lokibot | fea3f30556e99bb327e2584018334b8b5ba8d74ae25710626b9d58cf0666e41c

Analysis

max time kernel
120s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a53c78fe9cd7f38f85258a17b37fe6e_JaffaCakes118.exe
Size

249KB
MD5

3a53c78fe9cd7f38f85258a17b37fe6e
SHA1

76f035dcaffc9087a2a959d0419d8653f6b29b39
SHA256

fea3f30556e99bb327e2584018334b8b5ba8d74ae25710626b9d58cf0666e41c
SHA512

b14c483b7ca03d15cc0f430914a865463ab69e6b16cc783a69525e5ebaf3fc9c7451c6ee8473fe169c84fc6d05a5e1023b1c3590d9339abbc09dd1fb2999baf1
SSDEEP

3072:pYbZ4Hwie5tR7c6ZGU05sHbf4bQl4F8jU8NRFJUuj4Il/ZbEyGvp0welfONmQTiA:pY8ipnMi4Vu734ID6hKlWVi3iE/jQCnw

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://107.175.150.73/~giftioz/.hokbi/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

KtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe

Executes dropped EXE 64 IoCs

Processes:

pid	process
2764	KtlVtDDtCbxIugvgma5.exe
3684	KtlVtDDtCbxIugvgma5.exe
5440	KtlVtDDtCbxIugvgma5.exe
1216	KtlVtDDtCbxIugvgma5.exe
5128	KtlVtDDtCbxIugvgma5.exe
2900	KtlVtDDtCbxIugvgma5.exe
5572	KtlVtDDtCbxIugvgma5.exe
5428	KtlVtDDtCbxIugvgma5.exe
3272	KtlVtDDtCbxIugvgma5.exe
4368	KtlVtDDtCbxIugvgma5.exe
5640	KtlVtDDtCbxIugvgma5.exe
2292	KtlVtDDtCbxIugvgma5.exe
2368	KtlVtDDtCbxIugvgma5.exe
2208	KtlVtDDtCbxIugvgma5.exe
4344	KtlVtDDtCbxIugvgma5.exe
5540	KtlVtDDtCbxIugvgma5.exe
3648	KtlVtDDtCbxIugvgma5.exe
5472	KtlVtDDtCbxIugvgma5.exe
2084	KtlVtDDtCbxIugvgma5.exe
5032	KtlVtDDtCbxIugvgma5.exe
3904	KtlVtDDtCbxIugvgma5.exe
3876	KtlVtDDtCbxIugvgma5.exe
1892	KtlVtDDtCbxIugvgma5.exe
1384	KtlVtDDtCbxIugvgma5.exe
2224	KtlVtDDtCbxIugvgma5.exe
4224	KtlVtDDtCbxIugvgma5.exe
3232	KtlVtDDtCbxIugvgma5.exe
3668	KtlVtDDtCbxIugvgma5.exe
5604	KtlVtDDtCbxIugvgma5.exe
4768	KtlVtDDtCbxIugvgma5.exe
752	KtlVtDDtCbxIugvgma5.exe
1836	KtlVtDDtCbxIugvgma5.exe
668	KtlVtDDtCbxIugvgma5.exe
5416	KtlVtDDtCbxIugvgma5.exe
2456	KtlVtDDtCbxIugvgma5.exe
5192	KtlVtDDtCbxIugvgma5.exe
5512	KtlVtDDtCbxIugvgma5.exe
4880	KtlVtDDtCbxIugvgma5.exe
1804	KtlVtDDtCbxIugvgma5.exe
5348	KtlVtDDtCbxIugvgma5.exe
4004	KtlVtDDtCbxIugvgma5.exe
4940	KtlVtDDtCbxIugvgma5.exe
5724	KtlVtDDtCbxIugvgma5.exe
2928	KtlVtDDtCbxIugvgma5.exe
2040	KtlVtDDtCbxIugvgma5.exe
840	KtlVtDDtCbxIugvgma5.exe
2780	KtlVtDDtCbxIugvgma5.exe
4720	KtlVtDDtCbxIugvgma5.exe
3880	KtlVtDDtCbxIugvgma5.exe
2092	KtlVtDDtCbxIugvgma5.exe
2548	KtlVtDDtCbxIugvgma5.exe
5804	KtlVtDDtCbxIugvgma5.exe
1036	KtlVtDDtCbxIugvgma5.exe
4476	KtlVtDDtCbxIugvgma5.exe
2040	KtlVtDDtCbxIugvgma5.exe
5232	KtlVtDDtCbxIugvgma5.exe
2524	KtlVtDDtCbxIugvgma5.exe
4644	KtlVtDDtCbxIugvgma5.exe
944	KtlVtDDtCbxIugvgma5.exe
1228	KtlVtDDtCbxIugvgma5.exe
2012	KtlVtDDtCbxIugvgma5.exe
4500	KtlVtDDtCbxIugvgma5.exe
2724	KtlVtDDtCbxIugvgma5.exe
4736	KtlVtDDtCbxIugvgma5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

description	pid	process	target process
PID 2764 set thread context of 2092	2764	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3684 set thread context of 5500	3684	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5440 set thread context of 400	5440	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 1216 set thread context of 5472	1216	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5128 set thread context of 432	5128	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2900 set thread context of 4604	2900	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5572 set thread context of 4852	5572	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5428 set thread context of 2052	5428	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3272 set thread context of 4904	3272	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4368 set thread context of 6136	4368	KtlVtDDtCbxIugvgma5.exe	cvtres.exe
PID 5640 set thread context of 3748	5640	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2292 set thread context of 1200	2292	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2368 set thread context of 3460	2368	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2208 set thread context of 4720	2208	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4344 set thread context of 1452	4344	KtlVtDDtCbxIugvgma5.exe	cvtres.exe
PID 5540 set thread context of 6008	5540	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3648 set thread context of 4208	3648	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5472 set thread context of 5796	5472	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2084 set thread context of 3748	2084	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5032 set thread context of 3532	5032	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3904 set thread context of 4888	3904	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3876 set thread context of 2208	3876	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 1892 set thread context of 5544	1892	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 1384 set thread context of 5540	1384	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2224 set thread context of 4472	2224	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4224 set thread context of 5536	4224	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3232 set thread context of 6052	3232	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3668 set thread context of 2648	3668	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5604 set thread context of 3332	5604	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4768 set thread context of 5736	4768	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 752 set thread context of 4440	752	KtlVtDDtCbxIugvgma5.exe	Conhost.exe
PID 1836 set thread context of 3928	1836	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 668 set thread context of 4472	668	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5416 set thread context of 2224	5416	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2456 set thread context of 2036	2456	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5192 set thread context of 2776	5192	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5512 set thread context of 1692	5512	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4880 set thread context of 3580	4880	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 1804 set thread context of 3612	1804	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5348 set thread context of 2468	5348	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4004 set thread context of 5128	4004	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4940 set thread context of 408	4940	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 5724 set thread context of 2388	5724	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2928 set thread context of 748	2928	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2040 set thread context of 5380	2040	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 840 set thread context of 4464	840	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2780 set thread context of 3748	2780	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4720 set thread context of 5204	4720	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3880 set thread context of 2320	3880	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2092 set thread context of 5128	2092	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2548 set thread context of 4916	2548	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5804 set thread context of 3904	5804	KtlVtDDtCbxIugvgma5.exe	cvtres.exe
PID 1036 set thread context of 2936	1036	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4476 set thread context of 1384	4476	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2040 set thread context of 1456	2040	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5232 set thread context of 4444	5232	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2524 set thread context of 5568	2524	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4644 set thread context of 2096	4644	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 944 set thread context of 2664	944	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 1228 set thread context of 4324	1228	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2012 set thread context of 4504	2012	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4500 set thread context of 1840	4500	KtlVtDDtCbxIugvgma5.exe	cvtres.exe
PID 2724 set thread context of 5388	2724	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 4736 set thread context of 1716	4736	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

