fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7

Analysis

max time kernel
51s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
Size

868KB
MD5

d419bae96cbc8ca22f5dc4462f8a6ca3
SHA1

786b5a894aa05a6d10eee9a42997eea18265d8af
SHA256

fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7
SHA512

3e6a4081c8471d0fc50f66cdb16d14c36fd942625af16dce716191d76769db84f426a3ff78f92efdb9ef497dc6bf6e9522d8b1981e83ceac7865b2672dc3b134
SSDEEP

12288:O0anuaIFAQHh+xk283kP5NE0fC/mtuwdEncMvsFw+USLFucawSiB4ivzjIjO:OjNIFbkxT5NE0fXtbEn3ewoGwSinfs

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
1320	temp.exe
1344	temp.exe
1960	temp.exe
1572	temp.exe
1612	temp.exe
732	cvtres.exe
676	temp.exe
1084	temp.exe
2168	temp.exe
2376	temp.exe
2552	temp.exe
2760	temp.exe
2968	temp.exe
2136	temp.exe
2224	temp.exe
2708	temp.exe
2600	temp.exe
3040	temp.exe
2492	temp.exe
2564	temp.exe
3036	vbc.exe
2300	temp.exe
3016	temp.exe
2944	temp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 1320	936	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	28
PID 936 wrote to memory of 1320	936	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	28
PID 936 wrote to memory of 1320	936	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	28
PID 936 wrote to memory of 1332	936	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	98
PID 936 wrote to memory of 1332	936	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	98
PID 936 wrote to memory of 1332	936	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	98
PID 1320 wrote to memory of 1016	1320	temp.exe	96
PID 1320 wrote to memory of 1016	1320	temp.exe	96
PID 1320 wrote to memory of 1016	1320	temp.exe	96
PID 1320 wrote to memory of 648	1320	temp.exe	32
PID 1320 wrote to memory of 648	1320	temp.exe	32
PID 1320 wrote to memory of 648	1320	temp.exe	32
PID 1332 wrote to memory of 700	1332	dw20.exe	49
PID 1332 wrote to memory of 700	1332	dw20.exe	49
PID 1332 wrote to memory of 700	1332	dw20.exe	49
PID 1016 wrote to memory of 1644	1016	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	161
PID 1016 wrote to memory of 1644	1016	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	161
PID 1016 wrote to memory of 1644	1016	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	161
PID 1320 wrote to memory of 1344	1320	temp.exe	36
PID 1320 wrote to memory of 1344	1320	temp.exe	36
PID 1320 wrote to memory of 1344	1320	temp.exe	36
PID 936 wrote to memory of 532	936	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	35
PID 936 wrote to memory of 532	936	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	35
PID 936 wrote to memory of 532	936	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	35
PID 1344 wrote to memory of 1160	1344	temp.exe	43
PID 1344 wrote to memory of 1160	1344	temp.exe	43
PID 1344 wrote to memory of 1160	1344	temp.exe	43
PID 532 wrote to memory of 1092	532	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	39
PID 532 wrote to memory of 1092	532	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	39
PID 532 wrote to memory of 1092	532	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	39
PID 1344 wrote to memory of 1132	1344	temp.exe	38
PID 1344 wrote to memory of 1132	1344	temp.exe	38
PID 1344 wrote to memory of 1132	1344	temp.exe	38
PID 532 wrote to memory of 776	532	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	42
PID 532 wrote to memory of 776	532	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	42
PID 532 wrote to memory of 776	532	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	42
PID 1132 wrote to memory of 988	1132	vbc.exe	47
PID 1132 wrote to memory of 988	1132	vbc.exe	47
PID 1132 wrote to memory of 988	1132	vbc.exe	47
PID 776 wrote to memory of 1684	776	vbc.exe	44
PID 776 wrote to memory of 1684	776	vbc.exe	44
PID 776 wrote to memory of 1684	776	vbc.exe	44
PID 1344 wrote to memory of 1960	1344	temp.exe	46
PID 1344 wrote to memory of 1960	1344	temp.exe	46
PID 1344 wrote to memory of 1960	1344	temp.exe	46
PID 532 wrote to memory of 1036	532	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	45
PID 532 wrote to memory of 1036	532	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	45
PID 532 wrote to memory of 1036	532	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	45
PID 1036 wrote to memory of 1544	1036	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	48
PID 1036 wrote to memory of 1544	1036	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	48
PID 1036 wrote to memory of 1544	1036	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	48
PID 1960 wrote to memory of 700	1960	temp.exe	49
PID 1960 wrote to memory of 700	1960	temp.exe	49
PID 1960 wrote to memory of 700	1960	temp.exe	49
PID 1036 wrote to memory of 676	1036	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	84
PID 1036 wrote to memory of 676	1036	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	84
PID 1036 wrote to memory of 676	1036	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	84
PID 1960 wrote to memory of 1632	1960	temp.exe	272
PID 1960 wrote to memory of 1632	1960	temp.exe	272
PID 1960 wrote to memory of 1632	1960	temp.exe	272
PID 676 wrote to memory of 1784	676	temp.exe	60
PID 676 wrote to memory of 1784	676	temp.exe	60
PID 676 wrote to memory of 1784	676	temp.exe	60
PID 1036 wrote to memory of 2036	1036	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	65

C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
"C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Roaming\temp.exe
  "C:\Users\Admin\AppData\Roaming\temp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vpih6d4y.cmdline"
    3⤵
    PID:1016
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E59.tmp"
      4⤵
      PID:1644
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 436
    3⤵
    PID:648
- - C:\Users\Admin\AppData\Roaming\temp.exe
    C:\Users\Admin\AppData\Roaming\temp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqs4k9a-.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES425F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc424F.tmp"
        5⤵
        
        PID:988
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 428
      4⤵
      PID:1160
  - - C:\Users\Admin\AppData\Roaming\temp.exe
      C:\Users\Admin\AppData\Roaming\temp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        5⤵
        
        PID:700
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hmdsgvpd.cmdline"
        5⤵
        
        PID:1632
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES481A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4819.tmp"
        6⤵
        
        PID:1004
    - - C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        5⤵
        Executes dropped EXE
        
        PID:1572
      - C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        6⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        7⤵
        
        PID:1620
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n7znvby5.cmdline"
        7⤵
        
        PID:1644
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77A1.tmp"
        8⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        7⤵
        
        PID:732
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xh9jvdxj.cmdline"
        8⤵
        
        PID:1348
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C72.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C71.tmp"
        9⤵
        
        PID:1720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        8⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        9⤵
        
        PID:932
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aiajfr38.cmdline"
        9⤵
        
