darkcomet | f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377

Analysis

max time kernel
151s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
Size

1.3MB
MD5

15d9a62c514046f4f05f8ee4e37f64ce
SHA1

386d2cf3986f961e023f48ff1617f5c9b627ba98
SHA256

f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377
SHA512

9280a47f581da7a9f665ddee4fdfff478e005543b11faf4e30a867ca0712496e8ea16a77b6fa39ef5c682bc765022b2355c07d7991f868ea2d5b3f294227179c
SSDEEP

24576:nxmpirBc+MjsNXZaQIGrIftUJFU7faIhyrRBYonc0:gpyBc1INZaQIG0lUJiaIh

Score

10^/10

darkcomet victim evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victim

camohomopopper.no-ip.biz:55152

camohomohopper.no-ip.biz:55151

Mutex

DC_MUTEX-FY6YKFW

Attributes

gencode
mfXATs7kpnnT
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 3 IoCs

pid	Process
1836	IpOverUsbSvrc.exe
676	Acctres.exe
1600	IpOverUsbSvrc.exe

Sets file to hidden 1 TTPs 9 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
2016	attrib.exe
1368	attrib.exe
1364	attrib.exe
1116	attrib.exe
1556	attrib.exe
484	attrib.exe
568	attrib.exe
1296	attrib.exe
1668	attrib.exe

