darkcomet | 6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478

Analysis

max time kernel
152s
max time network
67s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
Size

739KB
MD5

4d3598646882b23eee497f413d1f7fb2
SHA1

368d6b9766b565dbd611a446921251fa65a2393c
SHA256

6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478
SHA512

52247a6279d998418d3192cc602d919744329bb9bf4f341b0e45e6fc7c9c6e70346f4ee37e77cb9c5171568cf4128d0ec59487dcbd3fa25ebdc83fea5fd29fdc
SSDEEP

12288:3JXwP/1klEfc+zI1a4yHKMA6/Ut7Jq1BCN5N/BZ9Si7KFaqBQ:39I/iluzOadPACUt7Q1Cb/Bl7L

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

endocomet.no-ip.biz:1604

Mutex

DC_MUTEX-5W69PR6

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
NK090aa72Gqo
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 4 IoCs

Processes:

IpOverUsbSvrc.exemsdcsc.exeatiesrx.exeIpOverUsbSvrc.exe

pid process

908 IpOverUsbSvrc.exe
1324 msdcsc.exe
1540 atiesrx.exe
1960 IpOverUsbSvrc.exe
Loads dropped DLL 4 IoCs

Processes:

6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exevbc.exeIpOverUsbSvrc.exeatiesrx.exe

pid process

1792 6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1244 vbc.exe
908 IpOverUsbSvrc.exe
1540 atiesrx.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
908	IpOverUsbSvrc.exe
1324	msdcsc.exe
1540	atiesrx.exe
1960	IpOverUsbSvrc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exeIpOverUsbSvrc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exeatiesrx.exe

description	pid	process	target process
PID 1792 set thread context of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 set thread context of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1540 set thread context of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 2028	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 336	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1692	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1344	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1484	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 524	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 768	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1648	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1676	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 800	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 2036	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1392	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 548	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1512	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1584	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 876	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 568	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 972	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1616	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 624	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1940	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1716	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 2032	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 432	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1028	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1628	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1360	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1508	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1800	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1052	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1420	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 2040	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1164	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1120	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1612	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1496	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1804	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1708	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1116	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1348	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 952	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 948	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1780	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1704	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1588	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1200	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 268	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1580	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1568	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1668	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 868	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 776	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 764	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1792	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 588	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1828	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 584	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 612	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 564	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1268	1540	atiesrx.exe	vbc.exe
PID 1540 set thread context of 1936	1540	atiesrx.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exeIpOverUsbSvrc.exeatiesrx.exe