        PID:1508
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82B8.tmp"
        10⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        9⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gr_obhd9.cmdline"
        10⤵
        
        PID:1444
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A75.tmp"
        11⤵
        
        PID:2128
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        10⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        10⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qctjpdbv.cmdline"
        11⤵
        
        PID:2268
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90CB.tmp"
        12⤵
        
        PID:2364
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        11⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        11⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        12⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a6utzubc.cmdline"
        12⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98B8.tmp"
        13⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        12⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smfipma3.cmdline"
        13⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA18F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA18E.tmp"
        14⤵
        
        PID:2748
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        13⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        13⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nkh_nfob.cmdline"
        14⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA44.tmp"
        15⤵
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        14⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        14⤵
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        15⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihbmc68i.cmdline"
        15⤵
        
        PID:1304
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2DC.tmp"
        16⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        15⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i6jdifcg.cmdline"
        16⤵
        
        PID:2148
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA7A.tmp"
        17⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        16⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        16⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\atvphpsr.cmdline"
        17⤵
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1CA.tmp"
        18⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        17⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        17⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        18⤵
        
        PID:2820
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xswvwmmt.cmdline"
        18⤵
        
        PID:2664
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC757.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC756.tmp"
        19⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        18⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        19⤵
        
        PID:2724
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o6labgox.cmdline"
        19⤵
        
        PID:2852
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD4F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD4E.tmp"
        20⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        19⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        20⤵
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wy4nv8fz.cmdline"
        20⤵
        
        PID:2300
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3D4.tmp"
        21⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        20⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        21⤵
        
        PID:2644
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ggpisip.cmdline"
        21⤵
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA68.tmp"
        22⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        21⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zf_kadk3.cmdline"
        22⤵
        
        PID:652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0DE.tmp"
        23⤵
        
        PID:1356
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        22⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        22⤵
        
        PID:3036
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        23⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sq7ydprr.cmdline"
        23⤵
        
        PID:2508
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE745.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE744.tmp"
        24⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        23⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        24⤵
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\optoplq3.cmdline"
        24⤵
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE36.tmp"
        25⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        24⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ibvp756v.cmdline"
        25⤵
        
        PID:2412
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF662.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF661.tmp"
        26⤵
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        25⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        25⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9hjtrfrl.cmdline"
        26⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC4A.tmp"
        27⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        26⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        26⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4uumpran.cmdline"
        27⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES447.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc446.tmp"
        28⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        27⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        27⤵
        
        PID:1928
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        28⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvydfmyo.cmdline"
        28⤵
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAC.tmp"
        29⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        28⤵
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6vjf0mmt.cmdline"
        29⤵
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12A8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12A7.tmp"
        30⤵
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        29⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        29⤵
        
        PID:2988
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        30⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akjncnhy.cmdline"
        30⤵
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18A0.tmp"
        31⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        30⤵
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wpe-4wqu.cmdline"
        31⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FD1.tmp"
        32⤵
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        31⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        31⤵
        
        PID:2664
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        32⤵
        
        PID:2356
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eagu6utd.cmdline"
        32⤵
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2609.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2608.tmp"
        33⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        32⤵
        
        PID:1068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7qpdmohn.cmdline"
        33⤵
        
        PID:2912
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DC5.tmp"
        34⤵
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        33⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        33⤵
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        34⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mwuaeycy.cmdline"
        34⤵
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34C7.tmp"
        35⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        34⤵
        
        PID:952
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c1rc1lrr.cmdline"
        35⤵
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C17.tmp"
        36⤵
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        35⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        35⤵
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        36⤵
        
        PID:732
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\47dtxm98.cmdline"
        36⤵
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES429E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc429D.tmp"
        37⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        36⤵
        
        PID:552
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2hbgsqbu.cmdline"
        37⤵
        
        PID:2796
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc49ED.tmp"
        38⤵
        
        PID:2560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        37⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        37⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        38⤵
        
        PID:2380
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2jogbs2p.cmdline"
        38⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES512E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc512D.tmp"
        39⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        38⤵
        
        PID:1832
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmx4m-5n.cmdline"
        39⤵
        
        PID:2068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58DB.tmp"
        40⤵
        
        PID:2764
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        39⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        39⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        40⤵
        
        PID:2364
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bry0tysj.cmdline"
        40⤵
        
        PID:1340
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F8F.tmp"
        41⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        40⤵
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ldn6-sxz.cmdline"
        41⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6682.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6681.tmp"
        42⤵
        
        PID:1728
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        41⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        41⤵
        
        PID:2748
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        42⤵
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bhp6ytwx.cmdline"
        42⤵
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D54.tmp"
        43⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        42⤵
        
        PID:940
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bdjoi2nt.cmdline"
        43⤵
        
        PID:2436
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7570.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc756F.tmp"
        44⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        43⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        43⤵
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        44⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b9skibbh.cmdline"
        44⤵
        
        PID:2164
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C53.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C52.tmp"
        45⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        44⤵
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mx3mdvwa.cmdline"
        45⤵
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8393.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8392.tmp"
        46⤵
        
        PID:1440
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        45⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        45⤵
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        46⤵
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\urofm63k.cmdline"
        46⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES897D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc897C.tmp"
        47⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        46⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        47⤵
        
        PID:832
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\team6kmm.cmdline"
        47⤵
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES911B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc911A.tmp"
        48⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        47⤵
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        48⤵
        
        PID:2456
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ho9f8hxb.cmdline"
        48⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9781.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9780.tmp"
        49⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        48⤵
        
        PID:2656
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        49⤵
        
        PID:1352
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fnsrlbxq.cmdline"
        49⤵
        
        PID:812
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9DF5.tmp"
        50⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        49⤵
        
        PID:3036
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        50⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\crd9zeoo.cmdline"
        50⤵
        
        PID:2060
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA40E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA40D.tmp"
        51⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        50⤵
        
        PID:1076
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i_amocr2.cmdline"
        51⤵
        
        PID:1516
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB01.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB00.tmp"
        52⤵
        
        PID:1424
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        51⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        51⤵
        
        PID:1068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        52⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3lrwb2ch.cmdline"
        52⤵
        
        PID:1832
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB147.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB146.tmp"
        53⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        52⤵
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        53⤵
        
        PID:1548
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4chihxih.cmdline"
        53⤵
        
        PID:1400
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB897.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB896.tmp"
        54⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        53⤵
        
        PID:2540
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        54⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\74q8z9le.cmdline"
        54⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF2C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF2B.tmp"
        55⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        54⤵
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        55⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ziqnpd_z.cmdline"
        55⤵
        
        PID:2508
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC67C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC67B.tmp"
        56⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        55⤵
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        56⤵
        