KtlVtDDtCbxIugvgma5.exe

pid	process
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe
2764	KtlVtDDtCbxIugvgma5.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
2764	KtlVtDDtCbxIugvgma5.exe
3684	KtlVtDDtCbxIugvgma5.exe
5440	KtlVtDDtCbxIugvgma5.exe
1216	KtlVtDDtCbxIugvgma5.exe
5128	KtlVtDDtCbxIugvgma5.exe
2900	KtlVtDDtCbxIugvgma5.exe
2900	KtlVtDDtCbxIugvgma5.exe
5572	KtlVtDDtCbxIugvgma5.exe
5428	KtlVtDDtCbxIugvgma5.exe
5428	KtlVtDDtCbxIugvgma5.exe
3272	KtlVtDDtCbxIugvgma5.exe
3272	KtlVtDDtCbxIugvgma5.exe
4368	KtlVtDDtCbxIugvgma5.exe
5640	KtlVtDDtCbxIugvgma5.exe
2292	KtlVtDDtCbxIugvgma5.exe
2368	KtlVtDDtCbxIugvgma5.exe
2208	KtlVtDDtCbxIugvgma5.exe
4344	KtlVtDDtCbxIugvgma5.exe
4344	KtlVtDDtCbxIugvgma5.exe
5540	KtlVtDDtCbxIugvgma5.exe
3648	KtlVtDDtCbxIugvgma5.exe
5472	KtlVtDDtCbxIugvgma5.exe
2084	KtlVtDDtCbxIugvgma5.exe
2084	KtlVtDDtCbxIugvgma5.exe
5032	KtlVtDDtCbxIugvgma5.exe
3904	KtlVtDDtCbxIugvgma5.exe
3876	KtlVtDDtCbxIugvgma5.exe
1892	KtlVtDDtCbxIugvgma5.exe
1892	KtlVtDDtCbxIugvgma5.exe
1384	KtlVtDDtCbxIugvgma5.exe
2224	KtlVtDDtCbxIugvgma5.exe
4224	KtlVtDDtCbxIugvgma5.exe
3232	KtlVtDDtCbxIugvgma5.exe
3668	KtlVtDDtCbxIugvgma5.exe
5604	KtlVtDDtCbxIugvgma5.exe
5604	KtlVtDDtCbxIugvgma5.exe
4768	KtlVtDDtCbxIugvgma5.exe
752	KtlVtDDtCbxIugvgma5.exe
1836	KtlVtDDtCbxIugvgma5.exe
1836	KtlVtDDtCbxIugvgma5.exe
668	KtlVtDDtCbxIugvgma5.exe
5416	KtlVtDDtCbxIugvgma5.exe
2456	KtlVtDDtCbxIugvgma5.exe
2456	KtlVtDDtCbxIugvgma5.exe
5192	KtlVtDDtCbxIugvgma5.exe
5192	KtlVtDDtCbxIugvgma5.exe
5192	KtlVtDDtCbxIugvgma5.exe
5512	KtlVtDDtCbxIugvgma5.exe
4880	KtlVtDDtCbxIugvgma5.exe
4880	KtlVtDDtCbxIugvgma5.exe
1804	KtlVtDDtCbxIugvgma5.exe
1804	KtlVtDDtCbxIugvgma5.exe
1804	KtlVtDDtCbxIugvgma5.exe
5348	KtlVtDDtCbxIugvgma5.exe
5348	KtlVtDDtCbxIugvgma5.exe
4004	KtlVtDDtCbxIugvgma5.exe
4004	KtlVtDDtCbxIugvgma5.exe
4940	KtlVtDDtCbxIugvgma5.exe
5724	KtlVtDDtCbxIugvgma5.exe
2928	KtlVtDDtCbxIugvgma5.exe
2040	KtlVtDDtCbxIugvgma5.exe
840	KtlVtDDtCbxIugvgma5.exe
840	KtlVtDDtCbxIugvgma5.exe
840	KtlVtDDtCbxIugvgma5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

KtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeRegAsm.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exeKtlVtDDtCbxIugvgma5.exe

description	pid	process
Token: SeDebugPrivilege	2764	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3684	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2092	RegAsm.exe
Token: SeDebugPrivilege	5440	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	1216	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5128	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2900	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	432	RegAsm.exe
Token: SeDebugPrivilege	5572	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5428	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3272	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2052	RegAsm.exe
Token: SeDebugPrivilege	4368	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5640	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2292	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3748	RegAsm.exe
Token: SeDebugPrivilege	2368	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2208	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4344	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4720	RegAsm.exe
Token: SeDebugPrivilege	5540	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3648	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5472	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4208	RegAsm.exe
Token: SeDebugPrivilege	2084	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5032	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3904	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3532	RegAsm.exe
Token: SeDebugPrivilege	3876	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	1892	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	1384	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5544	RegAsm.exe
Token: SeDebugPrivilege	2224	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4472	RegAsm.exe
Token: SeDebugPrivilege	4224	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3232	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	6052	RegAsm.exe
Token: SeDebugPrivilege	3668	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5604	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4768	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3332	RegAsm.exe
Token: SeDebugPrivilege	752	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4440	RegAsm.exe
Token: SeDebugPrivilege	1836	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	668	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5416	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4472	RegAsm.exe
Token: SeDebugPrivilege	2456	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5192	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5512	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2776	RegAsm.exe
Token: SeDebugPrivilege	4880	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	1804	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3580	RegAsm.exe
Token: SeDebugPrivilege	5348	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4004	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4940	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5128	RegAsm.exe
Token: SeDebugPrivilege	5724	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2928	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2388	RegAsm.exe
Token: SeDebugPrivilege	2040	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	840	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2780	KtlVtDDtCbxIugvgma5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a53c78fe9cd7f38f85258a17b37fe6e_JaffaCakes118.exeKtlVtDDtCbxIugvgma5.execsc.execsc.exeKtlVtDDtCbxIugvgma5.execsc.execsc.exeKtlVtDDtCbxIugvgma5.execsc.execsc.exeKtlVtDDtCbxIugvgma5.execsc.exe

description	pid	process	target process
PID 4464 wrote to memory of 2764	4464	3a53c78fe9cd7f38f85258a17b37fe6e_JaffaCakes118.exe	KtlVtDDtCbxIugvgma5.exe
PID 4464 wrote to memory of 2764	4464	3a53c78fe9cd7f38f85258a17b37fe6e_JaffaCakes118.exe	KtlVtDDtCbxIugvgma5.exe
PID 4464 wrote to memory of 2764	4464	3a53c78fe9cd7f38f85258a17b37fe6e_JaffaCakes118.exe	KtlVtDDtCbxIugvgma5.exe
PID 2764 wrote to memory of 3512	2764	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 2764 wrote to memory of 3512	2764	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 2764 wrote to memory of 3512	2764	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 3512 wrote to memory of 3908	3512	csc.exe	cvtres.exe
PID 3512 wrote to memory of 3908	3512	csc.exe	cvtres.exe
PID 3512 wrote to memory of 3908	3512	csc.exe	cvtres.exe
PID 2764 wrote to memory of 4320	2764	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 2764 wrote to memory of 4320	2764	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 2764 wrote to memory of 4320	2764	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 4320 wrote to memory of 4224	4320	csc.exe	cvtres.exe
PID 4320 wrote to memory of 4224	4320	csc.exe	cvtres.exe
PID 4320 wrote to memory of 4224	4320	csc.exe	cvtres.exe
PID 2764 wrote to memory of 2092	2764	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2764 wrote to memory of 2092	2764	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2764 wrote to memory of 2092	2764	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2764 wrote to memory of 2092	2764	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 2764 wrote to memory of 3684	2764	KtlVtDDtCbxIugvgma5.exe	KtlVtDDtCbxIugvgma5.exe
PID 2764 wrote to memory of 3684	2764	KtlVtDDtCbxIugvgma5.exe	KtlVtDDtCbxIugvgma5.exe
PID 2764 wrote to memory of 3684	2764	KtlVtDDtCbxIugvgma5.exe	KtlVtDDtCbxIugvgma5.exe
PID 3684 wrote to memory of 1804	3684	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 3684 wrote to memory of 1804	3684	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 3684 wrote to memory of 1804	3684	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 1804 wrote to memory of 1424	1804	csc.exe	cvtres.exe
PID 1804 wrote to memory of 1424	1804	csc.exe	cvtres.exe
PID 1804 wrote to memory of 1424	1804	csc.exe	cvtres.exe
PID 3684 wrote to memory of 5536	3684	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 3684 wrote to memory of 5536	3684	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 3684 wrote to memory of 5536	3684	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 5536 wrote to memory of 3904	5536	csc.exe	cvtres.exe
PID 5536 wrote to memory of 3904	5536	csc.exe	cvtres.exe
PID 5536 wrote to memory of 3904	5536	csc.exe	cvtres.exe
PID 3684 wrote to memory of 5500	3684	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3684 wrote to memory of 5500	3684	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3684 wrote to memory of 5500	3684	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3684 wrote to memory of 5500	3684	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 3684 wrote to memory of 5440	3684	KtlVtDDtCbxIugvgma5.exe	KtlVtDDtCbxIugvgma5.exe
PID 3684 wrote to memory of 5440	3684	KtlVtDDtCbxIugvgma5.exe	KtlVtDDtCbxIugvgma5.exe
PID 3684 wrote to memory of 5440	3684	KtlVtDDtCbxIugvgma5.exe	KtlVtDDtCbxIugvgma5.exe
PID 5440 wrote to memory of 5172	5440	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 5440 wrote to memory of 5172	5440	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 5440 wrote to memory of 5172	5440	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 5172 wrote to memory of 2516	5172	csc.exe	cvtres.exe
PID 5172 wrote to memory of 2516	5172	csc.exe	cvtres.exe
PID 5172 wrote to memory of 2516	5172	csc.exe	cvtres.exe
PID 5440 wrote to memory of 5080	5440	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 5440 wrote to memory of 5080	5440	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 5440 wrote to memory of 5080	5440	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 5080 wrote to memory of 2140	5080	csc.exe	cvtres.exe
PID 5080 wrote to memory of 2140	5080	csc.exe	cvtres.exe
PID 5080 wrote to memory of 2140	5080	csc.exe	cvtres.exe
PID 5440 wrote to memory of 400	5440	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5440 wrote to memory of 400	5440	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5440 wrote to memory of 400	5440	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5440 wrote to memory of 400	5440	KtlVtDDtCbxIugvgma5.exe	RegAsm.exe
PID 5440 wrote to memory of 1216	5440	KtlVtDDtCbxIugvgma5.exe	KtlVtDDtCbxIugvgma5.exe
PID 5440 wrote to memory of 1216	5440	KtlVtDDtCbxIugvgma5.exe	KtlVtDDtCbxIugvgma5.exe
PID 5440 wrote to memory of 1216	5440	KtlVtDDtCbxIugvgma5.exe	KtlVtDDtCbxIugvgma5.exe
PID 1216 wrote to memory of 2612	1216	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 1216 wrote to memory of 2612	1216	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 1216 wrote to memory of 2612	1216	KtlVtDDtCbxIugvgma5.exe	csc.exe
PID 2612 wrote to memory of 1236	2612	csc.exe	cvtres.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\3a53c78fe9cd7f38f85258a17b37fe6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a53c78fe9cd7f38f85258a17b37fe6e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe 1
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sdff5cgy\sdff5cgy.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A0B.tmp" "c:\Users\Admin\AppData\Local\Temp\sdff5cgy\CSCB13FE3E3A2F6452185A544156C6F4EC.TMP"
4⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l1gs0ah1\l1gs0ah1.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B44.tmp" "c:\Users\Admin\AppData\Local\Temp\l1gs0ah1\CSC6E01159CB70B4BBC9C748923C17BE347.TMP"
4⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2qii0ie\q2qii0ie.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DF3.tmp" "c:\Users\Admin\AppData\Local\Temp\q2qii0ie\CSCBBF16D3634DC49AF9AB2D02D79CF961B.TMP"
5⤵
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v43yr5xn\v43yr5xn.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:5536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EAF.tmp" "c:\Users\Admin\AppData\Local\Temp\v43yr5xn\CSC681B1401B9B4431498E33F813376CBDC.TMP"
5⤵
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5500

