4a53ca61af37616b7d1b54b5cea435d0c7e6c814

SHA256
ba3bb797bde53a91987ebbb63148024b29eae1155cdf49f0562bf68efaccf506

SHA512
d31cdebe0b98bb0f5867ba9de73d37e0b04dcbcf2dfa12fdeca216a91bb2c6d5cf466ee5c72c2eca966cca1a6f21c7c8038a3ca44193a900417b8c5fcd545147

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB695.tmp

Filesize
1KB

MD5
239b6c2a4b754d4927697ce3b3191a0a

SHA1
24c1b927de477ceee899c4359a3c4144c2064229

SHA256
6462f901a23f8a442e805378f320963e8a7946b3f7f6a6c0d511fbed4f9a0979

SHA512
457fa64a7d924acf5af562cc6b23660212e2eedca0c45bb406ee103fa1e7481b1bf5d587843f73c5b7f0b4c1e2527a0a34e202f9aeaf741ae9f875f003c6a585

Download Submit
C:\Users\Admin\AppData\Local\Temp\a-hlzc3h.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a-hlzc3h.cmdline

Filesize
138B

MD5
ced47962d213bfb5c6cb455398b621c3

SHA1
338d4502367198151010d4ea87834b3603f02bb9

SHA256
0e14145a3adfc4b88a5af2a906f4ed1220c22df0a0e21e786fd5d3fffe0d1aaa

SHA512
ee4a516d6f080034aa318ff5cbd069f8994da0f0a7eb84a146074b8675ab0521424e8225635398db4fcd8a1a8b1346927f24e79fb90365dded5f8998c5af575b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a-hlzc3h.dll

Filesize
1.5MB

MD5
5ff46470c6d442cf56758173967dc177

SHA1
b4656ae4e14d0a23512b20bc89d23c8093b31930

SHA256
f78d97da9fd9a657fd62fae3e8e3c47411fe5fecbc72552f26de934436f6f670

SHA512
b1dc25893f419e223225636f0b0bd5a82f402c8784d2835b98e7e7fd6342db576311baa9be80ba87662088c2d4fb422166b94e27c55865c8ad1ba7eaabe0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0j1zhph.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0j1zhph.cmdline

Filesize
138B

MD5
54909490c353a5db79ff90e14e5b94b3

SHA1
872db786e4faade009e29a3ad7efae33a64c88f1

SHA256
381372d826f8d18f405b9f02470b2047c1152f990aa6c192d3dc1c8eb9f08f9a

SHA512
05b61395c32f79d1837a08e786d4eaaa371789d0a8bddda8023dcb25ab8aa11eee914371d74ba0398bad7b10464d2b4eb49ecbb02a4be6d7a903446c8fb98be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0j1zhph.dll

Filesize
1.5MB

MD5
17f07ac24e861ab8bde6468eb2914a35

SHA1
9d9033a49a15082452b9369f0fd4c98f7dd462e5

SHA256
4b77bfe29553f4289e52d076e9efa4e5aa760b7ac8c6c9186efb4e72dc86ca1a

SHA512
3fc0d070ea391e2bd9e2ce140613ffb31b439ef5c25f0b05998e974f58d4a68ba1df83d31f104e16d97fb39464b42d65bd426167cf4ef8b53a983cc2951da063

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyqycepe.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyqycepe.cmdline

Filesize
138B

MD5
6fae8f05c441d3ee9e32a14396fc7a59

SHA1
5afe3e6afc144ae561d6c251868ad40433478ead

SHA256
05343e1342a0581fe5d0201c5af55d74d949e164725d693e81fba6da73483325

SHA512
cef273262eb8711a34741ec69b0d2325e67b3b05ff50d39c5ef74ddd17632be997bbd2767229b7c19623502febd65a4b4c4660fb95c51ea89314e6a427ffa94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gi7ea3xn.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gi7ea3xn.cmdline