        PID:1356
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8dlmd7v3.cmdline"
        56⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC26.tmp"
        57⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        56⤵
        
        PID:752
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        57⤵
        
        PID:1508
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c1mjfchx.cmdline"
        57⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2BB.tmp"
        58⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        57⤵
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        58⤵
        
        PID:2228
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xw4injrb.cmdline"
        58⤵
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB91.tmp"
        59⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        58⤵
        
        PID:2768
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        59⤵
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ojeprlvi.cmdline"
        59⤵
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE236.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE235.tmp"
        60⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        59⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        60⤵
        
        PID:2912
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ntnlsepq.cmdline"
        60⤵
        
        PID:2852
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc639.tmp"
        61⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        60⤵
        
        PID:1264
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\twt3ev1-.cmdline"
        61⤵
        
        PID:2920
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD79.tmp"
        62⤵
        
        PID:2068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        61⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        61⤵
        
        PID:1740
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        62⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9tqxp-9s.cmdline"
        62⤵
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1373.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1372.tmp"
        63⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        62⤵
        
        PID:1060
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        63⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1zzfrbfm.cmdline"
        63⤵
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B9D.tmp"
        64⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        63⤵
        
        PID:2060
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        64⤵
        
        PID:952
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kd5zx-yj.cmdline"
        64⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2271.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2270.tmp"
        65⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        64⤵
        
        PID:1340
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mli2jclu.cmdline"
        65⤵
        
        PID:1536
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2906.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2905.tmp"
        66⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        65⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        65⤵
        
        PID:1728
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        66⤵
        
        PID:2560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9f57ffnx.cmdline"
        66⤵
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FD8.tmp"
        67⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        66⤵
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rglopaug.cmdline"
        67⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc37E3.tmp"
        68⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        67⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        67⤵
        
        PID:2212
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbctssdy.cmdline"
        68⤵
        
        PID:2508
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E39.tmp"
        69⤵
        
        PID:1200
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        68⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        68⤵
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        69⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e6kroxk8.cmdline"
        69⤵
        
        PID:1440
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES458A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4589.tmp"
        70⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        69⤵
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        70⤵
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mu-jbedi.cmdline"
        70⤵
        
        PID:2460
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C4E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C4D.tmp"
        71⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        70⤵
        
        PID:1740
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7gttypwo.cmdline"
        71⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53EB.tmp"
        72⤵
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        71⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        71⤵
        
        PID:2764
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        72⤵
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fvqb6grh.cmdline"
        72⤵
        
        PID:2060
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A70.tmp"
        73⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        72⤵
        
        PID:2808
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xnuzcfkw.cmdline"
        73⤵
        
        PID:2576
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60D7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60D6.tmp"
        74⤵
        
        PID:2740
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        73⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        73⤵
        
        PID:316
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        74⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dujui_h8.cmdline"
        74⤵
        
        PID:952
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66DF.tmp"
        75⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        74⤵
        
        PID:1596
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rto_rnlo.cmdline"
        75⤵
        
        PID:876
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DF1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6DF0.tmp"
        76⤵
        
        PID:2516
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        75⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        75⤵
        
        PID:2668
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        76⤵
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jxfuz675.cmdline"
        76⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7476.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7475.tmp"
        77⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        76⤵
        
        PID:2068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ku8z2nky.cmdline"
        77⤵
        
        PID:1552
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AAD.tmp"
        78⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        77⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        
        C:\Users\Admin\AppData\Roaming\temp.exe
        77⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        78⤵
        
        PID:3032
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kex8nv-w.cmdline"
        78⤵
        
        PID:876
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8114.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8113.tmp"
        79⤵
        
        PID:2892
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6nyxx9js.cmdline"
  2⤵
  PID:1332
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E39.tmp"
    3⤵
    PID:700
- C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
  C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 428
    3⤵
    PID:1092
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hul7oenf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4260.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc425E.tmp"
      4⤵
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
    C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 428
      4⤵
      PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
      C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
      4⤵
      PID:2036
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gqte1mdr.cmdline"
      4⤵
      PID:676

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4665.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4664.tmp"
1⤵
PID:1784

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 428
1⤵
PID:1392

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4-bbvq84.cmdline"
1⤵
PID:1300
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C4E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C4D.tmp"
  2⤵
  PID:1644

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 428
1⤵
PID:304

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vr2maj_f.cmdline"
1⤵
PID:1508
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C8B.tmp"
  2⤵
  PID:840

C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
1⤵
PID:1784
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 424
  2⤵
  PID:1104
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mei78ds9.cmdline"
  2⤵
  PID:952
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7763.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7762.tmp"
    3⤵
    PID:676
- C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
  C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
  2⤵
  PID:1752
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 428
    3⤵
    PID:1364
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0cs0zrep.cmdline"
    3⤵
    PID:1552
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C13.tmp"
      4⤵
      PID:816
- - C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
    C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
    3⤵
    PID:1868
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 424
      4⤵
      PID:268
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r-s6wnv0.cmdline"
      4⤵
      PID:1812
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES827A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8279.tmp"
        5⤵
        
        PID:616
  - - C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
      C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1332
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qwnb8jqz.cmdline"
        5⤵
        
        PID:1508
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES896D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc896C.tmp"
        6⤵
        
        PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        5⤵
        
        PID:2112
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        6⤵
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        6⤵
        
        PID:2340
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 432
        7⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yys23exh.cmdline"
        7⤵
        
        PID:2448
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES984B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc984A.tmp"
        8⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        7⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        8⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v_jdin9m.cmdline"
        8⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FC9.tmp"
        9⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        8⤵
        
        PID:2716
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        9⤵
        
        PID:2808
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nvzcwbnv.cmdline"
        9⤵
        
        PID:2832
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA852.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA842.tmp"
        10⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        9⤵
        
        PID:2904
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        10⤵
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m4eneyt8.cmdline"
        10⤵
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE4A.tmp"
        11⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        10⤵
        
        PID:1608
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        11⤵
        
        PID:1860
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\my5pjbwo.cmdline"
        11⤵
        
        PID:2108
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB647.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB646.tmp"
        12⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        11⤵
        
        PID:1644
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z7sajunr.cmdline"
        12⤵
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE41.tmp"
        13⤵
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        12⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        12⤵
        
        PID:2536
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        13⤵
        
        PID:1992
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfue2xcg.cmdline"
        13⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5EF.tmp"
        14⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        13⤵
        
        PID:2828
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        14⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i0gow8lx.cmdline"
        14⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBC8.tmp"
        15⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        14⤵
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        15⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0c17lbuw.cmdline"
        15⤵
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD30A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2F9.tmp"
        16⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        15⤵
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 428
        16⤵
        