Loads dropped DLL 2 IoCs

pid	Process
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1836	IpOverUsbSvrc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1552 set thread context of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 676 set thread context of 1636	676	Acctres.exe	55
PID 676 set thread context of 1652	676	Acctres.exe	56
PID 676 set thread context of 2020	676	Acctres.exe	57
PID 676 set thread context of 1580	676	Acctres.exe	58
PID 676 set thread context of 564	676	Acctres.exe	59
PID 676 set thread context of 1996	676	Acctres.exe	60
PID 676 set thread context of 1940	676	Acctres.exe	62
PID 676 set thread context of 2008	676	Acctres.exe	63
PID 676 set thread context of 808	676	Acctres.exe	64
PID 676 set thread context of 844	676	Acctres.exe	65
PID 676 set thread context of 2036	676	Acctres.exe	66
PID 676 set thread context of 988	676	Acctres.exe	67
PID 676 set thread context of 1724	676	Acctres.exe	68
PID 676 set thread context of 1332	676	Acctres.exe	69
PID 676 set thread context of 1668	676	Acctres.exe	70
PID 676 set thread context of 536	676	Acctres.exe	71
PID 676 set thread context of 1116	676	Acctres.exe	72
PID 676 set thread context of 1744	676	Acctres.exe	73
PID 676 set thread context of 1308	676	Acctres.exe	74
PID 676 set thread context of 1932	676	Acctres.exe	75
PID 676 set thread context of 1808	676	Acctres.exe	76
PID 676 set thread context of 1620	676	Acctres.exe	77
PID 676 set thread context of 472	676	Acctres.exe	78
PID 676 set thread context of 1488	676	Acctres.exe	80
PID 676 set thread context of 1036	676	Acctres.exe	81
PID 676 set thread context of 1584	676	Acctres.exe	82
PID 676 set thread context of 1952	676	Acctres.exe	83
PID 676 set thread context of 1960	676	Acctres.exe	84
PID 676 set thread context of 1556	676	Acctres.exe	85
PID 676 set thread context of 1900	676	Acctres.exe	86
PID 676 set thread context of 1788	676	Acctres.exe	87
PID 676 set thread context of 700	676	Acctres.exe	88
PID 676 set thread context of 1912	676	Acctres.exe	89
PID 676 set thread context of 1468	676	Acctres.exe	90
PID 676 set thread context of 1000	676	Acctres.exe	91
PID 676 set thread context of 1276	676	Acctres.exe	92
PID 676 set thread context of 836	676	Acctres.exe	93
PID 676 set thread context of 1296	676	Acctres.exe	94
PID 676 set thread context of 1728	676	Acctres.exe	95
PID 676 set thread context of 1616	676	Acctres.exe	96
PID 676 set thread context of 1984	676	Acctres.exe	97
PID 676 set thread context of 1372	676	Acctres.exe	99
PID 676 set thread context of 112	676	Acctres.exe	100
PID 676 set thread context of 892	676	Acctres.exe	101
PID 676 set thread context of 984	676	Acctres.exe	102
PID 676 set thread context of 2024	676	Acctres.exe	103
PID 676 set thread context of 320	676	Acctres.exe	104
PID 676 set thread context of 364	676	Acctres.exe	105
PID 676 set thread context of 568	676	Acctres.exe	106
PID 676 set thread context of 2136	676	Acctres.exe	107
PID 676 set thread context of 2228	676	Acctres.exe	108
PID 676 set thread context of 2320	676	Acctres.exe	109
PID 676 set thread context of 2412	676	Acctres.exe	110
PID 676 set thread context of 2504	676	Acctres.exe	111
PID 676 set thread context of 2596	676	Acctres.exe	112
PID 676 set thread context of 2688	676	Acctres.exe	113
PID 676 set thread context of 2784	676	Acctres.exe	114
PID 676 set thread context of 2876	676	Acctres.exe	115
PID 676 set thread context of 2968	676	Acctres.exe	116
PID 676 set thread context of 3060	676	Acctres.exe	117
PID 676 set thread context of 2128	676	Acctres.exe	118
PID 676 set thread context of 2236	676	Acctres.exe	119
PID 676 set thread context of 2336	676	Acctres.exe	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
1000	PING.EXE
1112	PING.EXE
540	PING.EXE
960	PING.EXE
1784	PING.EXE
1952	PING.EXE
1832	PING.EXE
1260	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1836	IpOverUsbSvrc.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1836	IpOverUsbSvrc.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1836	IpOverUsbSvrc.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1836	IpOverUsbSvrc.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1836	IpOverUsbSvrc.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1836	IpOverUsbSvrc.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
676	Acctres.exe
676	Acctres.exe
676	Acctres.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
Token: SeIncreaseQuotaPrivilege	1480	vbc.exe
Token: SeSecurityPrivilege	1480	vbc.exe
Token: SeTakeOwnershipPrivilege	1480	vbc.exe
Token: SeLoadDriverPrivilege	1480	vbc.exe
Token: SeSystemProfilePrivilege	1480	vbc.exe
Token: SeSystemtimePrivilege	1480	vbc.exe
Token: SeProfSingleProcessPrivilege	1480	vbc.exe
Token: SeIncBasePriorityPrivilege	1480	vbc.exe
Token: SeCreatePagefilePrivilege	1480	vbc.exe
Token: SeBackupPrivilege	1480	vbc.exe
Token: SeRestorePrivilege	1480	vbc.exe
Token: SeShutdownPrivilege	1480	vbc.exe
Token: SeDebugPrivilege	1480	vbc.exe
Token: SeSystemEnvironmentPrivilege	1480	vbc.exe
Token: SeChangeNotifyPrivilege	1480	vbc.exe