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3w0dvpi1\3w0dvpi1.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:5172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES417D.tmp" "c:\Users\Admin\AppData\Local\Temp\3w0dvpi1\CSCB3FE408E1F864149AA7C483B4257FCDA.TMP"
6⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4a1he2hh\4a1he2hh.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4258.tmp" "c:\Users\Admin\AppData\Local\Temp\4a1he2hh\CSCDA895B716384404885A1658D81B459C3.TMP"
6⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:400

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qhty5glq\qhty5glq.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES442D.tmp" "c:\Users\Admin\AppData\Local\Temp\qhty5glq\CSC5E0C6125FDB04C9EA0DE202FA2ADB36F.TMP"
7⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mwyxuuk5\mwyxuuk5.cmdline"
6⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4517.tmp" "c:\Users\Admin\AppData\Local\Temp\mwyxuuk5\CSC63C944AE6FEB4E3681F4231317786662.TMP"
7⤵
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:5472

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0excnv4j\0excnv4j.cmdline"
7⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4844.tmp" "c:\Users\Admin\AppData\Local\Temp\0excnv4j\CSC72B00E75D7CE4CA7B2E712974F8EC83E.TMP"
8⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0pc4q4fx\0pc4q4fx.cmdline"
7⤵
PID:5180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49AB.tmp" "c:\Users\Admin\AppData\Local\Temp\0pc4q4fx\CSC9640F36D1F52477EB29777B8EF99AB42.TMP"
8⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qmugcun4\qmugcun4.cmdline"
8⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C1C.tmp" "c:\Users\Admin\AppData\Local\Temp\qmugcun4\CSC59D389B4A54F474AB1D025E3E844CFB.TMP"
9⤵
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owhw0kgp\owhw0kgp.cmdline"
8⤵
PID:5656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CD8.tmp" "c:\Users\Admin\AppData\Local\Temp\owhw0kgp\CSC778627F464F946F784B1B852C7D4F.TMP"
9⤵
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:5772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:4604

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rsj0no3v\rsj0no3v.cmdline"
9⤵
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EEB.tmp" "c:\Users\Admin\AppData\Local\Temp\rsj0no3v\CSCADD5196DDAFE4321BA77F0F66DF45494.TMP"
10⤵
PID:3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzdvmbyz\uzdvmbyz.cmdline"
9⤵
PID:5784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FE5.tmp" "c:\Users\Admin\AppData\Local\Temp\uzdvmbyz\CSCB78774CE2543495EA472F566B1890BB.TMP"
10⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:4852

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\khnauiyq\khnauiyq.cmdline"
10⤵
PID:3400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5302.tmp" "c:\Users\Admin\AppData\Local\Temp\khnauiyq\CSC7D87A9A48EC24357AF2A5EF5256D3DD1.TMP"
11⤵
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y5t2qiwh\y5t2qiwh.cmdline"
10⤵
PID:6108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES540B.tmp" "c:\Users\Admin\AppData\Local\Temp\y5t2qiwh\CSCC8A03D70C7614BC596284D86E12DE5B4.TMP"
11⤵
PID:3168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:5412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmdkjory\tmdkjory.cmdline"
11⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES566D.tmp" "c:\Users\Admin\AppData\Local\Temp\tmdkjory\CSC99F4DC71C1A84897A2A9EB31846ED1.TMP"
12⤵
PID:5416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jnknxics\jnknxics.cmdline"
11⤵
PID:5760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5738.tmp" "c:\Users\Admin\AppData\Local\Temp\jnknxics\CSC67D07DD868194965BE9F2A5A1C6446F1.TMP"
12⤵
PID:5172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:4632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:4904

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qeynulc3\qeynulc3.cmdline"
12⤵
PID:3756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES590D.tmp" "c:\Users\Admin\AppData\Local\Temp\qeynulc3\CSCF340AA7C6E9B4FFB89E224B5F890D978.TMP"
13⤵
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\henuq4vw\henuq4vw.cmdline"
12⤵
PID:6008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59C8.tmp" "c:\Users\Admin\AppData\Local\Temp\henuq4vw\CSCB0C607E7FE114DDD9440698EADF72FF.TMP"
13⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:6136

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3rgdgyfq\3rgdgyfq.cmdline"
13⤵
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BBC.tmp" "c:\Users\Admin\AppData\Local\Temp\3rgdgyfq\CSC5F09B7CAF38F4ADAB4284D254ED10F6.TMP"
14⤵
PID:5852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ym0wjnj0\ym0wjnj0.cmdline"
13⤵
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C49.tmp" "c:\Users\Admin\AppData\Local\Temp\ym0wjnj0\CSC31DE8EF5865C49C0B8F47782EEABB16.TMP"
14⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u0ai2fli\u0ai2fli.cmdline"
14⤵
PID:6048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E3D.tmp" "c:\Users\Admin\AppData\Local\Temp\u0ai2fli\CSCF3B08C8E50F14E9EB385A6F159C2E7AF.TMP"
15⤵
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcvmzmps\hcvmzmps.cmdline"
14⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EE9.tmp" "c:\Users\Admin\AppData\Local\Temp\hcvmzmps\CSCB8B0D5EC910B422B9284297E48BAD834.TMP"
15⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:1200

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kxdmuejc\kxdmuejc.cmdline"
15⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES611B.tmp" "c:\Users\Admin\AppData\Local\Temp\kxdmuejc\CSCFB9E3C197DF34713A6901051E590FBD0.TMP"
16⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q4xmtbii\q4xmtbii.cmdline"
15⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61E6.tmp" "c:\Users\Admin\AppData\Local\Temp\q4xmtbii\CSCEB9D09AC469445E0A5EA8188E8A953C5.TMP"
16⤵
PID:5384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:3460

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lsafgw2j\lsafgw2j.cmdline"
16⤵
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63EA.tmp" "c:\Users\Admin\AppData\Local\Temp\lsafgw2j\CSC6A9BB4AAEF940A3ACF5E71FE27E5A22.TMP"
17⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vm2p32xz\vm2p32xz.cmdline"
16⤵
PID:5312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64A5.tmp" "c:\Users\Admin\AppData\Local\Temp\vm2p32xz\CSCB9BA2880989D45AC8B58362283495D87.TMP"
17⤵
PID:6080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\csjblc2a\csjblc2a.cmdline"
17⤵
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6699.tmp" "c:\Users\Admin\AppData\Local\Temp\csjblc2a\CSCAD14A7C513C240759C9E95D37C95F81.TMP"
18⤵
PID:5464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ggbyrqms\ggbyrqms.cmdline"
17⤵
PID:5144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6784.tmp" "c:\Users\Admin\AppData\Local\Temp\ggbyrqms\CSCC2981CC3BE7548A295E283B3982AA7DB.TMP"
18⤵
PID:5420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1452

