darkcomet | 8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4

Analysis

max time kernel
168s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
Size

765KB
MD5

dd06a8927a31a5b58a15c778c7ac6e6f
SHA1

8008faee85087b64a606c08fb90190031555f701
SHA256

8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4
SHA512

056bf7e9f3732caed59693a22effa4a94ccd5b597d3a85b05827c849ee854a5fedbd721c9abb5ef6afdf05f46b187968298229e62e96017ec81fbb2387be72d1
SSDEEP

12288:OfCDl0frXblOB1qM0Ml0snT2/1RrVbt56xEb/nWbKrjSAigkLh+LECDBjgi:jmXbl2hk/1rbcc/RruA9FLVjg

Score

10^/10

darkcomet ali persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

ALI

ceiec2008.ddns.net:200

Mutex

DCMIN_MUTEX-AWCAR87

Attributes

gencode
6nxiuXbNh2Jz
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

WUDHost.exeAcctres.exeWUDHost.exe

pid process

968 WUDHost.exe
708 Acctres.exe
1764 WUDHost.exe
Loads dropped DLL 2 IoCs

Processes:

8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exeWUDHost.exe

pid process

988 8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
968 WUDHost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
968	WUDHost.exe
708	Acctres.exe
1764	WUDHost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WUDHost.exeWUDHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exeAcctres.exe

description	pid	process	target process
PID 988 set thread context of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 708 set thread context of 1840	708	Acctres.exe	vbc.exe
PID 708 set thread context of 536	708	Acctres.exe	vbc.exe
PID 708 set thread context of 628	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1828	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1548	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1960	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2004	708	Acctres.exe	vbc.exe
PID 708 set thread context of 868	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1560	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2020	708	Acctres.exe	vbc.exe
PID 708 set thread context of 844	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1468	708	Acctres.exe	vbc.exe
PID 708 set thread context of 784	708	Acctres.exe	vbc.exe
PID 708 set thread context of 524	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1588	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1688	708	Acctres.exe	vbc.exe
PID 708 set thread context of 556	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1712	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1888	708	Acctres.exe	vbc.exe
PID 708 set thread context of 636	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1092	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1124	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1860	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1684	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1696	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1744	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1776	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1128	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1476	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1012	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1660	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1920	708	Acctres.exe	vbc.exe
PID 708 set thread context of 704	708	Acctres.exe	vbc.exe
PID 708 set thread context of 968	708	Acctres.exe	vbc.exe
PID 708 set thread context of 676	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1644	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1056	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1604	708	Acctres.exe	vbc.exe
PID 708 set thread context of 828	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1720	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1992	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2000	708	Acctres.exe	vbc.exe
PID 708 set thread context of 292	708	Acctres.exe	vbc.exe
PID 708 set thread context of 808	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1584	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1028	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1988	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1456	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1276	708	Acctres.exe	vbc.exe
PID 708 set thread context of 972	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1768	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1536	708	Acctres.exe	vbc.exe
PID 708 set thread context of 1420	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2032	708	Acctres.exe	vbc.exe
PID 708 set thread context of 760	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2112	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2208	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2304	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2400	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2496	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2592	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2684	708	Acctres.exe	vbc.exe
PID 708 set thread context of 2776	708	Acctres.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exeWUDHost.exeAcctres.exe