Token: SeRemoteShutdownPrivilege	1480	vbc.exe
Token: SeUndockPrivilege	1480	vbc.exe
Token: SeManageVolumePrivilege	1480	vbc.exe
Token: SeImpersonatePrivilege	1480	vbc.exe
Token: SeCreateGlobalPrivilege	1480	vbc.exe
Token: 33	1480	vbc.exe
Token: 34	1480	vbc.exe
Token: 35	1480	vbc.exe
Token: SeIncreaseQuotaPrivilege	1600	WMIC.exe
Token: SeSecurityPrivilege	1600	WMIC.exe
Token: SeTakeOwnershipPrivilege	1600	WMIC.exe
Token: SeLoadDriverPrivilege	1600	WMIC.exe
Token: SeSystemProfilePrivilege	1600	WMIC.exe
Token: SeSystemtimePrivilege	1600	WMIC.exe
Token: SeProfSingleProcessPrivilege	1600	WMIC.exe
Token: SeIncBasePriorityPrivilege	1600	WMIC.exe
Token: SeCreatePagefilePrivilege	1600	WMIC.exe
Token: SeBackupPrivilege	1600	WMIC.exe
Token: SeRestorePrivilege	1600	WMIC.exe
Token: SeShutdownPrivilege	1600	WMIC.exe
Token: SeDebugPrivilege	1600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1600	WMIC.exe
Token: SeRemoteShutdownPrivilege	1600	WMIC.exe
Token: SeUndockPrivilege	1600	WMIC.exe
Token: SeManageVolumePrivilege	1600	WMIC.exe
Token: 33	1600	WMIC.exe
Token: 34	1600	WMIC.exe
Token: 35	1600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1600	WMIC.exe
Token: SeSecurityPrivilege	1600	WMIC.exe
Token: SeTakeOwnershipPrivilege	1600	WMIC.exe
Token: SeLoadDriverPrivilege	1600	WMIC.exe
Token: SeSystemProfilePrivilege	1600	WMIC.exe
Token: SeSystemtimePrivilege	1600	WMIC.exe
Token: SeProfSingleProcessPrivilege	1600	WMIC.exe
Token: SeIncBasePriorityPrivilege	1600	WMIC.exe
Token: SeCreatePagefilePrivilege	1600	WMIC.exe
Token: SeBackupPrivilege	1600	WMIC.exe
Token: SeRestorePrivilege	1600	WMIC.exe
Token: SeShutdownPrivilege	1600	WMIC.exe
Token: SeDebugPrivilege	1600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1600	WMIC.exe
Token: SeRemoteShutdownPrivilege	1600	WMIC.exe
Token: SeUndockPrivilege	1600	WMIC.exe
Token: SeManageVolumePrivilege	1600	WMIC.exe
Token: 33	1600	WMIC.exe
Token: 34	1600	WMIC.exe
Token: 35	1600	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1480	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 524	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	26
PID 1552 wrote to memory of 524	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	26
PID 1552 wrote to memory of 524	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	26
PID 1552 wrote to memory of 524	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	26
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 524 wrote to memory of 568	524	cmd.exe	29
PID 524 wrote to memory of 568	524	cmd.exe	29
PID 524 wrote to memory of 568	524	cmd.exe	29
PID 524 wrote to memory of 568	524	cmd.exe	29
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 524 wrote to memory of 2016	524	cmd.exe	30
PID 524 wrote to memory of 2016	524	cmd.exe	30
PID 524 wrote to memory of 2016	524	cmd.exe	30
PID 524 wrote to memory of 2016	524	cmd.exe	30
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 524 wrote to memory of 1368	524	cmd.exe	31
PID 524 wrote to memory of 1368	524	cmd.exe	31
PID 524 wrote to memory of 1368	524	cmd.exe	31
PID 524 wrote to memory of 1368	524	cmd.exe	31
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 1552 wrote to memory of 1480	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	28
PID 524 wrote to memory of 1364	524	cmd.exe	32
PID 524 wrote to memory of 1364	524	cmd.exe	32
PID 524 wrote to memory of 1364	524	cmd.exe	32
PID 524 wrote to memory of 1364	524	cmd.exe	32
PID 524 wrote to memory of 1116	524	cmd.exe	33
PID 524 wrote to memory of 1116	524	cmd.exe	33
PID 524 wrote to memory of 1116	524	cmd.exe	33
PID 524 wrote to memory of 1116	524	cmd.exe	33
PID 524 wrote to memory of 1580	524	cmd.exe	34
PID 524 wrote to memory of 1580	524	cmd.exe	34
PID 524 wrote to memory of 1580	524	cmd.exe	34
PID 524 wrote to memory of 1580	524	cmd.exe	34
PID 524 wrote to memory of 1600	524	cmd.exe	35
PID 524 wrote to memory of 1600	524	cmd.exe	35
PID 524 wrote to memory of 1600	524	cmd.exe	35
PID 524 wrote to memory of 1600	524	cmd.exe	35
PID 524 wrote to memory of 564	524	cmd.exe	36
PID 524 wrote to memory of 564	524	cmd.exe	36
PID 524 wrote to memory of 564	524	cmd.exe	36
PID 524 wrote to memory of 564	524	cmd.exe	36
PID 1552 wrote to memory of 1836	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	37
PID 1552 wrote to memory of 1836	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	37
PID 1552 wrote to memory of 1836	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	37
PID 1552 wrote to memory of 1836	1552	f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe	37
PID 524 wrote to memory of 1668	524	cmd.exe	39
PID 524 wrote to memory of 1668	524	cmd.exe	39
PID 524 wrote to memory of 1668	524	cmd.exe	39
PID 524 wrote to memory of 1668	524	cmd.exe	39
PID 524 wrote to memory of 784	524	cmd.exe	40
PID 524 wrote to memory of 784	524	cmd.exe	40
PID 524 wrote to memory of 784	524	cmd.exe	40
PID 524 wrote to memory of 784	524	cmd.exe	40
PID 524 wrote to memory of 1124	524	cmd.exe	41
PID 524 wrote to memory of 1124	524	cmd.exe	41
PID 524 wrote to memory of 1124	524	cmd.exe	41