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rw40r22s\rw40r22s.cmdline"
18⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES692A.tmp" "c:\Users\Admin\AppData\Local\Temp\rw40r22s\CSC25D11FA8990D46CFBF987A15D4D33A85.TMP"
19⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmzo5fhr\tmzo5fhr.cmdline"
18⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69D6.tmp" "c:\Users\Admin\AppData\Local\Temp\tmzo5fhr\CSCBF836DBFEA8D44CAB652647DB962671.TMP"
19⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:6008

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzzbe53o\dzzbe53o.cmdline"
19⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BBA.tmp" "c:\Users\Admin\AppData\Local\Temp\dzzbe53o\CSC8194B0106DB14A8BA993DDF65DE84B41.TMP"
20⤵
PID:6016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i2ygfnxu\i2ygfnxu.cmdline"
19⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C75.tmp" "c:\Users\Admin\AppData\Local\Temp\i2ygfnxu\CSCA098797CF3C5438281446DAEA8F02895.TMP"
20⤵
PID:6136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vpmdnbek\vpmdnbek.cmdline"
20⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E79.tmp" "c:\Users\Admin\AppData\Local\Temp\vpmdnbek\CSCFA39B6A3B16F4BE4811889DF2A8120.TMP"
21⤵
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nnepuwai\nnepuwai.cmdline"
20⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F35.tmp" "c:\Users\Admin\AppData\Local\Temp\nnepuwai\CSCE0DACA85A04B46048DDA455D543E4924.TMP"
21⤵
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:5796

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gjmeljsa\gjmeljsa.cmdline"
21⤵
PID:5656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70FA.tmp" "c:\Users\Admin\AppData\Local\Temp\gjmeljsa\CSCE5EE1BC43D2745E7881E4B8C327FB7AE.TMP"
22⤵
PID:5244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sds4z1er\sds4z1er.cmdline"
21⤵
PID:3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7196.tmp" "c:\Users\Admin\AppData\Local\Temp\sds4z1er\CSCE21622951B2940FE949A0DC8895B3D5.TMP"
22⤵
PID:464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:3748

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvm4zwie\gvm4zwie.cmdline"
22⤵
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73D8.tmp" "c:\Users\Admin\AppData\Local\Temp\gvm4zwie\CSC9BDF95871D74E36B73568D71FAEC615.TMP"
23⤵
PID:3168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyz1m3es\iyz1m3es.cmdline"
22⤵
PID:6112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7484.tmp" "c:\Users\Admin\AppData\Local\Temp\iyz1m3es\CSCC8D7F469289C49D6B07D3E28DA51C1A.TMP"
23⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p45fjxab\p45fjxab.cmdline"
23⤵
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7678.tmp" "c:\Users\Admin\AppData\Local\Temp\p45fjxab\CSCE8CEE86F1E594B6F8A99B2D17578404B.TMP"
24⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\menoxwa2\menoxwa2.cmdline"
23⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7743.tmp" "c:\Users\Admin\AppData\Local\Temp\menoxwa2\CSCCBAB04FA4B940BBA544499C676BFA44.TMP"
24⤵
PID:6056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:4888

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wmdp1k0k\wmdp1k0k.cmdline"
24⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78F9.tmp" "c:\Users\Admin\AppData\Local\Temp\wmdp1k0k\CSC34E7E5CAD6654E299A2E32DCA089C168.TMP"
25⤵
PID:5548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ulfpcwfd\ulfpcwfd.cmdline"
24⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79C4.tmp" "c:\Users\Admin\AppData\Local\Temp\ulfpcwfd\CSCA852D12E2F944EC2851B7D59087BCB8.TMP"
25⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:2208

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\spdbu3z1\spdbu3z1.cmdline"
25⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B98.tmp" "c:\Users\Admin\AppData\Local\Temp\spdbu3z1\CSC6E5CC85E51C4103A6AADEC724754F57.TMP"
26⤵
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvetn2vl\yvetn2vl.cmdline"
25⤵
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C73.tmp" "c:\Users\Admin\AppData\Local\Temp\yvetn2vl\CSC39B3B52E34274125BF2AF4F9ED61260.TMP"
26⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:3672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
PID:5544

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jlysa0a2\jlysa0a2.cmdline"
26⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EC5.tmp" "c:\Users\Admin\AppData\Local\Temp\jlysa0a2\CSC2D5E8F49BEE94955982D967EFD1F2D.TMP"
27⤵
PID:5984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bouvccyj\bouvccyj.cmdline"
26⤵
PID:4864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FEE.tmp" "c:\Users\Admin\AppData\Local\Temp\bouvccyj\CSCCF41C9616F544A92B74E7E21BAEDA6F.TMP"
27⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:5540

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l1oj02k3\l1oj02k3.cmdline"
27⤵
PID:5248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82BD.tmp" "c:\Users\Admin\AppData\Local\Temp\l1oj02k3\CSCA5E4216D8E9A40E6A03CBC3E3D4D8C12.TMP"
28⤵
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r3cmdsra\r3cmdsra.cmdline"
27⤵
PID:4868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8397.tmp" "c:\Users\Admin\AppData\Local\Temp\r3cmdsra\CSCFADA54FD33874E4AA240D67EF29FAA3B.TMP"
28⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvxyqfcv\fvxyqfcv.cmdline"
28⤵
PID:5228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8666.tmp" "c:\Users\Admin\AppData\Local\Temp\fvxyqfcv\CSC9C27BF4D4B724FC3BF959A33CC5CDD75.TMP"
29⤵
PID:5680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ry4flna1\ry4flna1.cmdline"
28⤵
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES879F.tmp" "c:\Users\Admin\AppData\Local\Temp\ry4flna1\CSCBDC648DDC224408BB531F6EBA7DFC973.TMP"
29⤵
PID:5696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:5536

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qwk1nqvx\qwk1nqvx.cmdline"
29⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B38.tmp" "c:\Users\Admin\AppData\Local\Temp\qwk1nqvx\CSC1A6AAF13C2D54661BDFDE5D0701BF155.TMP"
30⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ginxwxir\ginxwxir.cmdline"
29⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C71.tmp" "c:\Users\Admin\AppData\Local\Temp\ginxwxir\CSCC3F670D692E4DCEBE31DD7E94D22FA.TMP"
30⤵
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:6052

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
29⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qv2w1bho\qv2w1bho.cmdline"
30⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F4F.tmp" "c:\Users\Admin\AppData\Local\Temp\qv2w1bho\CSC5EBED514528A469FBC6ECB814A2183.TMP"
31⤵
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xl1emdjh\xl1emdjh.cmdline"
30⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES901A.tmp" "c:\Users\Admin\AppData\Local\Temp\xl1emdjh\CSC1EE83EF45A1D4636A66CBB471E4964A7.TMP"
31⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:2648

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
30⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t0mrgk5m\t0mrgk5m.cmdline"
31⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92F9.tmp" "c:\Users\Admin\AppData\Local\Temp\t0mrgk5m\CSC76832D3112C7473AB38A36B6FF666B3.TMP"
32⤵
PID:5192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nyyugcff\nyyugcff.cmdline"
31⤵
PID:6136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9422.tmp" "c:\Users\Admin\AppData\Local\Temp\nyyugcff\CSCDB6C397832D046209A39B2C573BA9BA1.TMP"
32⤵
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ky3vovmb\ky3vovmb.cmdline"
32⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9645.tmp" "c:\Users\Admin\AppData\Local\Temp\ky3vovmb\CSCB1B4FFEDD2314611888AF81A3AB99028.TMP"
33⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u5hudyvi\u5hudyvi.cmdline"
32⤵
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES976D.tmp" "c:\Users\Admin\AppData\Local\Temp\u5hudyvi\CSC6E2C34F035384368ADEEB1ECE13605E.TMP"
33⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:5736

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
32⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0c41m3m\w0c41m3m.cmdline"
33⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A3C.tmp" "c:\Users\Admin\AppData\Local\Temp\w0c41m3m\CSC6607D5F295C94CF0AAD57757E6DDFCDE.TMP"
34⤵
PID:5844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n4ol5k0l\n4ol5k0l.cmdline"
33⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B46.tmp" "c:\Users\Admin\AppData\Local\Temp\n4ol5k0l\CSCB325166C8AF04D2F85D5CDF5B3F0474A.TMP"
34⤵
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
33⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnker5rc\tnker5rc.cmdline"
34⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DF5.tmp" "c:\Users\Admin\AppData\Local\Temp\tnker5rc\CSC3C9501A8E78D4511B1EF4D59DEF7B6B.TMP"
35⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w5ix42tq\w5ix42tq.cmdline"
34⤵
PID:2632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F0F.tmp" "c:\Users\Admin\AppData\Local\Temp\w5ix42tq\CSC9DEDF5DF7CCA4D46B55AE5F1233732.TMP"
35⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:3168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:3928