        PID:2204
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gfsw-yko.cmdline"
        16⤵
        
        PID:2512
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD98F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD98E.tmp"
        17⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        16⤵
        
        PID:2456
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        17⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eg15xwbz.cmdline"
        17⤵
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE053.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE042.tmp"
        18⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        17⤵
        
        PID:1312
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 424
        18⤵
        
        PID:2820
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmum8qsl.cmdline"
        18⤵
        
        PID:3032
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5ED.tmp"
        19⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        
        C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
        18⤵
        
        PID:2976
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vyobhpta.cmdline"
        6⤵
        
        PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1568077605-5334758061466490486-14462595171291021776392636232-41918438-2119740843"
1⤵
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20049711343162238051970506502-1770221639-542810455111734617799897651-2099249643"
1⤵
PID:840

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES905F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc905E.tmp"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1150486413-129674010549405561-1515035576-206071024-38615246612924011821429404485"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1520271004615276790-28806506-507628994-2005951233-1473815209-1065540168-1819431812"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1424129934845498176-1630586738693662749817952024-964768517-146999052-87871751"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4661645321453610270-9831171181497309703-2995985011691683936392057984-1498974772"
1⤵
PID:2320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4865205815368514420104741131805742517-1938347458-1773534872113950075-225167426"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6779315121641356958930702000-14975694990108751097831051842823283681730594"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1835077500-16125740181786494070119902337-11883351131015237553-13587981521896753217"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1723276405962976128-152656829143023315411383295091962770574-21047358161922802967"
1⤵
PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1085725190-655387708-888491344-640251081-1929122080-621314356-1171542779-501121823"
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0cs0zrep.0.vb

Filesize
362KB

MD5
e8b2625fcda39a8e9ad84f2741287b03

SHA1
01157cd39ddf823f33d6c496adf5d8ebfd6b245e

SHA256
15a1e48526600daec1caaac801f407524690cc1b471dc7c47a5e0c340cf79927

SHA512
39dd027b776c9665b04770e4ad09ca729b0bc7ecfcf20129caf9bf8d5aa500ac6f9523769a81dbf6e30fc6d90550664f11fb177f10822dfccffb84ddf990e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cs0zrep.cmdline

Filesize
138B

MD5
c5de57f7b71a5737de5b26f73efb8b9e

SHA1
d57819d63edea1430019f0735d0d67b4986bc570

SHA256
6364a4b005ff447fcfdb474e44af74a16f02c3498d227448019c463096ff0e62

SHA512
820a51c6ea34b2636e57c54857b5f347de46e0f3a2d7ab480d0ab9475c9949e3d727206ded8776325b81cf6ba432565f1b2f58126778e0737ec0719a4b91a586

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cs0zrep.dll

Filesize
736KB

MD5
68cfb4319fb0c34c36c4f05f299696f3

SHA1
0183e7fa2260ecd3afd59425bc41617165f75e3f

SHA256
f007c56ce804f0d90ea6ad2de825940fb68a2461395c6db9754f7fa69b7f1b5b

SHA512
d82949355b90162efa9617ccbe98b190373c88477241f1201975d17ff874d8027a890c710373cd57fc900f52670e797acc70efc8888a93efdb40076c16bca64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4-bbvq84.0.vb

Filesize
362KB

MD5
e8b2625fcda39a8e9ad84f2741287b03

SHA1
01157cd39ddf823f33d6c496adf5d8ebfd6b245e

SHA256
15a1e48526600daec1caaac801f407524690cc1b471dc7c47a5e0c340cf79927

SHA512
39dd027b776c9665b04770e4ad09ca729b0bc7ecfcf20129caf9bf8d5aa500ac6f9523769a81dbf6e30fc6d90550664f11fb177f10822dfccffb84ddf990e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\4-bbvq84.cmdline

Filesize
138B

MD5
09f75abaa5572d513e38e9083dc7eab5

SHA1
d1dc593757b5b882f57720673921d3ea11b0075b

SHA256
c912549c55e57206e7a1e444058b924df894de7f0622506e1d8ecab7705a59a7

SHA512
17f28fcc1a3d232235592515ce0f5edd915196dd756f400573b63905da204b2e5aa4cd68942828e1edfe70b739344912a1f33a205abd178cbb8dec2490b371f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4-bbvq84.dll

Filesize
736KB

MD5
fb123701885032787652697378356f20

SHA1
e064d1e07dbbe92b4b7304cce622c17760168f13

SHA256
b808e49b675eb897d797c13b1e30ab73a77d61aaa5b57de7e603c2926f20a323

SHA512
0a438c61c0d548cdef4cc66b46f9a619eed00b98eb189a1936a0257dc133b23738536277964ca58eb2fa750c71833accb3b8cee6d468b8daec9a686fdba2b308

Download Submit
C:\Users\Admin\AppData\Local\Temp\6nyxx9js.0.vb

Filesize
362KB

MD5
e8b2625fcda39a8e9ad84f2741287b03

SHA1
01157cd39ddf823f33d6c496adf5d8ebfd6b245e

SHA256
15a1e48526600daec1caaac801f407524690cc1b471dc7c47a5e0c340cf79927

SHA512
39dd027b776c9665b04770e4ad09ca729b0bc7ecfcf20129caf9bf8d5aa500ac6f9523769a81dbf6e30fc6d90550664f11fb177f10822dfccffb84ddf990e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\6nyxx9js.cmdline

Filesize
138B

MD5
844fbc98dfa42bc145eb24fdc17ab360

SHA1
1698e798fbeed9835c4e9d72bb999f083bb5bdc0

SHA256
678cd1dd6ea6e4e2eac8b6e1e5e6dd74c36ceb31bd646780d73d22f4e5b0b0ee

SHA512
58d9b825a7ceeed4c89fb1b71d5969e1155d00c1a8f80ac3eab20e6a432cbaffca6ab137f3ff9b547e4d41849a7c1414be4ac20cd417f28fbe79fe4a61567bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6nyxx9js.dll

Filesize
736KB

MD5
bd31d3d5f0a5c14d0b0411c4a17365eb

SHA1
3016dd872d082c5b68a298ed1d5f284c21c0a325

SHA256
2aa223630cf31fbcb9782f2412c268f2e912776df483e0f41151520bd06af055

SHA512
02f8f459b73a9f335a54a90b3bde501ba8f4377657ee28afb85481681e95bc50ae1f426b0a08d001dd614141a04c780ecc1df0e223d53168b835888bd42c4f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E4A.tmp