Filesize
138B

MD5
f619679ee43d005f64fd61f0fe89dcd7

SHA1
c2ed46ac16226005ef5f4d963ea3310f00d9c5c2

SHA256
51ab600acc113d887f18c888d3258868b2ed2712292234df398f4559edfcc7cf

SHA512
734154ec86b09bd93f73bd418934bc4a9c57d5f352b616685965eca8c4f3f10570387b685f37e4d9b305e0059b60049632c8c95fad899e116c6a0340d4111d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\gi7ea3xn.dll

Filesize
1.5MB

MD5
dd157f8515746225404aa51e587cd20a

SHA1
9909533b4a934e44bdb8c5dc055f03636b4b45b1

SHA256
e1803360804e040e916971d91c70ac0cf929134f526827ef82bb9423e2102bf9

SHA512
4d894887163ff7979ba3fa3db58c172ae6e555498f5d91c27d0ae2ec4e44b945cd549498fc32f6e8f9248801f39e8b2b01032c78c9e880924a7df510c6786122

Download Submit
C:\Users\Admin\AppData\Local\Temp\iy8efkhj.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iy8efkhj.cmdline

Filesize
138B

MD5
d0f43148f012871bfffb8c79e928b98d

SHA1
c9438b9854a7ca6d6eff68ee1407c69fd3be78b0

SHA256
b3f8624107bb1cec46b63c1cdd4db641d88fdf577d10e87309f483f0f836ee0f

SHA512
912b0ca102dac2c0161670741d6240036de0fcb1e7b227fad5f2ff3f0ef527eb98315aff1990c71c4d0b0c34735b216db849dcbfaba3ec3f18776f29cf43bc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iy8efkhj.dll

Filesize
1.5MB

MD5
fa8fedbcb494df8129d2149a5c8659b9

SHA1
b9bd8a6a1ff3b40e40ab4b72e7c97a4a312ab827

SHA256
113532bcbb317817eee626b563f90841c1bc27d14e13b1421a13d16490babe3c

SHA512
fa39917281fd306ef793057f2c061e3d51e2f3de75ceb8a8298f3f9f2a7dda87eed413be04457d07acd133c11bbee87ba66ff5fa2c73cb4b8c6f70eb01676fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyflagqa.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyflagqa.cmdline

Filesize
138B

MD5
b60dace4f07ae828a41ad30a6e88144f

SHA1
00452fcd5c6f3d56e2c852446c9ab33fed5063e9

SHA256
b4edb823c07599437f46e85edfda1a7892463026603004752a4a8b6ed6d6246a

SHA512
e18492c8ea84b1a6fc21bbb8a972e5bb404f1868069671dda37ef87cfe786fe4c248791ac837cec6fadeb57c802ddcaa97c1c30e45e00c7d26b06d285c91f2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyflagqa.dll

Filesize
1.5MB

MD5
623ec72ef3c0c6491b8305af4f775f0a

SHA1
d0793c6557880687c2ac37a09b632b6bd43ac628

SHA256
e9f061e0efacaf5cbfc802a339f260651133dfbda295d1b25b65d6efef6be34f

SHA512
3f1377e596ba4f59c1027544eee1309378806cc0011bb6cadf9e8ec2466c4676f773eafbc3288905088fa2c07370ac926c1ec193dfc0e424caedad3cd7bda731

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktc8mijc.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktc8mijc.cmdline

Filesize
138B

MD5
84bc5027f1a9527e941819b7df3e64e3

SHA1
06be211da28d29c89048b40041d27b4ed5d0611d

SHA256
2933b960eff974586808892d071262eaf552370ae48e65bef9021c58c3973223

SHA512
306edf1554362eae3851359c4b0380a1aa64b50ca8c12775213a14ba69be68993c53ef2531902bb532fd99fe230333972294c3d77cc43462de544a1a595b7f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktc8mijc.dll

Filesize
1.5MB

MD5
e153c4af3a1796bcd0b9ab21a60ec773

SHA1
727dcc49476721c0acb1ed4457e1f1e00f9f3d17

SHA256
b7840ddfacd567ad3bc96f56a5ff5126a29734683d5f3494699939c5a8df7d13

SHA512
6e20000191bbac93ba440e54a6d046de55b014cfa6eadfaa04473506f75365ec5ad7eed06e4eb1c4751886fce7f012b40bb6c4bf226d210e8a0edad361d01838