Views/modifies file attributes 1 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1364	attrib.exe
1116	attrib.exe
1668	attrib.exe
784	attrib.exe
484	attrib.exe
1296	attrib.exe
568	attrib.exe
2016	attrib.exe
1368	attrib.exe
1580	attrib.exe
1124	attrib.exe
2004	attrib.exe
1556	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe
"C:\Users\Admin\AppData\Local\Temp\f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\A9823473.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Roaming\A9823473.bat +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:568
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2016
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1368
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1364
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Roaming\dclogs +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1116
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\check.txt -s -h
    3⤵
    - Views/modifies file attributes
    PID:1580
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process where name="cmd.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\SysWOW64\find.exe
    find "cmd" /c
    3⤵
    PID:564
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\check.txt +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1668
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\74658463.vbs -s -h
    3⤵
    - Views/modifies file attributes
    PID:784
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\982365827.vbs -s -h
    3⤵
    - Views/modifies file attributes
    PID:1124
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\749465939.vbs -s -h
    3⤵
    - Views/modifies file attributes
    PID:2004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74658463.vbs"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\74658463.vbs +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\982365827.vbs +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:484
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Users\Admin\AppData\Local\Temp\749465939.vbs +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1296
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 15 -w 1000
    3⤵
    - Runs ping.exe
    PID:960
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 4 -w 1000
    3⤵
    - Runs ping.exe
    PID:1784
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 4 -w 1000
    3⤵
    - Runs ping.exe
    PID:1952
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 4 -w 1000
    3⤵
    - Runs ping.exe
    PID:1832
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 4 -w 1000
    3⤵
    - Runs ping.exe
    PID:1260
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 4 -w 1000
    3⤵
    - Runs ping.exe
    PID:1000
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 4 -w 1000
    3⤵
    - Runs ping.exe
    PID:1112
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5 -w 1000
    3⤵
    - Runs ping.exe
    PID:540
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1636
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1580
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1332
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1116
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1308
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:472
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1488
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1584
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1952
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1556
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1900
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1788
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1912
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1468
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:836
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1616
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1984
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:112
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:892
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:984
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2024
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:320
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:364
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2228
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2320
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2412
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2504
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2596
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2688
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2784
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2876
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2128
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2432
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2732
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2832
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2112
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2344
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2452
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2560
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2792
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2896
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3012
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2208
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2332
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2468
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3028
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2148
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2076
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2192
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2348
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2840
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2984
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2224
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2952
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1212
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1888
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:688
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2476
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2548
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2764
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2444
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1472
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2304
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1752
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2888
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2740
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2912
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2164
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2404
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2572
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1892
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:800
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2488
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3056
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2756
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2576
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2900
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2252
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2752
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1644
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2188
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1464
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2648
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2376
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2120
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2860
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2052
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2408
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2256
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2588
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2364
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2260
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3704
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3796
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3888
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3980
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4072
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3344
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3548
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3644
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4044
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3116
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3224
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3456
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3780
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3896
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4004
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3204
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3320
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3452
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3572
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4052
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3576
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3840
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2604
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3252
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3660
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:2500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3256
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3404
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3552
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4032
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3184
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3364
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3196
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3604
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3760
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3928
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3308
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3360
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3952
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:1716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3468
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3584
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3420
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3756
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3476
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3836
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3596
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3900
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3496
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4024
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3628
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3860
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4084
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3788
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3124
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3280
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3128
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3688
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3288
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:3372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4448
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:5000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:5092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4256
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4364
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4464
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4764
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:5064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4352
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4584
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4800
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:5020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4224
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4456
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4588
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4708
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:5072
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4300
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4556
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:5088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4204
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4348
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4504
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:5080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4200
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4688
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:5008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4124
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4492
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4844
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74658463.vbs