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
34⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qiy10yra\qiy10yra.cmdline"
35⤵
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA131.tmp" "c:\Users\Admin\AppData\Local\Temp\qiy10yra\CSCE4116020A26B4A6287C887EE4BDDC0B7.TMP"
36⤵
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u5qtr5b5\u5qtr5b5.cmdline"
35⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA21C.tmp" "c:\Users\Admin\AppData\Local\Temp\u5qtr5b5\CSC8EA74DE1FAE8453AABC36DF5A35DEEDD.TMP"
36⤵
PID:4452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
35⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wy2yiwlu\wy2yiwlu.cmdline"
36⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA400.tmp" "c:\Users\Admin\AppData\Local\Temp\wy2yiwlu\CSCC661C1CA2E7C4A5F8558548D988F6B85.TMP"
37⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qubylrjr\qubylrjr.cmdline"
36⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4BC.tmp" "c:\Users\Admin\AppData\Local\Temp\qubylrjr\CSCED8CB069ABF3477DA49E979EEAC73FB7.TMP"
37⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2224

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
36⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n0g42cf0\n0g42cf0.cmdline"
37⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA76B.tmp" "c:\Users\Admin\AppData\Local\Temp\n0g42cf0\CSCD1F88EC75FF944F592F49566AB4D4D4.TMP"
38⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m130lrw0\m130lrw0.cmdline"
37⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA894.tmp" "c:\Users\Admin\AppData\Local\Temp\m130lrw0\CSCDE77A015F058463F945D2AFC46B51D40.TMP"
38⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:2036

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
37⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3kdovpum\3kdovpum.cmdline"
38⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB24.tmp" "c:\Users\Admin\AppData\Local\Temp\3kdovpum\CSC51A7FF39CF6548C083EEC2131642FBB9.TMP"
39⤵
PID:636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p0bejosz\p0bejosz.cmdline"
38⤵
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABEF.tmp" "c:\Users\Admin\AppData\Local\Temp\p0bejosz\CSCB2CBB0EE9E0D4561B9A8C34CEB3E5037.TMP"
39⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
38⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\thkwlkfi\thkwlkfi.cmdline"
39⤵
PID:4328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
40⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE12.tmp" "c:\Users\Admin\AppData\Local\Temp\thkwlkfi\CSCDAA1F7B65854A22817453C35D1747B.TMP"
40⤵
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5lovkhaw\5lovkhaw.cmdline"
39⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF5A.tmp" "c:\Users\Admin\AppData\Local\Temp\5lovkhaw\CSC7A27A36DEA494D949FE19CB1FA55767B.TMP"
40⤵
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1692

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\21x3ksck\21x3ksck.cmdline"
40⤵
PID:5656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1DB.tmp" "c:\Users\Admin\AppData\Local\Temp\21x3ksck\CSC66EB1A127ABD4EFC842D22269F65CC.TMP"
41⤵
PID:5248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o4cy1o1w\o4cy1o1w.cmdline"
40⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2E5.tmp" "c:\Users\Admin\AppData\Local\Temp\o4cy1o1w\CSCB584ECD98FD44AB0AC7266BD64244674.TMP"
41⤵
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cnpj1m4o\cnpj1m4o.cmdline"
41⤵
PID:3756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB517.tmp" "c:\Users\Admin\AppData\Local\Temp\cnpj1m4o\CSC6D357F6CAE7B4934BD89C6F9C8A1C8.TMP"
42⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wzewymk0\wzewymk0.cmdline"
41⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5F2.tmp" "c:\Users\Admin\AppData\Local\Temp\wzewymk0\CSC9B6B0C1AB03B461788A6FFD263CD464.TMP"
42⤵
PID:5696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:3120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:3612

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ksjyc11k\ksjyc11k.cmdline"
42⤵
PID:5668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB834.tmp" "c:\Users\Admin\AppData\Local\Temp\ksjyc11k\CSCA84633FCB0994907AC6C18E585DBE4F5.TMP"
43⤵
PID:3168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gcuuwfiw\gcuuwfiw.cmdline"
42⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB92E.tmp" "c:\Users\Admin\AppData\Local\Temp\gcuuwfiw\CSC4320F903A3C6499BAF7EA3CF9CD3BDE5.TMP"
43⤵
PID:5296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2468

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
42⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymcy2exd\ymcy2exd.cmdline"
43⤵
PID:5412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBBE.tmp" "c:\Users\Admin\AppData\Local\Temp\ymcy2exd\CSCA6BD0EEFDA7244F9BB97A2DADEB0FADB.TMP"
44⤵
PID:5384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kl0m1d43\kl0m1d43.cmdline"
43⤵
PID:5196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD26.tmp" "c:\Users\Admin\AppData\Local\Temp\kl0m1d43\CSC84C05E019E4C406794DE43030796E6.TMP"
44⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:5128

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
43⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pznrsxot\pznrsxot.cmdline"
44⤵
PID:3944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC004.tmp" "c:\Users\Admin\AppData\Local\Temp\pznrsxot\CSC53983BEFB9954AA2B28BEAC53A3007E.TMP"
45⤵
PID:5784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f3k5sces\f3k5sces.cmdline"
44⤵
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC10E.tmp" "c:\Users\Admin\AppData\Local\Temp\f3k5sces\CSC8FA7CC29B48E48A1BC826115837E7E5E.TMP"
45⤵
PID:5240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:408

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sbus3jvv\sbus3jvv.cmdline"
45⤵
PID:5456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC43A.tmp" "c:\Users\Admin\AppData\Local\Temp\sbus3jvv\CSCF45400D1B9084BE48C2A93C3F5B42E9B.TMP"
46⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5reokck2\5reokck2.cmdline"
45⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC563.tmp" "c:\Users\Admin\AppData\Local\Temp\5reokck2\CSC607E9588367D46FB976D284CCED4E31F.TMP"
46⤵
PID:4872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hx0xhlkd\hx0xhlkd.cmdline"
46⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7A5.tmp" "c:\Users\Admin\AppData\Local\Temp\hx0xhlkd\CSC732CA979DB33455FA29F6EEACF042FD.TMP"
47⤵
PID:5660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pm0i32yp\pm0i32yp.cmdline"
46⤵
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC870.tmp" "c:\Users\Admin\AppData\Local\Temp\pm0i32yp\CSCA22B060A3C44DDCA5343F503A46D399.TMP"
47⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:748

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
46⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vov3ba40\vov3ba40.cmdline"
47⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA74.tmp" "c:\Users\Admin\AppData\Local\Temp\vov3ba40\CSCB262084949AD4614A48D9140A89E9843.TMP"
48⤵
PID:6072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0kjq2on\z0kjq2on.cmdline"
47⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB2F.tmp" "c:\Users\Admin\AppData\Local\Temp\z0kjq2on\CSCEF728FD53E5B4E308A4A9C5271DA9BE.TMP"
48⤵
PID:5652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:5380

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
47⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mj4xdg2n\mj4xdg2n.cmdline"
48⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD81.tmp" "c:\Users\Admin\AppData\Local\Temp\mj4xdg2n\CSC1CAE263F797D40DAB42CA6C9BBDE424.TMP"
49⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zcesds2y\zcesds2y.cmdline"
48⤵
PID:6084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE9A.tmp" "c:\Users\Admin\AppData\Local\Temp\zcesds2y\CSCD95C526D4788445D9CE4B8488890F2.TMP"
49⤵
PID:740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:5768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
- Accesses Microsoft Outlook profiles
PID:4464

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
48⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ktdpawdl\ktdpawdl.cmdline"
49⤵
PID:5860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD09E.tmp" "c:\Users\Admin\AppData\Local\Temp\ktdpawdl\CSCB7623786975549C8B3F31EC6B33BC4C.TMP"
50⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zk1i332m\zk1i332m.cmdline"
49⤵
PID:4116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
50⤵
PID:5296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD14A.tmp" "c:\Users\Admin\AppData\Local\Temp\zk1i332m\CSCC29326C6327744C1B2AFAF97FDEBFED.TMP"
50⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3748

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2txdy3x0\2txdy3x0.cmdline"
50⤵
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD37C.tmp" "c:\Users\Admin\AppData\Local\Temp\2txdy3x0\CSCD9F4F776FEE74F98B1623EA019FADDAA.TMP"
51⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjkhw4sw\kjkhw4sw.cmdline"
50⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD457.tmp" "c:\Users\Admin\AppData\Local\Temp\kjkhw4sw\CSC8310C5F1A2A4FEE8C44BC8A16F357FB.TMP"
51⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:5204

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0w5uxcl\o0w5uxcl.cmdline"
51⤵
PID:5392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
52⤵
PID:5784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD707.tmp" "c:\Users\Admin\AppData\Local\Temp\o0w5uxcl\CSC4207A0C2761D418CBA5AFC69C6CC443B.TMP"
52⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awv4nxxn\awv4nxxn.cmdline"
51⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD830.tmp" "c:\Users\Admin\AppData\Local\Temp\awv4nxxn\CSC372A22CA4B084E768D8178ED6C12619C.TMP"
52⤵
PID:5172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:2320

