darkcomet | c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54

Analysis

max time kernel
154s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
Size

753KB
MD5

710328053b929dfc6c272841aedf59ed
SHA1

d32f228a62ee3d54385a59ba6d9778ac83654ac9
SHA256

c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54
SHA512

afa40b72337d3248aea10496044d96b946ba64a583506d3c2762aefb07bc646b429327bb3301a15e1da4b1c4d94ac0be32335b7280ad492b054b3c179aab7984
SSDEEP

12288:Zw+TYqyTfPhTevXwmynxHI39IR3fsR0lIqWN7Gbow7MoAHn2IuyezBP3QxygED8:f9yTfpTYX0xiITl2ybZOn2vySf2A8

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

ukon111.duckdns.org:1604

Mutex

DCMIN_MUTEX-HJN2JUP

Attributes

gencode
avKNF8nce0Bo
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

Dnscache.exeaspnet_state.exe

pid process

1640 Dnscache.exe
1412 aspnet_state.exe
Loads dropped DLL 2 IoCs

Processes:

c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exeDnscache.exe

pid process

1348 c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640 Dnscache.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1640	Dnscache.exe
1412	aspnet_state.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Dnscache.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network List Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Dnscache.exe"	Dnscache.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exeaspnet_state.exe

description	pid	process	target process
PID 1348 set thread context of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1412 set thread context of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1856	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 988	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1592	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1404	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 752	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1280	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1968	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1244	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1780	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1644	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1012	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1580	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1308	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 824	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1800	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1756	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2008	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1964	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1532	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1632	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1816	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 848	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 804	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1368	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1428	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1608	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1048	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1924	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 268	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1612	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 672	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1312	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1272	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1556	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 912	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1240	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1544	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1500	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1080	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1992	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1812	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2016	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1236	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 468	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1376	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 904	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1124	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 1676	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 724	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 520	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 916	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 892	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2116	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2212	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2312	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2408	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2504	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2600	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2696	1412	aspnet_state.exe	vbc.exe
PID 1412 set thread context of 2792	1412	aspnet_state.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exeDnscache.exe