pid	process
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
908	IpOverUsbSvrc.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
908	IpOverUsbSvrc.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
908	IpOverUsbSvrc.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
908	IpOverUsbSvrc.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
908	IpOverUsbSvrc.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
908	IpOverUsbSvrc.exe
1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
1540	atiesrx.exe
1540	atiesrx.exe
1540	atiesrx.exe
1540	atiesrx.exe
1540	atiesrx.exe
1540	atiesrx.exe
1540	atiesrx.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exevbc.exevbc.exeIpOverUsbSvrc.exeatiesrx.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
Token: SeIncreaseQuotaPrivilege	1244	vbc.exe
Token: SeSecurityPrivilege	1244	vbc.exe
Token: SeTakeOwnershipPrivilege	1244	vbc.exe
Token: SeLoadDriverPrivilege	1244	vbc.exe
Token: SeSystemProfilePrivilege	1244	vbc.exe
Token: SeSystemtimePrivilege	1244	vbc.exe
Token: SeProfSingleProcessPrivilege	1244	vbc.exe
Token: SeIncBasePriorityPrivilege	1244	vbc.exe
Token: SeCreatePagefilePrivilege	1244	vbc.exe
Token: SeBackupPrivilege	1244	vbc.exe
Token: SeRestorePrivilege	1244	vbc.exe
Token: SeShutdownPrivilege	1244	vbc.exe
Token: SeDebugPrivilege	1244	vbc.exe
Token: SeSystemEnvironmentPrivilege	1244	vbc.exe
Token: SeChangeNotifyPrivilege	1244	vbc.exe
Token: SeRemoteShutdownPrivilege	1244	vbc.exe
Token: SeUndockPrivilege	1244	vbc.exe
Token: SeManageVolumePrivilege	1244	vbc.exe
Token: SeImpersonatePrivilege	1244	vbc.exe
Token: SeCreateGlobalPrivilege	1244	vbc.exe
Token: 33	1244	vbc.exe
Token: 34	1244	vbc.exe
Token: 35	1244	vbc.exe
Token: SeIncreaseQuotaPrivilege	1300	vbc.exe
Token: SeSecurityPrivilege	1300	vbc.exe
Token: SeTakeOwnershipPrivilege	1300	vbc.exe
Token: SeLoadDriverPrivilege	1300	vbc.exe
Token: SeSystemProfilePrivilege	1300	vbc.exe
Token: SeSystemtimePrivilege	1300	vbc.exe
Token: SeProfSingleProcessPrivilege	1300	vbc.exe
Token: SeIncBasePriorityPrivilege	1300	vbc.exe
Token: SeCreatePagefilePrivilege	1300	vbc.exe
Token: SeBackupPrivilege	1300	vbc.exe
Token: SeRestorePrivilege	1300	vbc.exe
Token: SeShutdownPrivilege	1300	vbc.exe
Token: SeDebugPrivilege	1300	vbc.exe
Token: SeSystemEnvironmentPrivilege	1300	vbc.exe
Token: SeChangeNotifyPrivilege	1300	vbc.exe
Token: SeRemoteShutdownPrivilege	1300	vbc.exe
Token: SeUndockPrivilege	1300	vbc.exe
Token: SeManageVolumePrivilege	1300	vbc.exe
Token: SeImpersonatePrivilege	1300	vbc.exe
Token: SeCreateGlobalPrivilege	1300	vbc.exe
Token: 33	1300	vbc.exe
Token: 34	1300	vbc.exe
Token: 35	1300	vbc.exe
Token: SeDebugPrivilege	908	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1540	atiesrx.exe
Token: SeIncreaseQuotaPrivilege	1840	vbc.exe
Token: SeSecurityPrivilege	1840	vbc.exe
Token: SeTakeOwnershipPrivilege	1840	vbc.exe
Token: SeLoadDriverPrivilege	1840	vbc.exe
Token: SeSystemProfilePrivilege	1840	vbc.exe
Token: SeSystemtimePrivilege	1840	vbc.exe
Token: SeProfSingleProcessPrivilege	1840	vbc.exe
Token: SeIncBasePriorityPrivilege	1840	vbc.exe
Token: SeCreatePagefilePrivilege	1840	vbc.exe
Token: SeBackupPrivilege	1840	vbc.exe
Token: SeRestorePrivilege	1840	vbc.exe
Token: SeShutdownPrivilege	1840	vbc.exe
Token: SeDebugPrivilege	1840	vbc.exe
Token: SeSystemEnvironmentPrivilege	1840	vbc.exe
Token: SeChangeNotifyPrivilege	1840	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1300 vbc.exe

pid	process
1300	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exevbc.exeIpOverUsbSvrc.exeatiesrx.exe

description	pid	process	target process
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1244	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 908	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	IpOverUsbSvrc.exe
PID 1792 wrote to memory of 908	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	IpOverUsbSvrc.exe
PID 1792 wrote to memory of 908	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	IpOverUsbSvrc.exe
PID 1792 wrote to memory of 908	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	IpOverUsbSvrc.exe
PID 1244 wrote to memory of 1324	1244	vbc.exe	msdcsc.exe
PID 1244 wrote to memory of 1324	1244	vbc.exe	msdcsc.exe
PID 1244 wrote to memory of 1324	1244	vbc.exe	msdcsc.exe
PID 1244 wrote to memory of 1324	1244	vbc.exe	msdcsc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 1792 wrote to memory of 1300	1792	6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe	vbc.exe
PID 908 wrote to memory of 1540	908	IpOverUsbSvrc.exe	atiesrx.exe
PID 908 wrote to memory of 1540	908	IpOverUsbSvrc.exe	atiesrx.exe
PID 908 wrote to memory of 1540	908	IpOverUsbSvrc.exe	atiesrx.exe
PID 908 wrote to memory of 1540	908	IpOverUsbSvrc.exe	atiesrx.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1840	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 1960	1540	atiesrx.exe	IpOverUsbSvrc.exe
PID 1540 wrote to memory of 1960	1540	atiesrx.exe	IpOverUsbSvrc.exe
PID 1540 wrote to memory of 1960	1540	atiesrx.exe	IpOverUsbSvrc.exe
PID 1540 wrote to memory of 1960	1540	atiesrx.exe	IpOverUsbSvrc.exe
PID 1540 wrote to memory of 2028	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 2028	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 2028	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 2028	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 2028	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 2028	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 2028	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 2028	1540	atiesrx.exe	vbc.exe
PID 1540 wrote to memory of 2028	1540	atiesrx.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
"C:\Users\Admin\AppData\Local\Temp\6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1324

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:3164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:5080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:5060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:4128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
7KB