Filesize
406B

MD5
89003d310490411cda7137d2759272ea

SHA1
c64d76a6e3bb32008a8fd13ba3b40da95a87eac1

SHA256
08ac0c196ca9bbd3e1790916b873391e58b644ffe260c8b7502dbc46b23420ec

SHA512
dc13671a3d04ec48fea7869b74caa267a1a53ff455015be403b69cf247569fb2955b9a92427ded90e5ab6efa935a1fc04dc6f6345cd20cd1c53a6f371ea29959

Download Submit
C:\Users\Admin\AppData\Local\Temp\749465939.vbs

Filesize
82B

MD5
2fa700a503431c22ab8b7fb8741b5866

SHA1
9a2d4b762940627623b2559332334ac01c93b306

SHA256
07f1a23f7fc5f8bdc865fd782d7c9d520f21e665fb797f4158fc42614f67acf1

SHA512
38fe63abc2371d8668063bff9134239b3f7be3d1ee307160294fd38642c5448a86749c65c034b90667599aae8ad17ac65a8151bf55ea7cf25385884c0acb44ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\982365827.vbs

Filesize
86B

MD5
b5e28c9e2c8fe8e090dff1d681b16879

SHA1
ad276939f9297392e9200f1a489dc01f984c407f

SHA256
94c9858b6251e0d1c915fecaa70ba499e885f7c5a40a39209abf7d4a54384663

SHA512
0e3bb85e98bf40714fc591c2041a302132fc1ecc613255ed339ab9f71757ef224cced54787f6ed35ea04912f49c14a81921c558fd19257a8a150e72da15cb324

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Roaming\A9823473.bat

Filesize
22KB

MD5
09bf5dc61147dd9cd83b45d689878360

SHA1
ea8629599471938123acc407ad3f6caa83eb4868

SHA256
4f3c489bcbc7dad7fd1b7d6b9c895e70fa883d510a8975175d26c6ea84c371f3

SHA512
9496f84188efd27fdc1ebdf55a36976e53f955702a8000f90d935072ec3d76629e4f83477024b72e44c8b94ed8079b95353a50c32d51114e5588a1336535aded

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.3MB

MD5
15d9a62c514046f4f05f8ee4e37f64ce

SHA1
386d2cf3986f961e023f48ff1617f5c9b627ba98

SHA256
f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377

SHA512
9280a47f581da7a9f665ddee4fdfff478e005543b11faf4e30a867ca0712496e8ea16a77b6fa39ef5c682bc765022b2355c07d7991f868ea2d5b3f294227179c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.3MB

MD5
15d9a62c514046f4f05f8ee4e37f64ce

SHA1
386d2cf3986f961e023f48ff1617f5c9b627ba98

SHA256
f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377

SHA512
9280a47f581da7a9f665ddee4fdfff478e005543b11faf4e30a867ca0712496e8ea16a77b6fa39ef5c682bc765022b2355c07d7991f868ea2d5b3f294227179c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe

Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe

Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe

Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.3MB

MD5
15d9a62c514046f4f05f8ee4e37f64ce

SHA1
386d2cf3986f961e023f48ff1617f5c9b627ba98

SHA256
f708ba4649d77f880a8802709642fe5dc226aaa6be3a597aaabfd05b0ab3f377

SHA512
9280a47f581da7a9f665ddee4fdfff478e005543b11faf4e30a867ca0712496e8ea16a77b6fa39ef5c682bc765022b2355c07d7991f868ea2d5b3f294227179c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe

Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
memory/112-981-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/320-1057-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/364-1076-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/472-588-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/472-583-0x000000000048F888-mapping.dmp

Download
memory/484-102-0x0000000000000000-mapping.dmp

Download
memory/524-57-0x0000000000000000-mapping.dmp

Download
memory/536-443-0x000000000048F888-mapping.dmp

Download
memory/536-447-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-87-0x0000000000000000-mapping.dmp

Download
memory/564-222-0x000000000048F888-mapping.dmp

Download
memory/564-226-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/568-62-0x0000000000000000-mapping.dmp

Download
memory/568-1095-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/676-112-0x0000000000000000-mapping.dmp

Download
memory/676-115-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/676-119-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/700-768-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/700-764-0x000000000048F888-mapping.dmp

Download
memory/784-94-0x0000000000000000-mapping.dmp

Download
memory/808-307-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/808-303-0x000000000048F888-mapping.dmp

Download
memory/836-867-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/844-327-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/844-323-0x000000000048F888-mapping.dmp

Download
memory/892-1000-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/960-106-0x0000000000000000-mapping.dmp