pid	process
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
1640	Dnscache.exe
1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exevbc.exeDnscache.exeaspnet_state.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
Token: SeIncreaseQuotaPrivilege	940	vbc.exe
Token: SeSecurityPrivilege	940	vbc.exe
Token: SeTakeOwnershipPrivilege	940	vbc.exe
Token: SeLoadDriverPrivilege	940	vbc.exe
Token: SeSystemProfilePrivilege	940	vbc.exe
Token: SeSystemtimePrivilege	940	vbc.exe
Token: SeProfSingleProcessPrivilege	940	vbc.exe
Token: SeIncBasePriorityPrivilege	940	vbc.exe
Token: SeCreatePagefilePrivilege	940	vbc.exe
Token: SeBackupPrivilege	940	vbc.exe
Token: SeRestorePrivilege	940	vbc.exe
Token: SeShutdownPrivilege	940	vbc.exe
Token: SeDebugPrivilege	940	vbc.exe
Token: SeSystemEnvironmentPrivilege	940	vbc.exe
Token: SeChangeNotifyPrivilege	940	vbc.exe
Token: SeRemoteShutdownPrivilege	940	vbc.exe
Token: SeUndockPrivilege	940	vbc.exe
Token: SeManageVolumePrivilege	940	vbc.exe
Token: SeImpersonatePrivilege	940	vbc.exe
Token: SeCreateGlobalPrivilege	940	vbc.exe
Token: 33	940	vbc.exe
Token: 34	940	vbc.exe
Token: 35	940	vbc.exe
Token: SeDebugPrivilege	1640	Dnscache.exe
Token: SeDebugPrivilege	1412	aspnet_state.exe
Token: SeIncreaseQuotaPrivilege	1696	vbc.exe
Token: SeSecurityPrivilege	1696	vbc.exe
Token: SeTakeOwnershipPrivilege	1696	vbc.exe
Token: SeLoadDriverPrivilege	1696	vbc.exe
Token: SeSystemProfilePrivilege	1696	vbc.exe
Token: SeSystemtimePrivilege	1696	vbc.exe
Token: SeProfSingleProcessPrivilege	1696	vbc.exe
Token: SeIncBasePriorityPrivilege	1696	vbc.exe
Token: SeCreatePagefilePrivilege	1696	vbc.exe
Token: SeBackupPrivilege	1696	vbc.exe
Token: SeRestorePrivilege	1696	vbc.exe
Token: SeShutdownPrivilege	1696	vbc.exe
Token: SeDebugPrivilege	1696	vbc.exe
Token: SeSystemEnvironmentPrivilege	1696	vbc.exe
Token: SeChangeNotifyPrivilege	1696	vbc.exe
Token: SeRemoteShutdownPrivilege	1696	vbc.exe
Token: SeUndockPrivilege	1696	vbc.exe
Token: SeManageVolumePrivilege	1696	vbc.exe
Token: SeImpersonatePrivilege	1696	vbc.exe
Token: SeCreateGlobalPrivilege	1696	vbc.exe
Token: 33	1696	vbc.exe
Token: 34	1696	vbc.exe
Token: 35	1696	vbc.exe
Token: SeIncreaseQuotaPrivilege	1020	vbc.exe
Token: SeSecurityPrivilege	1020	vbc.exe
Token: SeTakeOwnershipPrivilege	1020	vbc.exe
Token: SeLoadDriverPrivilege	1020	vbc.exe
Token: SeSystemProfilePrivilege	1020	vbc.exe
Token: SeSystemtimePrivilege	1020	vbc.exe
Token: SeProfSingleProcessPrivilege	1020	vbc.exe
Token: SeIncBasePriorityPrivilege	1020	vbc.exe
Token: SeCreatePagefilePrivilege	1020	vbc.exe
Token: SeBackupPrivilege	1020	vbc.exe
Token: SeRestorePrivilege	1020	vbc.exe
Token: SeShutdownPrivilege	1020	vbc.exe
Token: SeDebugPrivilege	1020	vbc.exe
Token: SeSystemEnvironmentPrivilege	1020	vbc.exe
Token: SeChangeNotifyPrivilege	1020	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

940 vbc.exe

pid	process
940	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exeDnscache.exeaspnet_state.exe

description	pid	process	target process
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 940	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	vbc.exe
PID 1348 wrote to memory of 1640	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	Dnscache.exe
PID 1348 wrote to memory of 1640	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	Dnscache.exe
PID 1348 wrote to memory of 1640	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	Dnscache.exe
PID 1348 wrote to memory of 1640	1348	c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe	Dnscache.exe
PID 1640 wrote to memory of 1412	1640	Dnscache.exe	aspnet_state.exe
PID 1640 wrote to memory of 1412	1640	Dnscache.exe	aspnet_state.exe
PID 1640 wrote to memory of 1412	1640	Dnscache.exe	aspnet_state.exe
PID 1640 wrote to memory of 1412	1640	Dnscache.exe	aspnet_state.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1696	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1020	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1864	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1856	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1856	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1856	1412	aspnet_state.exe	vbc.exe
PID 1412 wrote to memory of 1856	1412	aspnet_state.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe
"C:\Users\Admin\AppData\Local\Temp\c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:940

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Dnscache.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Dnscache.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\aspnet_state.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\aspnet_state.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3216

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Dnscache.exe

Filesize
8KB

MD5
f83dfcf941cceb799187d322e5646097

SHA1
a831600e1249d676744b7d02f46666314c1ef807

SHA256
8f5f189a56bb02c3f5ac98eb8526e54fa346253b4602536488e562c28c35fd0c

SHA512
554698c82d162f2f7d124f8c683bb86a2ef89898a2f373991f994e4931f5535c72878a87356308389c55f106d8d0844a1942bda75094823c4e211d0c1d454777