Filesize
1KB

MD5
a61c2442a43e26015788650d38696778

SHA1
b42e108cd34e9ffcfbefa56f4c01c1fb8fd652ea

SHA256
b5156548c0d4a1e1e1e2640fee2fd493f21d77e6d018e3a0eb5d36e7cdba86d6

SHA512
a13ebd3dd9696a710c530cdc9c749b42d3d96a32d984cb4b2ba5a8119cc76575b8803d66499f7afd54495d510afa0f1fb487cf88d5f133e7eab485aa31b94590

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E5A.tmp

Filesize
1KB

MD5
db9dae6c81ad3e21dbc8d42438126c16

SHA1
f63d80b4f33d60b1490387197e0df04ca0548829

SHA256
bfe13640bd01447835f873382ddbc05bcbc1f7d48b516c726867d003e9cdd32b

SHA512
8994c0c112fa9acf107d4f68808e4f8a8ae974f76275500c1cda787261ca9c1795a9505f1fe66e71abc4762d3b62f7dab557eeb096f74e47f68be5121a041906

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES425F.tmp

Filesize
1KB

MD5
fdde7a8e0ae801bf84834638f0716304

SHA1
e153583fc694fcf06b02a33dc572ac8ec89c89a3

SHA256
6400474f6d5bb3c8fecd6ea71aee91e4d5f9a0bb62a236b2de8e5d30ac58071b

SHA512
84bc71e62422b83334669b3d87826774ba19bbe23ec3869e2de97e7f29004d9cf04f828aa93bdddc36c82e1d3c08f9da43ae1798232f4f6d444a84c8d086958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4260.tmp

Filesize
1KB

MD5
f47b44a50fe32ca1866c79ca4d225a47

SHA1
b3890138492ec2396390692e5ce9b535d6929c3a

SHA256
f4a86cc20359b555780d282351a833e84b64526e488d52bf76446fb0a7066abf

SHA512
2b7be180c0a8ad0bf0a573f86d8d091dbae3ede358069259d3be650bd23d484d7daf48205126fb40e2b295eec6b85d8308be2af048f9c92bdfa0e27da7576494

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4665.tmp

Filesize
1KB

MD5
e544021e5de1c9d7de0350feee776be6

SHA1
726b372eec29d2eb01021490ae83ea75063672f5

SHA256
8aa6b51991bf774dc875a08aba55699764c96ba6e4bc070388643ef7deb36908

SHA512
3f74a06df9b0c92a071d2eeb5b7bb4ff722ae81312401f4291d826811527e1c1b538eb7f190c2effca5c2f38baaa68ed6a194c00c8c725cfe08812ae6ad729ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES481A.tmp

Filesize
1KB

MD5
20c0e6c985dafd25e0478911dadac28a

SHA1
af341cee69aa7ec8fe70834d3421067d6a01bca6

SHA256
9eb1387c8480c94257f1134c51e051fb5b0b3128e33b646c41b8ab609f4ebc4d

SHA512
b9bc4cdb30d772c9f966e7a31162d41bd5cab6aee4efce39c9bf43370defb0be9f2e3ee08fe6461b234ad12c672dfd819a416a8ef06bed128f8c7874d1c64580

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C4E.tmp

Filesize
1KB

MD5
83df1511e5e8e5937f6ba716432606be

SHA1
7063c366852dce3c33cdf5d6e0466346d9594e2c

SHA256
7928ec690cfbaba910d24201a5d40496582ce97b92862f2f07ab9c142a2a5e85

SHA512
f1c28944dfbb85e63d03b3702b279d49b81008a34e7a97924dc3052f92ce24a43eec6713b4c1c27504017e0a555da20a34177ec13cde1b6be04d5f4d86131810

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C8C.tmp

Filesize
1KB

MD5
09a7de9f73b70a16d6b2edb4c1bb2dc4

SHA1
b61e071971f4b581bbca48c1f71fba3296595e62

SHA256
fef375505c50bf5b6e963b97994f2a7c368c13bbd4397383b4ffa2aa68c09a2d

SHA512
6accad0c10a6b9baa88b7c4f505df6d0c589fc1c9dc282b19033c0e3a5f5506b79b1e4a2ade6ef1505e2ba64272cb6c60825acea321a93fad1b718500f21622f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7763.tmp

Filesize
1KB

MD5
7ff2da0c77fe106dd10fffd05fd50e81

SHA1
503fe6fdb15aee9d5b36fa145e890f6593201d73

SHA256
3c609d47696080461c6a0558365c8004bd548c1e121607009d0cd7458c278b10

SHA512
61b8fd87cd88626dd21da08dcccbbcf4a2bf3a027bea3e7ab0f4741d0cd830444f0dcffc80dff90ae11d300b53f55023b3fe44331c58630197c6fcedaca34706

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES77A2.tmp

Filesize
1KB

MD5
c234435ed4a9bfbfaa43f8870f0941f6

SHA1
d1401a44b9473f32aa62f2de684a201c9ac8f06d

SHA256
942f66bb0f89d7b0500a9aa6678407c8049bbe2f7ba503ea0a219b9ca9bd3b06

SHA512
b4665fc444509b46cd9aaaf9fe358528ad8fb9ab2e9440b50fba89ab42538abb57c3b8a76e66f5bb8aa777808ff88eb8fa7563e5fb8c15926e983b9e301076da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C24.tmp

Filesize
1KB

MD5
782de2d2da7583f2ef8d3c1f0095523d

SHA1
f53e645f16560f02a9064fac942342a9f0dd4776

SHA256
2b400ce7c49f0cf3151f57ea399e61c0e459e099a49097ab90b491c77ce36240

SHA512
d79a4b2f31032a8d130596341d858142d4f1a80c7ff473d2501a18c570f29907144b036522f22cbdb2d66bb83eb5305c00cc448d9007130693962e38df848d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqs4k9a-.0.vb

Filesize
104KB

MD5
d1e62009e817e620fff3f6bb21139c2b

SHA1
8d3ada7ae4a4fa648db961f9ba65bd74e68750d3

SHA256
9b01960cb2f6af89f669714c7c57dc039cb3058e5db3034d173cb0aa0b6205f3

SHA512
b460b675796cc79115729e263de8f50415b6fd307823928320050bf69c8d85270675626b82ea03bc543f3007b2d068bfac25a2053d9074c91a5f73837b6cbccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqs4k9a-.cmdline

Filesize
138B

MD5
7cdaf9521100815a6708bbdec32f862e

SHA1
63928bbba347f340d732bf15a89aae17a71a57b1

SHA256
b5114aa168cee7386b979e3d02e8b8f9c77562d82b827c18a8ceacdfe46c4a54

SHA512
adbc64e0a4ec91d33234b3d7d7388cc51c0e16299df5dba93a83343be452f7aeca3907e516be2430fe8ef999842f6f2198774942cabd9ba2a0119629ebd8214c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqs4k9a-.dll