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyabxvbz.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyabxvbz.cmdline

Filesize
138B

MD5
474bf61267399093ea98d7120217cd90

SHA1
3d6e0e0cb337f11797d716ba6f21504e695ee862

SHA256
bee1007428eeaa0fffe732bf6041c47dd700b523bd3c393f6c6b60cb5dcb8036

SHA512
6b9eb07cba7e301d3686179ec2a8f9278a7bcbda54cb2009c8a8b7906c06c33a6e5194c4f1a8355ababa13564b650baab61e7b331ad78fa857aba80f077983d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyabxvbz.dll

Filesize
1.5MB

MD5
5d5d746e82c8c143fc542a3f85aa1aaa

SHA1
87c72e4fb90be8c3f2655ed004a8ee7d822b4f2c

SHA256
ee60c458c979e05595847c53fc4fd0af758238a886de03bae5833734ae838e82

SHA512
c076c264d7d1de2e882a1575f7f781c5f3e77a006f7798e3d0a72931c27fc2e0682f750581084b987fc8db9408eae7247079dd38f01c57e8357ccaf268665402

Download Submit
C:\Users\Admin\AppData\Local\Temp\n_gdke4f.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\n_gdke4f.cmdline

Filesize
138B

MD5
78dae8cf37cc5dfe91a629f63aa702ad

SHA1
91338ebe7443247a444b6d0070ea8abeb020aee5

SHA256
a6ee31b61e89184b016ea957e1595b66e9d628f846ffd606626abe89bfc88d91

SHA512
78806da71efd1b3c59fc6c75a8ed8e1712240886da5cfb460b7ee827d14bee47a2b53d9f2e57e0cea5372755bdd7b38a012c1b92bbab69a6e2371e5bdbe761a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\n_gdke4f.dll

Filesize
1.5MB

MD5
d2bf4e686c6554b97b5e39fd42772ce9

SHA1
b82e554929ca8975278e4199cab8e6b329be804c

SHA256
e7a654bf7dce80aeaee2ce2e8221ad086703d909293d1a1bb61a69af90c04c8a

SHA512
cb6e7995b887433f687c3f739a563b8fa601bb2332aadb3cde14e7245579c6da82510efa9adde0aa548d456cf148f26f6cc327c0ceb2c32dd02d4518f5148168

Download Submit
C:\Users\Admin\AppData\Local\Temp\r6z4evil.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\r6z4evil.cmdline

Filesize
138B

MD5
bab460e39f00b34f46b44508757db6a0

SHA1
faa6902d50bc42580628ba2fc4a1ef9aec38fcef

SHA256
65328df2466759753379fa4d94d00e4a5950e5263dab2f1f7d9217adc0b212d3

SHA512
d71d40fb32916df40ba7ebf056774dccca7c75af2ef94b817d36e43b3c36b046145a3c0cbda968f36c91060998e0ff8d917371c20e67a7d78897dcd010e0edb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\r6z4evil.dll

Filesize
1.5MB

MD5
3b47107f0cc448dd36f67639897fbd20

SHA1
c28dcc5dd02e3432f4687edcb8291afc8b27751f

SHA256
75601a39d2f0914e60fc02a5f36eb2fa5f679457135d139a68e460903d30956b

SHA512
4658e876ba78915212c9ca5a3804586c4c7839aabf52356cb08d47a3a8db986ea96e2b06e4e7c8c7964945a713264902701c9ba777ba7d388d0caae0ce7bf446

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcybuyyc.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcybuyyc.cmdline