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Dnscache.exe

Filesize
8KB

MD5
f83dfcf941cceb799187d322e5646097

SHA1
a831600e1249d676744b7d02f46666314c1ef807

SHA256
8f5f189a56bb02c3f5ac98eb8526e54fa346253b4602536488e562c28c35fd0c

SHA512
554698c82d162f2f7d124f8c683bb86a2ef89898a2f373991f994e4931f5535c72878a87356308389c55f106d8d0844a1942bda75094823c4e211d0c1d454777

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\aspnet_state.exe

Filesize
753KB

MD5
710328053b929dfc6c272841aedf59ed

SHA1
d32f228a62ee3d54385a59ba6d9778ac83654ac9

SHA256
c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54

SHA512
afa40b72337d3248aea10496044d96b946ba64a583506d3c2762aefb07bc646b429327bb3301a15e1da4b1c4d94ac0be32335b7280ad492b054b3c179aab7984

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\aspnet_state.exe

Filesize
753KB

MD5
710328053b929dfc6c272841aedf59ed

SHA1
d32f228a62ee3d54385a59ba6d9778ac83654ac9

SHA256
c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54

SHA512
afa40b72337d3248aea10496044d96b946ba64a583506d3c2762aefb07bc646b429327bb3301a15e1da4b1c4d94ac0be32335b7280ad492b054b3c179aab7984

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Dnscache.exe

Filesize
8KB

MD5
f83dfcf941cceb799187d322e5646097

SHA1
a831600e1249d676744b7d02f46666314c1ef807

SHA256
8f5f189a56bb02c3f5ac98eb8526e54fa346253b4602536488e562c28c35fd0c

SHA512
554698c82d162f2f7d124f8c683bb86a2ef89898a2f373991f994e4931f5535c72878a87356308389c55f106d8d0844a1942bda75094823c4e211d0c1d454777

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\aspnet_state.exe

Filesize
753KB

MD5
710328053b929dfc6c272841aedf59ed

SHA1
d32f228a62ee3d54385a59ba6d9778ac83654ac9

SHA256
c6ba04b5e34d9960834679000ac903196d4f027920facb3ab24d0e7623a82d54

SHA512
afa40b72337d3248aea10496044d96b946ba64a583506d3c2762aefb07bc646b429327bb3301a15e1da4b1c4d94ac0be32335b7280ad492b054b3c179aab7984

Download Submit
memory/268-734-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/268-730-0x000000000048F888-mapping.dmp

Download
memory/468-1031-0x000000000048F888-mapping.dmp

Download
memory/468-1035-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/520-1148-0x000000000048F888-mapping.dmp

Download
memory/672-774-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/672-770-0x000000000048F888-mapping.dmp

Download
memory/724-1131-0x000000000048F888-mapping.dmp

Download
memory/724-1132-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/752-247-0x000000000048F888-mapping.dmp

Download
memory/752-251-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/804-613-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/804-609-0x000000000048F888-mapping.dmp

Download
memory/824-432-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/824-428-0x000000000048F888-mapping.dmp

Download
memory/848-589-0x000000000048F888-mapping.dmp

Download
memory/848-593-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/892-1188-0x000000000048F888-mapping.dmp

Download
memory/904-1075-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/904-1071-0x000000000048F888-mapping.dmp

Download
memory/912-850-0x000000000048F888-mapping.dmp

Download
memory/912-854-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/916-1168-0x000000000048F888-mapping.dmp

Download
memory/940-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/940-72-0x000000000048F888-mapping.dmp

Download
memory/988-187-0x000000000048F888-mapping.dmp

Download
memory/988-191-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-371-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1012-367-0x000000000048F888-mapping.dmp

Download
memory/1020-131-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-127-0x000000000048F888-mapping.dmp

Download
memory/1048-689-0x000000000048F888-mapping.dmp

Download
memory/1048-693-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-934-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-930-0x000000000048F888-mapping.dmp