Download
memory/984-1019-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/988-367-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/988-363-0x000000000048F888-mapping.dmp

Download
memory/1000-828-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1000-246-0x0000000000000000-mapping.dmp

Download
memory/1000-824-0x000000000048F888-mapping.dmp

Download
memory/1036-624-0x000000000048F888-mapping.dmp

Download
memory/1036-628-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-587-0x0000000000000000-mapping.dmp

Download
memory/1116-463-0x000000000048F888-mapping.dmp

Download
memory/1116-467-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1116-83-0x0000000000000000-mapping.dmp

Download
memory/1124-95-0x0000000000000000-mapping.dmp

Download
memory/1260-120-0x0000000000000000-mapping.dmp

Download
memory/1276-844-0x000000000048F888-mapping.dmp

Download
memory/1276-848-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1296-104-0x0000000000000000-mapping.dmp

Download
memory/1296-886-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1308-503-0x000000000048F888-mapping.dmp

Download
memory/1308-507-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-403-0x000000000048F888-mapping.dmp

Download
memory/1332-407-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1364-81-0x0000000000000000-mapping.dmp

Download
memory/1368-76-0x0000000000000000-mapping.dmp

Download
memory/1372-962-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1468-808-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1468-804-0x000000000048F888-mapping.dmp

Download
memory/1480-107-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-109-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1480-78-0x000000000048F888-mapping.dmp

Download
memory/1480-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1488-604-0x000000000048F888-mapping.dmp

Download
memory/1488-608-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1552-56-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-55-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1556-99-0x0000000000000000-mapping.dmp

Download
memory/1556-708-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1556-704-0x000000000048F888-mapping.dmp

Download
memory/1580-85-0x0000000000000000-mapping.dmp

Download
memory/1580-202-0x000000000048F888-mapping.dmp

Download
memory/1580-206-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1584-648-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1584-644-0x000000000048F888-mapping.dmp

Download
memory/1600-1096-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-125-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-122-0x0000000000000000-mapping.dmp

Download
memory/1600-86-0x0000000000000000-mapping.dmp

Download
memory/1616-924-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1620-567-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1620-563-0x000000000048F888-mapping.dmp

Download
memory/1636-146-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1636-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1636-141-0x000000000048F888-mapping.dmp

Download
memory/1652-162-0x000000000048F888-mapping.dmp

Download
memory/1652-166-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1668-423-0x000000000048F888-mapping.dmp

Download
memory/1668-427-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1668-92-0x0000000000000000-mapping.dmp

Download
memory/1724-383-0x000000000048F888-mapping.dmp

Download
memory/1724-387-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-905-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1744-483-0x000000000048F888-mapping.dmp

Download
memory/1744-487-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1784-116-0x0000000000000000-mapping.dmp

Download
memory/1788-748-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1788-744-0x000000000048F888-mapping.dmp

Download
memory/1808-547-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1808-543-0x000000000048F888-mapping.dmp

Download
memory/1832-118-0x0000000000000000-mapping.dmp

Download
memory/1836-110-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1836-89-0x0000000000000000-mapping.dmp

Download
memory/1836-121-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1836-108-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1844-98-0x0000000000000000-mapping.dmp

Download
memory/1900-724-0x000000000048F888-mapping.dmp

Download
memory/1900-728-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1912-784-0x000000000048F888-mapping.dmp

Download
memory/1912-788-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1932-523-0x000000000048F888-mapping.dmp

Download
memory/1932-527-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1940-263-0x000000000048F888-mapping.dmp

Download
memory/1940-267-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1952-664-0x000000000048F888-mapping.dmp

Download
memory/1952-117-0x0000000000000000-mapping.dmp

Download
memory/1952-668-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1960-688-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1960-684-0x000000000048F888-mapping.dmp

Download
memory/1984-943-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1996-242-0x000000000048F888-mapping.dmp

Download
memory/1996-247-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2004-96-0x0000000000000000-mapping.dmp

Download
memory/2008-287-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2008-283-0x000000000048F888-mapping.dmp

Download
memory/2016-71-0x0000000000000000-mapping.dmp

Download
memory/2020-186-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2020-182-0x000000000048F888-mapping.dmp

Download
memory/2024-1038-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2036-343-0x000000000048F888-mapping.dmp

Download
memory/2036-347-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2136-1115-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2228-1134-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2320-1153-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download