Filesize
138B

MD5
1146b8cd1ee70d13c97c102e31e55379

SHA1
dc52c0d106a46b77be885cddb0b72a7a30962fc2

SHA256
782a41b7069450cccfae6e4d84562ee62eb8cc4c073964b74e697bc9d57d3642

SHA512
f718b49171a77166e8a727759bed41e7a87da64b77256ffc073ffe05c77e6decd27c80b5d80d58131fdc4406cd935e29349b100248e61404223561bfaa46d2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcybuyyc.dll

Filesize
1.5MB

MD5
6c74992969b98731053d06d0b170912e

SHA1
821c204519bbf4595e2333c26c3ebeaed6a5bd32

SHA256
a114b15bda87919d035aa9382f7e85499969b1ffcf3c3130b803485c637396a3

SHA512
2d3e509ce815d39faec27e4cbf267d7cf11d8ac49ecea67fad39bd92a00024ace191f048e0dd05fd77ba468a17d312bd9064221797789fa62dcbf29b5c85e8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc58CB.tmp

Filesize
652B

MD5
e8df0db8cf5189bae90eb40f78932ea1

SHA1
6bab73e85a84b9ebc1a063b0dd49870bb8db3ba6

SHA256
e5fa0376b2a3ff44cdf3142a87858a7c94359c13d8191a24299cd7ec80685a6c

SHA512
9c15c109e4fa9fedd8b53610cffea0b597a05a17e4eb7841c9cc17569043d066ad08ed38c71aff933e5192e241df71448ff3ebb5df27362ffc8428893847b7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc62BA.tmp

Filesize
652B

MD5
3b09e3f4efb4f5015f2241cc4a5110fe

SHA1
9ade050a9f94ce8d030145c5f80dc07e85d41a76

SHA256
c6db027132fe5fb4ea7aeb9bbb23fb1774ea0797bdd305308f1e62f639d69320

SHA512
61a1f9598d25ba946e39491e234bec332d48f08c7c64bd4642342b2d7085225645a7b60e71ac3032abe34849e617616c02c852ca1983f22ae97318709ddc28f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6C4B.tmp

Filesize
652B

MD5
1166e142c57b200c184c0fe403eee1a8

SHA1
b4e9bc59d34246dc9a09977ff84a710e68980642

SHA256
1154d866072c21c83a460a46a26e3c4477bed1f70c7f1bb20de1e0bcee7ff80d

SHA512
3b202fb7af112dd663ef3e25c946bde7204ac41b21ed921abe0d2b159a2208dba654667695e435c48646e5d4cbdfe267b643bba15ca42c8eb3892916a306996e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc756F.tmp

Filesize
652B

MD5
f95ca8fbd646e75f71e9e57a4728042e

SHA1
27ed1d9acb65c8b88717767e5f95e39685a25015

SHA256
0a8001ca2d179419b1b288dff99002f475cb6ec0883b14ead03c4a3330174ded

SHA512
d563b30cda4c9af70f34cefed1df1ee7bc9e417485fd863b5f14c66f7b0a1feeb6e8678ee978b5750ed142c93e4b665810a85256e50ac3e9d3cc33c792bd5c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DE7.tmp

Filesize
652B

MD5
cf78e4abd11d9ac1b60b96716aa2269b

SHA1
388dbbbf4bb5b41f61ab457af088ebed5be41057

SHA256
2e43aee77e1b37a01441b2caf6c0332756aeefcbbb3a9f8ddde073a7985b0fad

SHA512
855578d9b4a36cf22cd4466572a9fdb0c7e4b75fd862531c359f7b6d5dc733cdd0a18b089309a1bf7ed15c00a41dbf9504c086b1e75f5de7a22f2b91420dba83

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc86CD.tmp

Filesize
652B

MD5
7e5d203a1402036642c64257d5770100

SHA1
3dfa2b8bd8ed92001b8d51c7c806df7c888f5b5b

SHA256
1186783d74567e9cd4f986cdb88302b419df22649abe0d3ea359ac50474df03b

SHA512
def6f1bce5329f7e6b5b828e591ade565bc4840eb02dc4fcf59fe89aa07e6ec5176a9b91f17195f524770f74478d56782c2e415cc9be6015f96c4d4676302813