Filesize
220KB

MD5
c9e3137456298c74222562511d170d4a

SHA1
a48f7015b863e37e23ff645df521b631cd0bbb9f

SHA256
4aefb0799a5dc556274b2d0106a196ad90ba2ea3f730e92e6a9217459176b564

SHA512
1e7af5cf14afb87ba29a779bd670ec9c89332fbfafafdf7d6365616c69715f97e3719dd1c48b1ac12de80c37fcebf3f50443709759f7f632e989d948d0cd8819

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqte1mdr.0.vb

Filesize
362KB

MD5
e8b2625fcda39a8e9ad84f2741287b03

SHA1
01157cd39ddf823f33d6c496adf5d8ebfd6b245e

SHA256
15a1e48526600daec1caaac801f407524690cc1b471dc7c47a5e0c340cf79927

SHA512
39dd027b776c9665b04770e4ad09ca729b0bc7ecfcf20129caf9bf8d5aa500ac6f9523769a81dbf6e30fc6d90550664f11fb177f10822dfccffb84ddf990e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqte1mdr.cmdline

Filesize
138B

MD5
f8917ca164ed67656dfe1c2a892181ee

SHA1
687da3e00a1a8924ef0035086feb8a28e21c661a

SHA256
b1aba59841e1e2706840e8e5da0d110629f39d3c4bf92a25144a61f138ffd539

SHA512
b032e365abe12cd9eda6810b926a29c9e89f450adc10b67e1198054d6409022ca41335aa66003108219b834e7b3eec1a53b717052bba65cf635d18c2ac624d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqte1mdr.dll

Filesize
736KB

MD5
c6295e05c2e9d707f6a0e54adce61bf7

SHA1
0c8b649c80a0b9bbe89551508b10ad63b0ab3c20

SHA256
9e515a91c01a1c28b8529ed036a5a5266984fd8c29a3b7d38a23761786f48277

SHA512
65dd8adfd3551b67711b1a437b0b2a814f51e47a0ca77435d1662c89dcbcb7fdb1a5b0fc0da0b869f1f835fe1674b6e7294516ff3ff3011f15ef4b29f03e8bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmdsgvpd.0.vb

Filesize
104KB

MD5
d1e62009e817e620fff3f6bb21139c2b

SHA1
8d3ada7ae4a4fa648db961f9ba65bd74e68750d3

SHA256
9b01960cb2f6af89f669714c7c57dc039cb3058e5db3034d173cb0aa0b6205f3

SHA512
b460b675796cc79115729e263de8f50415b6fd307823928320050bf69c8d85270675626b82ea03bc543f3007b2d068bfac25a2053d9074c91a5f73837b6cbccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmdsgvpd.cmdline

Filesize
138B

MD5
62f33dddd6a9f1883c2b3aebd1255768

SHA1
b3d38ad09a41d162c6f851a896799b9d76acf01f

SHA256
251868a19727c93cddcccc5aadac07bc6e7fb31b37556efcb017d9a5a0b29984

SHA512
f1021b947c03624d0035ac8b2e1319deba9c75c20bf241b3d75b3f212b48249658e314e3a716f5392a82641b45ea3cb110f7dff4afb885d107c225eae70c1581

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmdsgvpd.dll

Filesize
220KB

MD5
9d119a7c0554f9c21cc874d9b9289373

SHA1
37c869663cc53908e94ca768b064825201591bf0

SHA256
8ad459e20f9d9de0f3c64b3689fc292ba87b51949f7922a5e5525aa53e934f4e

SHA512
6c21df6019bf6d3f975189b8a66438acafb6fbe147c0855641951259fa28e5cb73dbeac374563d6b6a5d29225283a130a476288fa77da75a2e269275a4e931da

Download Submit
C:\Users\Admin\AppData\Local\Temp\hul7oenf.0.vb

Filesize
362KB

MD5
e8b2625fcda39a8e9ad84f2741287b03

SHA1
01157cd39ddf823f33d6c496adf5d8ebfd6b245e

SHA256
15a1e48526600daec1caaac801f407524690cc1b471dc7c47a5e0c340cf79927

SHA512
39dd027b776c9665b04770e4ad09ca729b0bc7ecfcf20129caf9bf8d5aa500ac6f9523769a81dbf6e30fc6d90550664f11fb177f10822dfccffb84ddf990e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\hul7oenf.cmdline

Filesize
138B

MD5
85470ee0ca20c411d6432da19a65c1fa

SHA1
c5969ddc2be188b560bea655aa58052b11b37e31

SHA256
a32eab955a9f3eabdba643fe16fa30794b7c7ba69d8fb09d854e021238f797d7

SHA512
d33c3195251dbe54bc4b82dfccd55cf5f0e767308d746127dd4bdfad1c2119bab36d73fc8566bf4b6f4052ad0de27e3e1e119cb968a28c819188a8eb7cfa51fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hul7oenf.dll

Filesize
736KB

MD5
9d3f1147eddfb2c50484ea549d12e032

SHA1
9c5e4a537777dee3038de40c0cd8099be1700eab

SHA256
0d3b41f14413a68e3e455ac656da02669fc987faa70a59453db92550c051cf39

SHA512
8d622446fb8734a5cbdc57abe8447ba796939a341b9dc71cf16b429c5e47922324928157838d7205e5cb17a3aa0a7cb60927dc347450814b4c2250bfa92fcbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mei78ds9.0.vb

Filesize
362KB

MD5
e8b2625fcda39a8e9ad84f2741287b03

SHA1
01157cd39ddf823f33d6c496adf5d8ebfd6b245e

SHA256
15a1e48526600daec1caaac801f407524690cc1b471dc7c47a5e0c340cf79927

SHA512
39dd027b776c9665b04770e4ad09ca729b0bc7ecfcf20129caf9bf8d5aa500ac6f9523769a81dbf6e30fc6d90550664f11fb177f10822dfccffb84ddf990e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\mei78ds9.cmdline

Filesize
138B

MD5
860019fe6d01ef1b20bfe9e8f779a1ec

SHA1
263f94b6b0c9ff684038173315d02ceaa1288105

SHA256
b193bdf12c802b048bbb5840d544558196edc551e179fde42f76959bb31c7973

SHA512
9e84e1bd4a06415fd1aed5ae465d323782db17f43ae5e141e707eb65096395710de50006efd40cf30aa2f42b6db91b515875e069dfd538c2ddb1d13f089fdb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\mei78ds9.dll