pid	process
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
968	WUDHost.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
968	WUDHost.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
968	WUDHost.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
968	WUDHost.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
968	WUDHost.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
968	WUDHost.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
708	Acctres.exe
708	Acctres.exe
708	Acctres.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exevbc.exeWUDHost.exeAcctres.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
Token: 33	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
Token: SeIncBasePriorityPrivilege	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
Token: SeIncreaseQuotaPrivilege	692	vbc.exe
Token: SeSecurityPrivilege	692	vbc.exe
Token: SeTakeOwnershipPrivilege	692	vbc.exe
Token: SeLoadDriverPrivilege	692	vbc.exe
Token: SeSystemProfilePrivilege	692	vbc.exe
Token: SeSystemtimePrivilege	692	vbc.exe
Token: SeProfSingleProcessPrivilege	692	vbc.exe
Token: SeIncBasePriorityPrivilege	692	vbc.exe
Token: SeCreatePagefilePrivilege	692	vbc.exe
Token: SeBackupPrivilege	692	vbc.exe
Token: SeRestorePrivilege	692	vbc.exe
Token: SeShutdownPrivilege	692	vbc.exe
Token: SeDebugPrivilege	692	vbc.exe
Token: SeSystemEnvironmentPrivilege	692	vbc.exe
Token: SeChangeNotifyPrivilege	692	vbc.exe
Token: SeRemoteShutdownPrivilege	692	vbc.exe
Token: SeUndockPrivilege	692	vbc.exe
Token: SeManageVolumePrivilege	692	vbc.exe
Token: SeImpersonatePrivilege	692	vbc.exe
Token: SeCreateGlobalPrivilege	692	vbc.exe
Token: 33	692	vbc.exe
Token: 34	692	vbc.exe
Token: 35	692	vbc.exe
Token: SeDebugPrivilege	968	WUDHost.exe
Token: SeDebugPrivilege	708	Acctres.exe
Token: 33	708	Acctres.exe
Token: SeIncBasePriorityPrivilege	708	Acctres.exe
Token: SeIncreaseQuotaPrivilege	1840	vbc.exe
Token: SeSecurityPrivilege	1840	vbc.exe
Token: SeTakeOwnershipPrivilege	1840	vbc.exe
Token: SeLoadDriverPrivilege	1840	vbc.exe
Token: SeSystemProfilePrivilege	1840	vbc.exe
Token: SeSystemtimePrivilege	1840	vbc.exe
Token: SeProfSingleProcessPrivilege	1840	vbc.exe
Token: SeIncBasePriorityPrivilege	1840	vbc.exe
Token: SeCreatePagefilePrivilege	1840	vbc.exe
Token: SeBackupPrivilege	1840	vbc.exe
Token: SeRestorePrivilege	1840	vbc.exe
Token: SeShutdownPrivilege	1840	vbc.exe
Token: SeDebugPrivilege	1840	vbc.exe
Token: SeSystemEnvironmentPrivilege	1840	vbc.exe
Token: SeChangeNotifyPrivilege	1840	vbc.exe
Token: SeRemoteShutdownPrivilege	1840	vbc.exe
Token: SeUndockPrivilege	1840	vbc.exe
Token: SeManageVolumePrivilege	1840	vbc.exe
Token: SeImpersonatePrivilege	1840	vbc.exe
Token: SeCreateGlobalPrivilege	1840	vbc.exe
Token: 33	1840	vbc.exe
Token: 34	1840	vbc.exe
Token: 35	1840	vbc.exe
Token: SeIncreaseQuotaPrivilege	536	vbc.exe
Token: SeSecurityPrivilege	536	vbc.exe
Token: SeTakeOwnershipPrivilege	536	vbc.exe
Token: SeLoadDriverPrivilege	536	vbc.exe
Token: SeSystemProfilePrivilege	536	vbc.exe
Token: SeSystemtimePrivilege	536	vbc.exe
Token: SeProfSingleProcessPrivilege	536	vbc.exe
Token: SeIncBasePriorityPrivilege	536	vbc.exe
Token: SeCreatePagefilePrivilege	536	vbc.exe
Token: SeBackupPrivilege	536	vbc.exe
Token: SeRestorePrivilege	536	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

692 vbc.exe

pid	process
692	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exeWUDHost.exeAcctres.exe

description	pid	process	target process
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 692	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	vbc.exe
PID 988 wrote to memory of 968	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	WUDHost.exe
PID 988 wrote to memory of 968	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	WUDHost.exe
PID 988 wrote to memory of 968	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	WUDHost.exe
PID 988 wrote to memory of 968	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	WUDHost.exe
PID 968 wrote to memory of 708	968	WUDHost.exe	Acctres.exe
PID 968 wrote to memory of 708	968	WUDHost.exe	Acctres.exe
PID 968 wrote to memory of 708	968	WUDHost.exe	Acctres.exe
PID 968 wrote to memory of 708	968	WUDHost.exe	Acctres.exe
PID 988 wrote to memory of 1764	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	WUDHost.exe
PID 988 wrote to memory of 1764	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	WUDHost.exe
PID 988 wrote to memory of 1764	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	WUDHost.exe
PID 988 wrote to memory of 1764	988	8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe	WUDHost.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 1840	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 536	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe
PID 708 wrote to memory of 628	708	Acctres.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe
"C:\Users\Admin\AppData\Local\Temp\8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:692

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3216

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:5080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:5068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:5048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4600