MD5
810db2c3e098ac24cbcb203b3055b2ad

SHA1
5460fede999acb340854c429fb3dd338729c5482

SHA256
0785de3c23b36943e653436227ead201e151b9614d6f2696a16d611240eec9f2

SHA512
33fc8dce029ce1442b20a6948c198666df9bdf7622b90ffb94700ab58101ca54aa87eb8013f1e79f1a4ca50f20c41141286a56d28298e86fa401b0cbd935cfee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
7KB

MD5
810db2c3e098ac24cbcb203b3055b2ad

SHA1
5460fede999acb340854c429fb3dd338729c5482

SHA256
0785de3c23b36943e653436227ead201e151b9614d6f2696a16d611240eec9f2

SHA512
33fc8dce029ce1442b20a6948c198666df9bdf7622b90ffb94700ab58101ca54aa87eb8013f1e79f1a4ca50f20c41141286a56d28298e86fa401b0cbd935cfee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
7KB

MD5
810db2c3e098ac24cbcb203b3055b2ad

SHA1
5460fede999acb340854c429fb3dd338729c5482

SHA256
0785de3c23b36943e653436227ead201e151b9614d6f2696a16d611240eec9f2

SHA512
33fc8dce029ce1442b20a6948c198666df9bdf7622b90ffb94700ab58101ca54aa87eb8013f1e79f1a4ca50f20c41141286a56d28298e86fa401b0cbd935cfee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
7KB

MD5
810db2c3e098ac24cbcb203b3055b2ad

SHA1
5460fede999acb340854c429fb3dd338729c5482

SHA256
0785de3c23b36943e653436227ead201e151b9614d6f2696a16d611240eec9f2

SHA512
33fc8dce029ce1442b20a6948c198666df9bdf7622b90ffb94700ab58101ca54aa87eb8013f1e79f1a4ca50f20c41141286a56d28298e86fa401b0cbd935cfee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
Filesize
739KB

MD5
4d3598646882b23eee497f413d1f7fb2

SHA1
368d6b9766b565dbd611a446921251fa65a2393c

SHA256
6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478

SHA512
52247a6279d998418d3192cc602d919744329bb9bf4f341b0e45e6fc7c9c6e70346f4ee37e77cb9c5171568cf4128d0ec59487dcbd3fa25ebdc83fea5fd29fdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
Filesize
739KB

MD5
4d3598646882b23eee497f413d1f7fb2

SHA1
368d6b9766b565dbd611a446921251fa65a2393c

SHA256
6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478

SHA512
52247a6279d998418d3192cc602d919744329bb9bf4f341b0e45e6fc7c9c6e70346f4ee37e77cb9c5171568cf4128d0ec59487dcbd3fa25ebdc83fea5fd29fdc

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
7KB

MD5
810db2c3e098ac24cbcb203b3055b2ad

SHA1
5460fede999acb340854c429fb3dd338729c5482

SHA256
0785de3c23b36943e653436227ead201e151b9614d6f2696a16d611240eec9f2

SHA512
33fc8dce029ce1442b20a6948c198666df9bdf7622b90ffb94700ab58101ca54aa87eb8013f1e79f1a4ca50f20c41141286a56d28298e86fa401b0cbd935cfee

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
7KB

MD5
810db2c3e098ac24cbcb203b3055b2ad

SHA1
5460fede999acb340854c429fb3dd338729c5482

SHA256
0785de3c23b36943e653436227ead201e151b9614d6f2696a16d611240eec9f2

SHA512
33fc8dce029ce1442b20a6948c198666df9bdf7622b90ffb94700ab58101ca54aa87eb8013f1e79f1a4ca50f20c41141286a56d28298e86fa401b0cbd935cfee

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
Filesize
739KB

MD5
4d3598646882b23eee497f413d1f7fb2

SHA1
368d6b9766b565dbd611a446921251fa65a2393c

SHA256
6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478

SHA512
52247a6279d998418d3192cc602d919744329bb9bf4f341b0e45e6fc7c9c6e70346f4ee37e77cb9c5171568cf4128d0ec59487dcbd3fa25ebdc83fea5fd29fdc

Download Submit
memory/268-1082-0x000000000048F888-mapping.dmp

Download
memory/268-1086-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/336-179-0x000000000048F888-mapping.dmp

Download
memory/336-183-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/432-624-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/432-620-0x000000000048F888-mapping.dmp

Download
memory/524-263-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/524-259-0x000000000048F888-mapping.dmp

Download
memory/548-399-0x000000000048F888-mapping.dmp

Download
memory/548-403-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/568-479-0x000000000048F888-mapping.dmp

Download
memory/568-483-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/584-1283-0x000000000048F888-mapping.dmp

Download
memory/588-1242-0x000000000048F888-mapping.dmp

Download
memory/624-539-0x000000000048F888-mapping.dmp

Download
memory/624-544-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-543-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-1202-0x000000000048F888-mapping.dmp