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8F65.tmp

Filesize
652B

MD5
0f0f252a1489e6292ff690718ea3bc1f

SHA1
99399485922b352f397da400a2920b664b482403

SHA256
e83feac21acd30f73632643a3c615770aa819ebf2212c28ed1ab8d4854cafbb1

SHA512
1a9719acfa6e657357762e7d2c9f29d32e5cad3a3dc531c0700912422cc5d3e5f8a35f3efbae85862b86d80c8870b94671e7812a4c2df88c0b0d9e030ce2a938

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9696.tmp

Filesize
652B

MD5
4ace7e22f946622a41d8daf0a1d254c5

SHA1
0e91ca2b00eb10dc5810c3d0804d7ec096348ec6

SHA256
014f0d401235241f333c926303019ec37feebe437b7b19763cb0f00000c95b56

SHA512
59c339423fed847ff87e3093636c88b96efe430a1ad7b8702b188ab8703f36b1d29372d8e7be614684eba0e3ca6ea9f41e198480f8d2233ec391ebc00ba86d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9FE8.tmp

Filesize
652B

MD5
30e44cb20005906b5621a116436e9bee

SHA1
b0cac71d18a2548325cc994c8a71a1f710bd263a

SHA256
98a939281c0a599320977a4fe427817f4b2b17afaae111a40d27f2198f2e9cb4

SHA512
b9b3133539defd18c05e3b4f03a917b94db7c3e062eefa957d001b3b19e7924ccd1df57e25198465178439652d53a9c22e04165acb3800fcaaa3a92ba62fe9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA390.tmp

Filesize
652B

MD5
a2657de576a22e9628ba379fe8244d4a

SHA1
3bf23c1b3b33191cebdfd55f61e3b2daa70fce84

SHA256
cb97547590d81cbac3e419ed06bf5ad2c64ce571b8da777c3cb325418e1a2de1

SHA512
d653b28874526f3d91cc64124e77b60aeceff45c9fffec27c1a09fdbeb8b7445d11534a5c544841ba30464b539a966b5a24ab3d5419aae577c0b708c5e89d5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcADAE.tmp

Filesize
652B

MD5
58530e31bc1db6798ea4b20bc9287121

SHA1
2c2366a2c6ca9cf025a69cc648917af81208561f

SHA256
65180b375787418ae863d1b51164bc26aa6b5db36b0011b9004920c97a433ec6

SHA512
8175cba620d786f5c45ae73e598bfce38f7d694302a1d88976788e585ba36d464e9f46ff4c22dda7c64686e91ae139b990a5670787fab389d49f3f95fe990fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB694.tmp

Filesize
652B

MD5
bde14bd504076304c0653f831b7c7bba

SHA1
fc064f000f28deba53f0fdee1ce3f0c034fb3589

SHA256
cfad95fdd2970c8fbbe850eaaa5f37dd98d05c82416064fc55365d0a35128082

SHA512
a365400300b3313edb9141e3f2ab40a268cd0d66b8bb785928bb95b169633e65108e4bedcc361788e818e3575022a604bebcf02bd633f8082228fc830d79c662

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5qhwwen.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5qhwwen.cmdline

Filesize
138B

MD5
beedb4c1f5befddc992c77151fa92f63

SHA1
d6dbf1bdae95df7fbf451d1845563fae249dc7f8

SHA256
41bf6315fb0c2a8f9f0031928111a92f6e62635e2145e45bbce7dfbf62260c82

SHA512
b69acd63d523d32fdbe0b664df33453c1d92b2de6e26a3baec5f0bb611afb17611dc003c2c5de5be5d68787af045443c376a876b049dd47de407f784daeeb0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5qhwwen.dll

Filesize
1.5MB

MD5
9f76c78260fb313b6b63f581815714d5

SHA1
3105b9c8d83232b8d7853762cf647c4c8592d20b

SHA256
cd16605dbe14fdf3e2380492c2f9a9cc80dc0dd6b30d7ea1843cd1e909ecb897

SHA512
0123c6d7aac885f50b88289932570f272f06b4e0ac1cab3c03161edecb54a4f87d70d0aae5d055e496a9229a4bbb042b1ea20de59ad8b681684cd8ac037b9c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zy7xdazl.0.vb