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
765KB

MD5
dd06a8927a31a5b58a15c778c7ac6e6f

SHA1
8008faee85087b64a606c08fb90190031555f701

SHA256
8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4

SHA512
056bf7e9f3732caed59693a22effa4a94ccd5b597d3a85b05827c849ee854a5fedbd721c9abb5ef6afdf05f46b187968298229e62e96017ec81fbb2387be72d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
765KB

MD5
dd06a8927a31a5b58a15c778c7ac6e6f

SHA1
8008faee85087b64a606c08fb90190031555f701

SHA256
8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4

SHA512
056bf7e9f3732caed59693a22effa4a94ccd5b597d3a85b05827c849ee854a5fedbd721c9abb5ef6afdf05f46b187968298229e62e96017ec81fbb2387be72d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
Filesize
8KB

MD5
203abaf3a0b4387f8c83b8df44b52be4

SHA1
f298f77bf98b2941d4c7473c8fe0e8feedaaca6f

SHA256
4b5118a6792cf0fec015c0db676d42049333f725f9d10f4d36df95a41003ae38

SHA512
475e350bca4c5273779fe58e17bfe18a713572e17e417f700aa6418196c2830ae003f7fa9f8eb956ebea06e32fe35b47e967d5f1bff9b3a920585562360b0b50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
Filesize
8KB

MD5
203abaf3a0b4387f8c83b8df44b52be4

SHA1
f298f77bf98b2941d4c7473c8fe0e8feedaaca6f

SHA256
4b5118a6792cf0fec015c0db676d42049333f725f9d10f4d36df95a41003ae38

SHA512
475e350bca4c5273779fe58e17bfe18a713572e17e417f700aa6418196c2830ae003f7fa9f8eb956ebea06e32fe35b47e967d5f1bff9b3a920585562360b0b50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
Filesize
8KB

MD5
203abaf3a0b4387f8c83b8df44b52be4

SHA1
f298f77bf98b2941d4c7473c8fe0e8feedaaca6f

SHA256
4b5118a6792cf0fec015c0db676d42049333f725f9d10f4d36df95a41003ae38

SHA512
475e350bca4c5273779fe58e17bfe18a713572e17e417f700aa6418196c2830ae003f7fa9f8eb956ebea06e32fe35b47e967d5f1bff9b3a920585562360b0b50

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
765KB

MD5
dd06a8927a31a5b58a15c778c7ac6e6f

SHA1
8008faee85087b64a606c08fb90190031555f701

SHA256
8e0cdb08c3f33c1bc12b8cac91128b2f0266ad590b83b370240c2139d97701f4

SHA512
056bf7e9f3732caed59693a22effa4a94ccd5b597d3a85b05827c849ee854a5fedbd721c9abb5ef6afdf05f46b187968298229e62e96017ec81fbb2387be72d1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
Filesize
8KB

MD5
203abaf3a0b4387f8c83b8df44b52be4

SHA1
f298f77bf98b2941d4c7473c8fe0e8feedaaca6f

SHA256
4b5118a6792cf0fec015c0db676d42049333f725f9d10f4d36df95a41003ae38

SHA512
475e350bca4c5273779fe58e17bfe18a713572e17e417f700aa6418196c2830ae003f7fa9f8eb956ebea06e32fe35b47e967d5f1bff9b3a920585562360b0b50

Download Submit
memory/292-957-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/292-953-0x000000000048F888-mapping.dmp

Download
memory/524-372-0x000000000048F888-mapping.dmp

Download
memory/524-376-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/536-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/536-132-0x000000000048F888-mapping.dmp

Download
memory/556-432-0x000000000048F888-mapping.dmp

Download
memory/556-436-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/628-152-0x000000000048F888-mapping.dmp

Download
memory/628-156-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-496-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-492-0x000000000048F888-mapping.dmp

Download
memory/676-797-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/676-793-0x000000000048F888-mapping.dmp

Download
memory/692-72-0x000000000048F888-mapping.dmp

Download
memory/692-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/704-757-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/704-753-0x000000000048F888-mapping.dmp

Download
memory/708-91-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/708-90-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/708-87-0x0000000000000000-mapping.dmp

Download
memory/760-1194-0x000000000048F888-mapping.dmp

Download
memory/784-352-0x000000000048F888-mapping.dmp

Download
memory/784-356-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/808-977-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/808-973-0x000000000048F888-mapping.dmp