Download
memory/768-279-0x000000000048F888-mapping.dmp

Download
memory/768-283-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/776-1182-0x000000000048F888-mapping.dmp

Download
memory/800-343-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/800-339-0x000000000048F888-mapping.dmp

Download
memory/868-1162-0x000000000048F888-mapping.dmp

Download
memory/876-459-0x000000000048F888-mapping.dmp

Download
memory/876-463-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/908-86-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/908-117-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/908-107-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/908-77-0x0000000000000000-mapping.dmp

Download
memory/948-981-0x000000000048F888-mapping.dmp

Download
memory/948-985-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/952-961-0x000000000048F888-mapping.dmp

Download
memory/952-965-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-499-0x000000000048F888-mapping.dmp

Download
memory/972-503-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1028-644-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1028-640-0x000000000048F888-mapping.dmp

Download
memory/1052-740-0x000000000048F888-mapping.dmp

Download
memory/1052-744-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1052-745-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1116-921-0x000000000048F888-mapping.dmp

Download
memory/1116-925-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1120-825-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1120-821-0x000000000048F888-mapping.dmp

Download
memory/1164-801-0x000000000048F888-mapping.dmp

Download
memory/1164-805-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1200-1066-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1200-1062-0x000000000048F888-mapping.dmp

Download
memory/1244-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-72-0x000000000048F888-mapping.dmp

Download
memory/1244-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-85-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1244-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1300-113-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1300-102-0x000000000048F888-mapping.dmp

Download
memory/1300-105-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1300-106-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1324-82-0x0000000000000000-mapping.dmp

Download
memory/1344-223-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1344-219-0x000000000048F888-mapping.dmp

Download
memory/1348-945-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-941-0x000000000048F888-mapping.dmp

Download
memory/1360-684-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1360-680-0x000000000048F888-mapping.dmp

Download
memory/1392-379-0x000000000048F888-mapping.dmp

Download
memory/1392-383-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1420-761-0x000000000048F888-mapping.dmp

Download
memory/1420-765-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1484-239-0x000000000048F888-mapping.dmp

Download
memory/1484-243-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1496-865-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1496-861-0x000000000048F888-mapping.dmp

Download
memory/1508-704-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1508-700-0x000000000048F888-mapping.dmp

Download
memory/1512-423-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1512-419-0x000000000048F888-mapping.dmp

Download
memory/1540-110-0x0000000000000000-mapping.dmp

Download
memory/1540-114-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1540-115-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1568-1122-0x000000000048F888-mapping.dmp

Download
memory/1580-1106-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-1102-0x000000000048F888-mapping.dmp

Download
memory/1584-443-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1584-439-0x000000000048F888-mapping.dmp

Download
memory/1588-1042-0x000000000048F888-mapping.dmp

Download
memory/1588-1046-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-845-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-841-0x000000000048F888-mapping.dmp

Download
memory/1616-523-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1616-519-0x000000000048F888-mapping.dmp

Download
memory/1628-660-0x000000000048F888-mapping.dmp

Download
memory/1628-664-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1648-299-0x000000000048F888-mapping.dmp

Download
memory/1648-303-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1668-1142-0x000000000048F888-mapping.dmp

Download
memory/1676-319-0x000000000048F888-mapping.dmp

Download
memory/1676-323-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1692-203-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1692-199-0x000000000048F888-mapping.dmp

Download
memory/1704-1026-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1704-1022-0x000000000048F888-mapping.dmp

Download
memory/1708-901-0x000000000048F888-mapping.dmp

Download
memory/1708-905-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1716-580-0x000000000048F888-mapping.dmp

Download
memory/1716-584-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1780-1001-0x000000000048F888-mapping.dmp

Download
memory/1780-1005-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1780-1006-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1792-55-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-56-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-1222-0x000000000048F888-mapping.dmp

Download
memory/1792-116-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1800-720-0x000000000048F888-mapping.dmp

Download
memory/1800-724-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1804-885-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1804-881-0x000000000048F888-mapping.dmp

Download
memory/1828-1263-0x000000000048F888-mapping.dmp

Download
memory/1840-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1840-133-0x000000000048F888-mapping.dmp

Download
memory/1940-564-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1940-560-0x000000000048F888-mapping.dmp

Download
memory/1960-162-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1960-138-0x0000000000000000-mapping.dmp

Download
memory/2028-163-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2028-158-0x000000000048F888-mapping.dmp

Download
memory/2032-600-0x000000000048F888-mapping.dmp

Download
memory/2032-604-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-359-0x000000000048F888-mapping.dmp

Download
memory/2036-363-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-785-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-781-0x000000000048F888-mapping.dmp

Download