Filesize
736KB

MD5
e0b98b900eaa93d602dfa0d990f3657a

SHA1
4e06105b044bde0d9326bbe31a9eaca2341e0b44

SHA256
8091eb51d5fca28ff2fdc5752b118444f57e93264e384f5d37855d58277e3eaf

SHA512
dbfa91c976143e47ffd07c02d1a8d1a4b13ee676b48fb27d5644b94299ca44276c65a348f83cbe0cbb2a59a81ac05d5993de31f6c1636918d321cc12194a47c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7znvby5.0.vb

Filesize
104KB

MD5
d1e62009e817e620fff3f6bb21139c2b

SHA1
8d3ada7ae4a4fa648db961f9ba65bd74e68750d3

SHA256
9b01960cb2f6af89f669714c7c57dc039cb3058e5db3034d173cb0aa0b6205f3

SHA512
b460b675796cc79115729e263de8f50415b6fd307823928320050bf69c8d85270675626b82ea03bc543f3007b2d068bfac25a2053d9074c91a5f73837b6cbccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7znvby5.cmdline

Filesize
138B

MD5
d9fcf3165cc3907671809f2db3adb689

SHA1
230eecfcf54fb51b1f4bd8756d5d0de6a3feaefe

SHA256
14609d60f8e2967c433ae99b0a9131f9f396c50fc6c7127e440a4c242df3eb61

SHA512
ecd6cacc0bcd0bfbb1226f578553389cfd3d5c2d54fc4feebb58b16ee4654a4118262cc7bfe39b25ec59cd492ae350f56b9cb40e9e6eea35ae0a03031b22b076

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7znvby5.dll

Filesize
220KB

MD5
8406ae0ff3383aba82b97552008f25ab

SHA1
53fde28e50d5ac3d393e435052d911aae3e12764

SHA256
efb3d5dbeb3ab66a3c4c4902a637a601fbc67ceef890e83a864d1297579c59aa

SHA512
7644506f27d87a4e21ea63f77f3f9b783fbf262c32b04cd48e493762688f55ebc0b5a15f70476bd0b078a8b7e6079bb8b3387a50327f0e8d0933e297fb3c5420

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E39.tmp

Filesize
652B

MD5
f1e98275b312b9c47f7f19a45a22b00f

SHA1
1706fdc6f5a4d67435325e6a812c9d79b00e61bc

SHA256
2d3b8e8fdff45f853dae833896367e7f33a1250022a6ccbb6f6d3fa2b4960e61

SHA512
226d07a98b02d89fd9905675f98f2eddbe3d8bed3f328fa9bee3f5ce9975109b0670168fcc9c8bd4993b1004dccb982d62956959761b755a701f9ccdb6f060b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E59.tmp

Filesize
652B

MD5
76feff272170963927723361fa1af21b

SHA1
ead6f1ace6ed8b9c4e488af841b8adab8ac6707e

SHA256
ae02ab5c0643f6874eaa59cd87487ab960b7ac42d80ebe4bb3354a982336a809

SHA512
10e4ced0a1d1d603f54656588708ace5a7c47ccd31235a77f2e8e20b042b6f9f47921489e60eac15ac9eaca17c7609cc568b409dbf6a13f2d040f49f36de65da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc424F.tmp

Filesize
652B

MD5
1482409c44676e5fd80cf5640ebb16ee

SHA1
b00e6ce919839560bb98248171d35fece519d1cc

SHA256
0e2a7bd83362e3e73b243d71d9bb083a6d0e01e37b27312f7ca0203806389516

SHA512
014c114374dcdfe7835cb6a9fae5017af6e7b5d379462bae5a3175c5f6684a8d4f5d3eb2e4d21d289a3b7f30551cf31d328bcb26e67b71ff3ba777ec6a202ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc425E.tmp

Filesize
652B

MD5
f31d1ec958ffb034ad0cf08fa2b481af

SHA1
ac33f0a2f11ab3b14e91346481ca562d5d40d8de

SHA256
187908159f0937818a97842535e6ff1231adba84727769df8e3bbc3bb730cb2d

SHA512
9dd79cbf1944838eda0ed3e061dff1a6bc838b0e0098d75af10e587db92c602e3f3e68a15ed59743637b159027e329cec54604a020c1ff4b64631da9b207a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4664.tmp

Filesize
652B

MD5
348dd427a136ec8da3c0a041641059ec

SHA1
f94d63d7999b7c946ee04b9020641fdfa26ecf59

SHA256
2285b435d092b151cec96f7ea07a8f897293dbc45a6d6fca0d6b6c1142d6abbf

SHA512
62b7ee5a56144a876374bce0a753e8490fb1d5728d7ba4782d90440fce86f38e59e1252e0ec19b3c095c38785d356c377800cb1cb02cd9270a29c242aa05f089

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4819.tmp

Filesize
652B

MD5
487f910b757e07587dbb258e542158c9

SHA1
7f6b12c7898778494e8bfa3c79169520a6f1a9aa

SHA256
55cbae5b83b4796cf750cb405ee60aeb1423ca9dc4586000d12981413bf8d77e

SHA512
2c7f47d265e4c5582ca71ca0bef43b72806a133dca46ac865164ea5471b1402d82b53d5c118932246b6299e931f9e6a81f2f4ab71ef9d7a0c82b2cc5f7f59bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C4D.tmp

Filesize
652B

MD5
9ef1546ce397f58912ddc6f1e25728e4

SHA1
e0b0a8fa9f3d2b9df69a5126dc8d26de3582108c

SHA256
c200a96c214fcd439e11f0f46e80b8b0eb6927bcf24bba0ec602c3324400e114

SHA512
533c1b4e2cc39f11ac1bfeb5e606425b8640b5c11376ac6920138bab7fb54b1eacf1c1f5da3d1a51ef2b6517405d3038e098d261272f7e620e433ecfb5146ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C8B.tmp

Filesize
652B

MD5
db269d62d4bab4b6a095fb0a0c195f70

SHA1
26db78b9734c26cbd3a9df57f5f777f3bf1d3c27

SHA256
1c5dfd3ad1f0c8909d3f3cbf8434362f6a43298ce0ccbeea010cf33efe3d6ea9

SHA512
c5fd0a9cda8b735ef5ae90ee00941bab51b7d787148d233784ef695993d2bdfd6dca42d0e530b2174b6413e30bccfa8e0b0cde436086a3ef2d20fc4cb6a99d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7762.tmp