Download
memory/1124-1095-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-1091-0x000000000048F888-mapping.dmp

Download
memory/1236-1015-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1236-1011-0x000000000048F888-mapping.dmp

Download
memory/1240-870-0x000000000048F888-mapping.dmp

Download
memory/1240-874-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-311-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-307-0x000000000048F888-mapping.dmp

Download
memory/1272-810-0x000000000048F888-mapping.dmp

Download
memory/1272-814-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-271-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-267-0x000000000048F888-mapping.dmp

Download
memory/1308-412-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1308-408-0x000000000048F888-mapping.dmp

Download
memory/1312-794-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1312-790-0x000000000048F888-mapping.dmp

Download
memory/1348-91-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-56-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-55-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1368-629-0x000000000048F888-mapping.dmp

Download
memory/1368-633-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1376-1051-0x000000000048F888-mapping.dmp

Download
memory/1376-1055-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1404-227-0x000000000048F888-mapping.dmp

Download
memory/1404-231-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1412-90-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1412-86-0x0000000000000000-mapping.dmp

Download
memory/1412-89-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1428-649-0x000000000048F888-mapping.dmp

Download
memory/1428-653-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1500-914-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1500-910-0x000000000048F888-mapping.dmp

Download
memory/1532-533-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-529-0x000000000048F888-mapping.dmp

Download
memory/1544-894-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1544-890-0x000000000048F888-mapping.dmp

Download
memory/1556-834-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1556-830-0x000000000048F888-mapping.dmp

Download
memory/1580-392-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-387-0x000000000048F888-mapping.dmp

Download
memory/1580-391-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-211-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1592-207-0x000000000048F888-mapping.dmp

Download
memory/1608-669-0x000000000048F888-mapping.dmp

Download
memory/1608-673-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-750-0x000000000048F888-mapping.dmp

Download
memory/1612-754-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1632-549-0x000000000048F888-mapping.dmp

Download
memory/1632-553-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1640-80-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-83-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-76-0x0000000000000000-mapping.dmp

Download
memory/1644-351-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1644-347-0x000000000048F888-mapping.dmp

Download
memory/1676-1115-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1676-1111-0x000000000048F888-mapping.dmp

Download
memory/1696-107-0x000000000048F888-mapping.dmp

Download
memory/1696-111-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1756-472-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1756-468-0x000000000048F888-mapping.dmp

Download
memory/1780-331-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1780-327-0x000000000048F888-mapping.dmp

Download
memory/1800-448-0x000000000048F888-mapping.dmp

Download
memory/1800-452-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1812-971-0x000000000048F888-mapping.dmp

Download
memory/1812-975-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1816-573-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1816-569-0x000000000048F888-mapping.dmp

Download
memory/1856-167-0x000000000048F888-mapping.dmp

Download
memory/1856-171-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-147-0x000000000048F888-mapping.dmp

Download
memory/1864-151-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1924-713-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1924-709-0x000000000048F888-mapping.dmp

Download
memory/1924-714-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1964-512-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1964-513-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1964-508-0x000000000048F888-mapping.dmp

Download
memory/1968-287-0x000000000048F888-mapping.dmp

Download
memory/1968-291-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1992-950-0x000000000048F888-mapping.dmp

Download
memory/1992-955-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1992-954-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2008-488-0x000000000048F888-mapping.dmp

Download
memory/2008-492-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2016-995-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2016-991-0x000000000048F888-mapping.dmp

Download
memory/2116-1208-0x000000000048F888-mapping.dmp

Download
memory/2212-1228-0x000000000048F888-mapping.dmp

Download
memory/2312-1249-0x000000000048F888-mapping.dmp

Download
memory/2408-1269-0x000000000048F888-mapping.dmp

Download
memory/2504-1289-0x000000000048F888-mapping.dmp

Download
memory/2600-1309-0x000000000048F888-mapping.dmp

Download