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
51⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvr3zz3k\nvr3zz3k.cmdline"
52⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9F5.tmp" "c:\Users\Admin\AppData\Local\Temp\nvr3zz3k\CSC12AF177D69E240D2B3D0E266A6B3AAE6.TMP"
53⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xsd0lvin\xsd0lvin.cmdline"
52⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAA1.tmp" "c:\Users\Admin\AppData\Local\Temp\xsd0lvin\CSC79A0B7253ED4965BA92F16AE36415CA.TMP"
53⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:5128

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\swoxxe5l\swoxxe5l.cmdline"
53⤵
PID:408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD12.tmp" "c:\Users\Admin\AppData\Local\Temp\swoxxe5l\CSC544EEA902AE94A3CAC171E88D6673C.TMP"
54⤵
PID:4616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ul2vshvw\ul2vshvw.cmdline"
53⤵
PID:5132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDDD.tmp" "c:\Users\Admin\AppData\Local\Temp\ul2vshvw\CSCC4A569CF98D54A3786DDF8DEBADCD67C.TMP"
54⤵
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:4916

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bmrt5xiu\bmrt5xiu.cmdline"
54⤵
PID:4356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:5656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE03E.tmp" "c:\Users\Admin\AppData\Local\Temp\bmrt5xiu\CSC95D0FB6C693E4CDB97A5339DF43CF2CB.TMP"
55⤵
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m4tsq0r5\m4tsq0r5.cmdline"
54⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE157.tmp" "c:\Users\Admin\AppData\Local\Temp\m4tsq0r5\CSCA88BB4E4289A46AFADA99B57F1B3D5E.TMP"
55⤵
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
- Accesses Microsoft Outlook profiles
PID:3904

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
54⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hdrup3v4\hdrup3v4.cmdline"
55⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE38A.tmp" "c:\Users\Admin\AppData\Local\Temp\hdrup3v4\CSCF0AB20A4888F44BF85127C12AB8AE1B3.TMP"
56⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j2ni2qlu\j2ni2qlu.cmdline"
55⤵
PID:2632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
56⤵
PID:5696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE474.tmp" "c:\Users\Admin\AppData\Local\Temp\j2ni2qlu\CSC3DF18132539B422BBE4FF82FA7147061.TMP"
56⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:5148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2936

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sjgptcws\sjgptcws.cmdline"
56⤵
PID:6020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE714.tmp" "c:\Users\Admin\AppData\Local\Temp\sjgptcws\CSC8610EB4A43BA4F6485CE895DE5335BF3.TMP"
57⤵
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x34pmyvz\x34pmyvz.cmdline"
56⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7B0.tmp" "c:\Users\Admin\AppData\Local\Temp\x34pmyvz\CSC6186CCADA4AA49809453321EA36E53FB.TMP"
57⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
- Accesses Microsoft Outlook profiles
PID:1384

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
56⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0re1hse4\0re1hse4.cmdline"
57⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9F2.tmp" "c:\Users\Admin\AppData\Local\Temp\0re1hse4\CSC1B007C2BFBAB483AA792FEE67B34F3E.TMP"
58⤵
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3bkrxate\3bkrxate.cmdline"
57⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA8F.tmp" "c:\Users\Admin\AppData\Local\Temp\3bkrxate\CSCFF8AFFCD71A94FB08D6542D496DF6E8.TMP"
58⤵
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:1456

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0a213kj0\0a213kj0.cmdline"
58⤵
PID:6048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC44.tmp" "c:\Users\Admin\AppData\Local\Temp\0a213kj0\CSCA3D8CF65F9E24583985722EFCF6820A6.TMP"
59⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cawqtttu\cawqtttu.cmdline"
58⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECF0.tmp" "c:\Users\Admin\AppData\Local\Temp\cawqtttu\CSC7EA3DC0BCD604BB9A3968C88FFA1BE55.TMP"
59⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4444

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
58⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cgwbe34x\cgwbe34x.cmdline"
59⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEC5.tmp" "c:\Users\Admin\AppData\Local\Temp\cgwbe34x\CSCF617D5A9D8DE4E3F8592DD774C8126F3.TMP"
60⤵
PID:6040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\se4deu1c\se4deu1c.cmdline"
59⤵
PID:5828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF71.tmp" "c:\Users\Admin\AppData\Local\Temp\se4deu1c\CSCD8276698BACA4E83ABE85EC9B2199.TMP"
60⤵
PID:5456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
- Accesses Microsoft Outlook profiles
PID:5568

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dkzuxbnl\dkzuxbnl.cmdline"
60⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF117.tmp" "c:\Users\Admin\AppData\Local\Temp\dkzuxbnl\CSC72CDE6A18A7147BCA5CDE3BFBBBC7325.TMP"
61⤵
PID:5660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eojnvrr4\eojnvrr4.cmdline"
60⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1A3.tmp" "c:\Users\Admin\AppData\Local\Temp\eojnvrr4\CSC88EFCAFDDFD746E49316D3FB1BB913FF.TMP"
61⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:4632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2096

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
60⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfluqhz2\tfluqhz2.cmdline"
61⤵
PID:3800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3B6.tmp" "c:\Users\Admin\AppData\Local\Temp\tfluqhz2\CSC9DA37777A74D4E7DAA768025CE5C8863.TMP"
62⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pxe1ls1h\pxe1ls1h.cmdline"
61⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4B0.tmp" "c:\Users\Admin\AppData\Local\Temp\pxe1ls1h\CSC2163411B944F4EBE8ECAC8996293CD4.TMP"
62⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2664

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
61⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sdtighjp\sdtighjp.cmdline"
62⤵
PID:5236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7BE.tmp" "c:\Users\Admin\AppData\Local\Temp\sdtighjp\CSC7B01C7D09E2C4B82AD7DFFC88B5D1C3E.TMP"
63⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvrkik11\qvrkik11.cmdline"
62⤵
PID:3132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8A8.tmp" "c:\Users\Admin\AppData\Local\Temp\qvrkik11\CSCE68042C9BB7845A8BC3B34316DE53F8C.TMP"
63⤵
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:4324

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
62⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3wu1lxm1\3wu1lxm1.cmdline"
63⤵
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA8C.tmp" "c:\Users\Admin\AppData\Local\Temp\3wu1lxm1\CSCD2651FB03F354E09B45B02C9BFCFBCE.TMP"
64⤵
PID:5848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxeleibq\wxeleibq.cmdline"
63⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBD5.tmp" "c:\Users\Admin\AppData\Local\Temp\wxeleibq\CSCB9B1A887262477EA9E481ADD8908DC.TMP"
64⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:4504

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ivvrsl5x\ivvrsl5x.cmdline"
64⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEC3.tmp" "c:\Users\Admin\AppData\Local\Temp\ivvrsl5x\CSC8280912129B549EFAD7AEB8D34EE20.TMP"
65⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m5rqvwcn\m5rqvwcn.cmdline"
64⤵
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFFB.tmp" "c:\Users\Admin\AppData\Local\Temp\m5rqvwcn\CSC3BE7A057234043419B351F6557F4699D.TMP"
65⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
- Accesses Microsoft Outlook profiles
PID:1840

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
64⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bzg3cmkj\bzg3cmkj.cmdline"
65⤵
PID:224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DF.tmp" "c:\Users\Admin\AppData\Local\Temp\bzg3cmkj\CSC6EC98DDB63413CA8ECA5FF62F0C29.TMP"
66⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ovfssh0k\ovfssh0k.cmdline"
65⤵
PID:5240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES328.tmp" "c:\Users\Admin\AppData\Local\Temp\ovfssh0k\CSC7DF0B66FBB364660B43C8EF2F922B.TMP"
66⤵
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:5388

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\orocgnsk\orocgnsk.cmdline"
66⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F6.tmp" "c:\Users\Admin\AppData\Local\Temp\orocgnsk\CSCFC984E3218D84201B1314712EF969ED.TMP"
67⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y2tjueh2\y2tjueh2.cmdline"
66⤵
PID:4520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AC.tmp" "c:\Users\Admin\AppData\Local\Temp\y2tjueh2\CSC32B9A7BFBB8C49F9819C3FDA114BDCF3.TMP"
67⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:1716

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
66⤵
- Checks computer location settings
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2rr0pl4\u2rr0pl4.cmdline"
67⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0D.tmp" "c:\Users\Admin\AppData\Local\Temp\u2rr0pl4\CSCE78D41EC79E446809BAC97A1E94F9FA.TMP"
68⤵
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g0ey15sq\g0ey15sq.cmdline"
67⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD8.tmp" "c:\Users\Admin\AppData\Local\Temp\g0ey15sq\CSC60890A23A18747EBBCF42BB1FF3105F.TMP"
68⤵
PID:5788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:5128