Filesize
757KB

MD5
78ebf14caaac90d9f3e8fa099bdb5f21

SHA1
4f17a3037add620c104d883bb55afc7a0287c27e

SHA256
c8ac05bb4101bd3493f69778727807ba7d2807eca3963c5568eb4c6376b8f3b9

SHA512
77809949b9a5068759aee01a8b2d02959d42521fb2e2ab272f53e31788c4a559f21e578355785c57dc88964f2b34893fe60ad772e2095d81034479981262ed9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zy7xdazl.cmdline

Filesize
138B

MD5
d91e44c711b022b33392eff3629f6766

SHA1
5026a8221a8080e4366f31674e1a5cc43123c614

SHA256
0e95ea116da23e8d6003f36f2c407f144e33a253ea0502425eff39b6bbbd7739

SHA512
8ff96f3c72d1588ef69492d6c9890fac4ae6abca13c0e7ceb5d7101154b1e6cdf9de384780067dac8cd7c74aa986412eff5d5f94bb595f33010e28781447c93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zy7xdazl.dll

Filesize
1.5MB

MD5
bed0c843688edd56e4cd75d5a8bb264e

SHA1
1f88455313fd22cb55ef68190f990b7fe74cfa77

SHA256
214e4b718e04bd3f0094d39baff46988b2acbf80578e0070ca068348197ab871

SHA512
0240bdae353923ad0e475a8ef186a9758236091a93ffcc9e54bfb8b0c1c036974c9548050697803461dba0fe5c083f68e07d5519875a5d4b332c6e6190d4b0bf

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
563KB

MD5
b1f06115b094b13172ac21c70dcc2e04

SHA1
518f57ed9d382bb6b5785a1872d1dd90306e43c8

SHA256
59f419c9c78221c9eac6e5631c78ca4a32f9913cc44f2a5397cb751ed1350570

SHA512
a7e4977ff10a69e10d484355d53e8aae24e4070ac6943ccb082e090a01befe6fa5ac4a1de4360f0e7bb62b2ed0b10ffe43fc42f10299eb43aab4e87dcc511032

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
563KB

MD5
b1f06115b094b13172ac21c70dcc2e04

SHA1
518f57ed9d382bb6b5785a1872d1dd90306e43c8

SHA256
59f419c9c78221c9eac6e5631c78ca4a32f9913cc44f2a5397cb751ed1350570

SHA512
a7e4977ff10a69e10d484355d53e8aae24e4070ac6943ccb082e090a01befe6fa5ac4a1de4360f0e7bb62b2ed0b10ffe43fc42f10299eb43aab4e87dcc511032

Download Submit
memory/268-94-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/268-95-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/468-250-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/468-251-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/764-239-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/764-240-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/996-63-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/996-62-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/996-108-0x0000000000AE6000-0x0000000000B05000-memory.dmp

Filesize
124KB

Download
memory/996-214-0x0000000000AE6000-0x0000000000B05000-memory.dmp

Filesize
124KB

Download
memory/1076-192-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1076-191-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1080-107-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1080-106-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1148-213-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1148-212-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1224-247-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1240-82-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1240-81-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1440-131-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1440-132-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1616-243-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1616-242-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1664-230-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1664-232-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1748-180-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1748-179-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1752-70-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1752-71-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1756-156-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1756-155-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1760-223-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1760-222-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1768-244-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1768-238-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1784-120-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1784-119-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1796-231-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1796-220-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1796-227-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1832-143-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1832-144-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1944-204-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/1944-203-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/2012-265-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-54-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/2044-56-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/2044-55-0x000007FEEDE40000-0x000007FEEEED6000-memory.dmp

Filesize
16.6MB

Download
memory/2072-253-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/2612-270-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2732-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2732-276-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2820-280-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2912-282-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download