Filesize
652B

MD5
a773a571e0c69855c0b3d57cf0857ea6

SHA1
63f66d32a185bb6aa28f52a1b9bbe8e10bf70ab9

SHA256
6f2e23de49442d23d0a8227a55da562560fa6e3bf47d4e679e06f1c1e682ba17

SHA512
1d47bb68be692b5504dbdfccbefb8c2c4d442105172487f15e1eaae6c5936de6c271b3665cfab103688a9f0fa9a82e976567b02eacf71b0dc52295867a177336

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc77A1.tmp

Filesize
652B

MD5
7e00a5039b8430d61332d54a4e05109b

SHA1
0a640a213044cd1b29ce131ec5b76f9d0c815d87

SHA256
8731fb536042d4c7e1af3a92429e03767b71c09e0b60dde63cb43a5e3e1cadf3

SHA512
816a470ee6f6e5c8541226d5e6c6ba7d0a40edebd4e3d383d2dcda6a22acdeb3a89efa1eda7e4a0763c4dae7449ba4286439c6fd5ae8090f463479f47a61165c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7C13.tmp

Filesize
652B

MD5
c86a8d3a42cadd2ad40a1703351bb16a

SHA1
0af878977d1d3a2bb07cd0c7df0f734aeeea0456

SHA256
5e5458a6d6554e9e31a4dbb3f4f5aa7138f6e92bd9d293999f8baac40d5b4ec3

SHA512
bd798f75a8ba6e5f41b826d1f2e534e8f267101a04312beca0355ccb11601e908b3f6d8b31f7e5b13da98b46115e7b195c478d4e4b10d34ac213ce0dd9d3ba72

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpih6d4y.0.vb

Filesize
104KB

MD5
d1e62009e817e620fff3f6bb21139c2b

SHA1
8d3ada7ae4a4fa648db961f9ba65bd74e68750d3

SHA256
9b01960cb2f6af89f669714c7c57dc039cb3058e5db3034d173cb0aa0b6205f3

SHA512
b460b675796cc79115729e263de8f50415b6fd307823928320050bf69c8d85270675626b82ea03bc543f3007b2d068bfac25a2053d9074c91a5f73837b6cbccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpih6d4y.cmdline

Filesize
138B

MD5
d5d915bc11b6b6e42c609e14fe4f93b0

SHA1
094445a5742ff129d9ec3073f8e6c10ae423e7d1

SHA256
03d5348863e8ebac88c8874d5de671212933dfc8f961b16d8ee48cc75f5866ad

SHA512
2b32fb2410794050f77dc421769fc8022bca37b8258335fec5f702e741f0f1b4ab23be0ad28cae88d500de85e7439446b4f320b0391afbae24b562a6de60e366

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpih6d4y.dll

Filesize
220KB

MD5
c36be2e83125cb75d1363e30f0b0a739

SHA1
a9c38249cfe76013499ba285239c7ae72fb68983

SHA256
7c6b5079057f5f4cf9df73eaba20a60f482cb950de2928a6dff955aa76613a11

SHA512
639b37df3983a3c3dcd9047a395cc124c7543ae826b60242efe31388fee46a77b6b5541420a619752f4ff16fa121638a3c97001c14b0024469d6984d7569f6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vr2maj_f.0.vb

Filesize
104KB

MD5
d1e62009e817e620fff3f6bb21139c2b

SHA1
8d3ada7ae4a4fa648db961f9ba65bd74e68750d3

SHA256
9b01960cb2f6af89f669714c7c57dc039cb3058e5db3034d173cb0aa0b6205f3

SHA512
b460b675796cc79115729e263de8f50415b6fd307823928320050bf69c8d85270675626b82ea03bc543f3007b2d068bfac25a2053d9074c91a5f73837b6cbccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vr2maj_f.cmdline

Filesize
138B

MD5
07b9c8623961d3a1cd55f07ed4733704

SHA1
82a550804c82443bd71ddd80a79360d346abefb7

SHA256
18b1bc0bea45fe4d7dae674471e8b9c8df09878a26f62cbd25932e39c9da4eb7

SHA512
8dfa2724cb65c56a467b59b790056371c51a6179e138c99c7cdcc79e0c3ad8a2e1c7f5e77167729934ca6498ba1c9e58981c202404538112dd9a743c2de0db6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vr2maj_f.dll

Filesize
220KB

MD5
06dd2a2031fb17d2fc66b4a4dabc0cf3

SHA1
71defb99e1ccaf6ab029adbbadc0ff481aadbc0f

SHA256
572f2b13c0482a09695177bc5e2bbe6df7ab7ca927b0d2ddb2023a88145f02b4

SHA512
125f017ccea44b2110972716c7d17ff8b84d0946bf44076b5c700d8c7c6aa3c43822ac3786d13712a35d702ceb2a5eb4fdad07c7e318884b62b6b7773f77aeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh9jvdxj.0.vb

Filesize
104KB

MD5
d1e62009e817e620fff3f6bb21139c2b

SHA1
8d3ada7ae4a4fa648db961f9ba65bd74e68750d3

SHA256
9b01960cb2f6af89f669714c7c57dc039cb3058e5db3034d173cb0aa0b6205f3

SHA512
b460b675796cc79115729e263de8f50415b6fd307823928320050bf69c8d85270675626b82ea03bc543f3007b2d068bfac25a2053d9074c91a5f73837b6cbccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh9jvdxj.cmdline

Filesize
138B

MD5
da8065e9d29c7a0c874abb80c6233698

SHA1
09ceab00cf9a05beb24eb5b68dee8900d0dc2c49

SHA256
18d97e05ff92337625001ec9e28268b68e4c1c855fb08e1f17bf1c6ebaf58640

SHA512
e4e1d4206e34d58e24425b5316ee80018dde92df91c5f98ad515c8a1a1d139a86995ff1ccff9c7fe36340b984b1d44c0ec446788a1b551c52c11cf60c7565cdd

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
memory/532-83-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/532-81-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/676-204-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/676-203-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/732-182-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/732-184-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/936-54-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/936-56-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/936-55-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1016-215-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1016-217-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1036-107-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1036-106-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1084-218-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1084-216-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1320-61-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1320-60-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1344-82-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1344-84-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1572-133-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1572-136-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1612-159-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1612-158-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1752-183-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1752-180-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1784-157-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1784-154-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1868-202-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/1868-201-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1960-108-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1960-109-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/2036-123-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/2036-125-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/2112-230-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/2112-228-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/2168-231-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/2168-232-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/2340-234-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/2340-236-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/2376-235-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/2376-237-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/2552-241-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/2552-242-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/2568-239-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/2568-240-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download
memory/2716-244-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/2716-245-0x000007FEF2F70000-0x000007FEF4006000-memory.dmp

Filesize
16.6MB

Download