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
67⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\byqwb1es\byqwb1es.cmdline"
68⤵
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD6.tmp" "c:\Users\Admin\AppData\Local\Temp\byqwb1es\CSC7C98F6141A8043F796617EB41B2A1560.TMP"
69⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umg4zm4m\umg4zm4m.cmdline"
68⤵
PID:5348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEF.tmp" "c:\Users\Admin\AppData\Local\Temp\umg4zm4m\CSC8B330E691180422DA5F669C5081F08D.TMP"
69⤵
PID:4884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
- Accesses Microsoft Outlook profiles
PID:4340

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
68⤵
- Checks computer location settings
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x1mebf25\x1mebf25.cmdline"
69⤵
PID:3756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES123B.tmp" "c:\Users\Admin\AppData\Local\Temp\x1mebf25\CSC6132EF4F3C45A18087B92877AB3DD0.TMP"
70⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ou4mr5qx\ou4mr5qx.cmdline"
69⤵
PID:5572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1335.tmp" "c:\Users\Admin\AppData\Local\Temp\ou4mr5qx\CSCB15351BBB5984BCC96EA98EB2022D9.TMP"
70⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:1956

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
69⤵
- Checks computer location settings
PID:5848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mh41vwk5\mh41vwk5.cmdline"
70⤵
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1613.tmp" "c:\Users\Admin\AppData\Local\Temp\mh41vwk5\CSCE91B67A0694E89B21D4D61216B3D1.TMP"
71⤵
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vw01z50k\vw01z50k.cmdline"
70⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES174C.tmp" "c:\Users\Admin\AppData\Local\Temp\vw01z50k\CSC8CC0BA9798524E72AEC07696CE0FEA.TMP"
71⤵
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
- Accesses Microsoft Outlook profiles
PID:3652

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
70⤵
- Checks computer location settings
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kgzsfbwu\kgzsfbwu.cmdline"
71⤵
PID:5968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES198E.tmp" "c:\Users\Admin\AppData\Local\Temp\kgzsfbwu\CSC44CD3711DDD4D61888CA2BDB652BD28.TMP"
72⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uwwawoho\uwwawoho.cmdline"
71⤵
PID:1372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A59.tmp" "c:\Users\Admin\AppData\Local\Temp\uwwawoho\CSCD8971516A34D4B5BBD6413DFD965A7A.TMP"
72⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:740

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
71⤵
- Checks computer location settings
PID:5392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jxpdssbq\jxpdssbq.cmdline"
72⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D95.tmp" "c:\Users\Admin\AppData\Local\Temp\jxpdssbq\CSCB0B83816F684EC599F4624A5D4D2155.TMP"
73⤵
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g1v3goae\g1v3goae.cmdline"
72⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EBE.tmp" "c:\Users\Admin\AppData\Local\Temp\g1v3goae\CSCF435C735E7A34D0B9EB52774B8CF4A16.TMP"
73⤵
PID:5312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
- Accesses Microsoft Outlook profiles
PID:1928

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
72⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pvcgdyxq\pvcgdyxq.cmdline"
73⤵
PID:6120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2100.tmp" "c:\Users\Admin\AppData\Local\Temp\pvcgdyxq\CSCDDE13F606A2643209C8F9224FDC5A47F.TMP"
74⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5stl3vu0\5stl3vu0.cmdline"
73⤵
PID:6040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2268.tmp" "c:\Users\Admin\AppData\Local\Temp\5stl3vu0\CSCC4A7810F3FD44E7B96996BF1137BAF8C.TMP"
74⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:5068

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
73⤵
- Checks computer location settings
PID:4520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4yrocmz1\4yrocmz1.cmdline"
74⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24AA.tmp" "c:\Users\Admin\AppData\Local\Temp\4yrocmz1\CSC51D91BAEE5D543DB87CA8EC5CE9935.TMP"
75⤵
PID:408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rgdjjaag\rgdjjaag.cmdline"
74⤵
PID:5856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:5788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25D3.tmp" "c:\Users\Admin\AppData\Local\Temp\rgdjjaag\CSC12EAB08F642746E187FDB0E7C588469.TMP"
75⤵
PID:3280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:2724

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
74⤵
PID:5140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cbfviryq\cbfviryq.cmdline"
75⤵
PID:6068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2834.tmp" "c:\Users\Admin\AppData\Local\Temp\cbfviryq\CSCF3F4C5EE35AF42D0A01B9AA3C05E308A.TMP"
76⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3nxzetyc\3nxzetyc.cmdline"
75⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28EF.tmp" "c:\Users\Admin\AppData\Local\Temp\3nxzetyc\CSC8EFFB9AF2CDA4260813AB0DBD649372A.TMP"
76⤵
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:2096

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
75⤵
PID:5588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v4eadnyw\v4eadnyw.cmdline"
76⤵
PID:4168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B51.tmp" "c:\Users\Admin\AppData\Local\Temp\v4eadnyw\CSC7A902A905D6C4492B0D4609ABFE86883.TMP"
77⤵
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1dbhpu30\1dbhpu30.cmdline"
76⤵
PID:5696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C99.tmp" "c:\Users\Admin\AppData\Local\Temp\1dbhpu30\CSCD6DEC5E2B44E4FB2AB358B237115FA7F.TMP"
77⤵
PID:3272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
- Accesses Microsoft Outlook profiles
PID:5012

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
76⤵
- Checks computer location settings
PID:4836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvospu2l\nvospu2l.cmdline"
77⤵
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F68.tmp" "c:\Users\Admin\AppData\Local\Temp\nvospu2l\CSC6032D54295C4F2E821BD717781BC8.TMP"
78⤵
PID:3660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qbjubzz0\qbjubzz0.cmdline"
77⤵
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3052.tmp" "c:\Users\Admin\AppData\Local\Temp\qbjubzz0\CSCCD7DF8B2B8DE4A6FB2A1B4D66EA181D.TMP"
78⤵
PID:5248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:3144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:5048

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
77⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xbhvxxbx\xbhvxxbx.cmdline"
78⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3265.tmp" "c:\Users\Admin\AppData\Local\Temp\xbhvxxbx\CSC94DED384FF7E4F28A81684557F4FFFDE.TMP"
79⤵
PID:5680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lutf11so\lutf11so.cmdline"
78⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3311.tmp" "c:\Users\Admin\AppData\Local\Temp\lutf11so\CSC7EF839E48444D9180E36A5D11DDB1C1.TMP"
79⤵
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:2524

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
78⤵
PID:3944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwraq2cg\kwraq2cg.cmdline"
79⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES361E.tmp" "c:\Users\Admin\AppData\Local\Temp\kwraq2cg\CSCBB6013C6E5964A7FB7FFA6307C72A21.TMP"
80⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o05ij4hg\o05ij4hg.cmdline"
79⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3767.tmp" "c:\Users\Admin\AppData\Local\Temp\o05ij4hg\CSC61CB7F6EA2804D4AB15797139BBA26FD.TMP"
80⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:3968

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
79⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ws3i4nzb\ws3i4nzb.cmdline"
80⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B8.tmp" "c:\Users\Admin\AppData\Local\Temp\ws3i4nzb\CSC441427F2CCDB41B69AB6DC21C5C916B.TMP"
81⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\11v1lwwx\11v1lwwx.cmdline"
80⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AD2.tmp" "c:\Users\Admin\AppData\Local\Temp\11v1lwwx\CSC7E7A20FD2AC345A8B886B1BAB473A656.TMP"
81⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:5640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:5456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:948

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
80⤵
PID:512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2sqqymo\q2sqqymo.cmdline"
81⤵
PID:5808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DC0.tmp" "c:\Users\Admin\AppData\Local\Temp\q2sqqymo\CSC2BE68B70B9714CBB87BAFE99C2EADC57.TMP"
82⤵
PID:4400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcpedkci\wcpedkci.cmdline"
81⤵
PID:5216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E9A.tmp" "c:\Users\Admin\AppData\Local\Temp\wcpedkci\CSC5BE8A13D583E4FF0A3E79D2D7755C146.TMP"
82⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:1320

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
81⤵
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nzs4t12q\nzs4t12q.cmdline"
82⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES408E.tmp" "c:\Users\Admin\AppData\Local\Temp\nzs4t12q\CSC7AAE3CDC65D04B6392DD960A8FE750.TMP"
83⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhoey1vn\lhoey1vn.cmdline"
82⤵
PID:3592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:6068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4179.tmp" "c:\Users\Admin\AppData\Local\Temp\lhoey1vn\CSC9E0DF72A655D40C990384493E9328F5C.TMP"
83⤵
PID:6116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:5368

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
82⤵
- Checks computer location settings
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ciq3itzn\ciq3itzn.cmdline"
83⤵
PID:3120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4447.tmp" "c:\Users\Admin\AppData\Local\Temp\ciq3itzn\CSCA57D3DC8408647878A2C347187CE24E7.TMP"
84⤵
PID:4300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\02miypfx\02miypfx.cmdline"
83⤵
PID:5700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
84⤵
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4513.tmp" "c:\Users\Admin\AppData\Local\Temp\02miypfx\CSC18C1EFCEBEFF4D4DB0E55DB6A733A997.TMP"
84⤵
PID:5984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
- Accesses Microsoft Outlook profiles
PID:5616