Download
memory/828-873-0x000000000048F888-mapping.dmp

Download
memory/828-877-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/844-316-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/844-312-0x000000000048F888-mapping.dmp

Download
memory/868-252-0x000000000048F888-mapping.dmp

Download
memory/868-256-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/968-77-0x0000000000000000-mapping.dmp

Download
memory/968-92-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/968-82-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/968-773-0x000000000048F888-mapping.dmp

Download
memory/968-777-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/968-84-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/972-1098-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-1094-0x000000000048F888-mapping.dmp

Download
memory/988-55-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/988-56-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/988-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1012-693-0x000000000048F888-mapping.dmp

Download
memory/1012-697-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1028-1013-0x000000000048F888-mapping.dmp

Download
memory/1028-1017-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1056-837-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1056-833-0x000000000048F888-mapping.dmp

Download
memory/1092-516-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1092-512-0x000000000048F888-mapping.dmp

Download
memory/1124-532-0x000000000048F888-mapping.dmp

Download
memory/1124-536-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1128-657-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1128-653-0x000000000048F888-mapping.dmp

Download
memory/1276-1074-0x000000000048F888-mapping.dmp

Download
memory/1276-1078-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1420-1154-0x000000000048F888-mapping.dmp

Download
memory/1456-1058-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1456-1053-0x000000000048F888-mapping.dmp

Download
memory/1468-336-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1468-332-0x000000000048F888-mapping.dmp

Download
memory/1476-677-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1476-673-0x000000000048F888-mapping.dmp

Download
memory/1536-1134-0x000000000048F888-mapping.dmp

Download
memory/1536-1138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1548-192-0x000000000048F888-mapping.dmp

Download
memory/1548-196-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1560-276-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1560-272-0x000000000048F888-mapping.dmp

Download
memory/1584-997-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1584-993-0x000000000048F888-mapping.dmp

Download
memory/1588-396-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1588-392-0x000000000048F888-mapping.dmp

Download
memory/1604-853-0x000000000048F888-mapping.dmp

Download
memory/1604-857-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1644-813-0x000000000048F888-mapping.dmp

Download
memory/1644-817-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1660-713-0x000000000048F888-mapping.dmp

Download
memory/1660-717-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1684-572-0x000000000048F888-mapping.dmp

Download
memory/1684-576-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-416-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-412-0x000000000048F888-mapping.dmp

Download
memory/1696-596-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1696-592-0x000000000048F888-mapping.dmp

Download
memory/1712-456-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1712-452-0x000000000048F888-mapping.dmp

Download
memory/1720-897-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1720-893-0x000000000048F888-mapping.dmp

Download
memory/1744-612-0x000000000048F888-mapping.dmp

Download
memory/1744-617-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1744-616-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1764-1056-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-93-0x0000000000000000-mapping.dmp

Download
memory/1764-96-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-1114-0x000000000048F888-mapping.dmp

Download
memory/1768-1118-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1776-633-0x000000000048F888-mapping.dmp

Download
memory/1776-637-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1828-176-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1828-172-0x000000000048F888-mapping.dmp

Download
memory/1840-116-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1840-112-0x000000000048F888-mapping.dmp

Download
memory/1860-556-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1860-552-0x000000000048F888-mapping.dmp

Download
memory/1888-476-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1888-472-0x000000000048F888-mapping.dmp

Download
memory/1920-737-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1920-733-0x000000000048F888-mapping.dmp

Download
memory/1960-216-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1960-212-0x000000000048F888-mapping.dmp

Download
memory/1988-1037-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1988-1033-0x000000000048F888-mapping.dmp

Download
memory/1992-913-0x000000000048F888-mapping.dmp

Download
memory/1992-917-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-937-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2000-933-0x000000000048F888-mapping.dmp

Download
memory/2004-236-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2004-232-0x000000000048F888-mapping.dmp

Download
memory/2020-296-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2020-292-0x000000000048F888-mapping.dmp

Download
memory/2032-1174-0x000000000048F888-mapping.dmp

Download
memory/2112-1214-0x000000000048F888-mapping.dmp

Download
memory/2208-1234-0x000000000048F888-mapping.dmp

Download
memory/2304-1254-0x000000000048F888-mapping.dmp

Download
memory/2400-1274-0x000000000048F888-mapping.dmp

Download
memory/2496-1294-0x000000000048F888-mapping.dmp

Download