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
83⤵
- Checks computer location settings
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\krud4lxj\krud4lxj.cmdline"
84⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47D2.tmp" "c:\Users\Admin\AppData\Local\Temp\krud4lxj\CSCD0C16737E8B748819DE25A50694AE19.TMP"
85⤵
PID:724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bq51xpv2\bq51xpv2.cmdline"
84⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48DB.tmp" "c:\Users\Admin\AppData\Local\Temp\bq51xpv2\CSC4A859F04220C4328989D73B0EAEE2AB2.TMP"
85⤵
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:2960

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
84⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jnfb0mox\jnfb0mox.cmdline"
85⤵
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AFE.tmp" "c:\Users\Admin\AppData\Local\Temp\jnfb0mox\CSC65D3827DC4914CC78E227323EB23DDC7.TMP"
86⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3hvqoas\q3hvqoas.cmdline"
85⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BE9.tmp" "c:\Users\Admin\AppData\Local\Temp\q3hvqoas\CSC46A0E886BC6446E59BE6265534A446CE.TMP"
86⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
- Accesses Microsoft Outlook profiles
PID:6136

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
85⤵
PID:5096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\praletr1\praletr1.cmdline"
86⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E88.tmp" "c:\Users\Admin\AppData\Local\Temp\praletr1\CSC65CA6E75FB344F80AE3B2144A580D96C.TMP"
87⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vswu4kha\vswu4kha.cmdline"
86⤵
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F92.tmp" "c:\Users\Admin\AppData\Local\Temp\vswu4kha\CSC9DD522B9A33D40558B7E7934F2ADFD44.TMP"
87⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:3504

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
86⤵
- Checks computer location settings
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z2vwhph4\z2vwhph4.cmdline"
87⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5280.tmp" "c:\Users\Admin\AppData\Local\Temp\z2vwhph4\CSCFB4A489A47F547658A1CD9EF6A05E61.TMP"
88⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcx2r2tq\wcx2r2tq.cmdline"
87⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5399.tmp" "c:\Users\Admin\AppData\Local\Temp\wcx2r2tq\CSC24303A8969174FC886D3F97286475220.TMP"
88⤵
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
- Accesses Microsoft Outlook profiles
PID:652

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
87⤵
- Checks computer location settings
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b2ekmwge\b2ekmwge.cmdline"
88⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55DB.tmp" "c:\Users\Admin\AppData\Local\Temp\b2ekmwge\CSC3ED1AA33DF724BC28C5110327DA376C.TMP"
89⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sjgkfwoe\sjgkfwoe.cmdline"
88⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56B6.tmp" "c:\Users\Admin\AppData\Local\Temp\sjgkfwoe\CSC4E2CDA5D52F04C43835FF8E953CA7D.TMP"
89⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:5804

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
88⤵
- Checks computer location settings
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jhgq0bxh\jhgq0bxh.cmdline"
89⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES586C.tmp" "c:\Users\Admin\AppData\Local\Temp\jhgq0bxh\CSCB213573B416C4193A7A5C0AFA78406C.TMP"
90⤵
PID:3944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uus2trtd\uus2trtd.cmdline"
89⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58E9.tmp" "c:\Users\Admin\AppData\Local\Temp\uus2trtd\CSC2C40409DA6C24A698D6367992FECB846.TMP"
90⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:6116

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
89⤵
- Checks computer location settings
PID:3288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5yy3axz\s5yy3axz.cmdline"
90⤵
PID:4784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A9E.tmp" "c:\Users\Admin\AppData\Local\Temp\s5yy3axz\CSCF1C74644649748768C83551EC85C93C.TMP"
91⤵
PID:3592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rzypee20\rzypee20.cmdline"
90⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B69.tmp" "c:\Users\Admin\AppData\Local\Temp\rzypee20\CSCCA223E1B57C24442B4D72D927597736B.TMP"
91⤵
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
- Accesses Microsoft Outlook profiles
PID:4908

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
90⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2k1yxdos\2k1yxdos.cmdline"
91⤵
PID:4256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DBB.tmp" "c:\Users\Admin\AppData\Local\Temp\2k1yxdos\CSC2F2B98165174225B23E1E5BD9EE6.TMP"
92⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bs2o4ups\bs2o4ups.cmdline"
91⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E96.tmp" "c:\Users\Admin\AppData\Local\Temp\bs2o4ups\CSC2B517DCEB59C4FA091DE50A14274B17.TMP"
92⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:4288

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
91⤵
- Checks computer location settings
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ygffovgg\ygffovgg.cmdline"
92⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61B3.tmp" "c:\Users\Admin\AppData\Local\Temp\ygffovgg\CSC673568A61C1A401DAF9A70AA1C183A9.TMP"
93⤵
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v5p2uj51\v5p2uj51.cmdline"
92⤵
PID:4616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:5140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES627E.tmp" "c:\Users\Admin\AppData\Local\Temp\v5p2uj51\CSC5851A8050E3466A8B23BA5D35B7E288.TMP"
93⤵
PID:3352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:2420

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
92⤵
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t0s5g4ve\t0s5g4ve.cmdline"
93⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES651E.tmp" "c:\Users\Admin\AppData\Local\Temp\t0s5g4ve\CSCEED00986EF4341FFB4D767B9F2651EB3.TMP"
94⤵
PID:5976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zv330w4d\zv330w4d.cmdline"
93⤵
PID:1948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
94⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6666.tmp" "c:\Users\Admin\AppData\Local\Temp\zv330w4d\CSCE776F4437F6E4F598D3277B75B3D4933.TMP"
94⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
- Accesses Microsoft Outlook profiles
PID:4556

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
93⤵
PID:4468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0w42ai0m\0w42ai0m.cmdline"
94⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6889.tmp" "c:\Users\Admin\AppData\Local\Temp\0w42ai0m\CSC456AECF8D2F94D2EAFD16DFE15CC2C4.TMP"
95⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yt1fzqtl\yt1fzqtl.cmdline"
94⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6954.tmp" "c:\Users\Admin\AppData\Local\Temp\yt1fzqtl\CSC38449AEB7C3C448FB054A0CF6C9498.TMP"
95⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:5196

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
94⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1pbkjauc\1pbkjauc.cmdline"
95⤵
PID:5648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BF4.tmp" "c:\Users\Admin\AppData\Local\Temp\1pbkjauc\CSCFD9B6967C1D64AE9A29928E5329DE4E.TMP"
96⤵
PID:5532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ygv5l42k\ygv5l42k.cmdline"
95⤵
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CAF.tmp" "c:\Users\Admin\AppData\Local\Temp\ygv5l42k\CSCD14D35822C1B481D965BD62B293933DC.TMP"
96⤵
PID:6092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:4904

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
95⤵
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjqp3roq\wjqp3roq.cmdline"
96⤵
PID:4400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E94.tmp" "c:\Users\Admin\AppData\Local\Temp\wjqp3roq\CSC54F243E33F3D4AE1BE8BCFBCDD7AE8F.TMP"
97⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k1hceb1h\k1hceb1h.cmdline"
96⤵
PID:3280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F4F.tmp" "c:\Users\Admin\AppData\Local\Temp\k1hceb1h\CSCA2833B3E529C48689A4C3E05BF658CA.TMP"
97⤵
PID:3944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2820

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
96⤵
- Checks computer location settings
PID:5856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3kkuchs\a3kkuchs.cmdline"
97⤵
PID:3852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
98⤵
PID:5804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7133.tmp" "c:\Users\Admin\AppData\Local\Temp\a3kkuchs\CSC5817E7E228E044FCA9707EC725C34829.TMP"
98⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mezwchji\mezwchji.cmdline"
97⤵
PID:4716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71EF.tmp" "c:\Users\Admin\AppData\Local\Temp\mezwchji\CSC89109F859E403E97A0313AB2BEB992.TMP"
98⤵
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:4300

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
97⤵
PID:5372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bpfeichm\bpfeichm.cmdline"
98⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7431.tmp" "c:\Users\Admin\AppData\Local\Temp\bpfeichm\CSCE11643BE1EB141A79BD5C12DBB55E994.TMP"
99⤵
PID:452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\elkff1t0\elkff1t0.cmdline"
98⤵
PID:5368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74ED.tmp" "c:\Users\Admin\AppData\Local\Temp\elkff1t0\CSC66C835BCDF3747B4AABD634D91B2DDAB.TMP"
99⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:640

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
98⤵
- Checks computer location settings
PID:6068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jmq1x3z\5jmq1x3z.cmdline"
99⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7700.tmp" "c:\Users\Admin\AppData\Local\Temp\5jmq1x3z\CSCF993FF0F31A04A9B89FF7EECAAC821.TMP"
100⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qipzdpjk\qipzdpjk.cmdline"
99⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77AC.tmp" "c:\Users\Admin\AppData\Local\Temp\qipzdpjk\CSCF04D529A8EE944A59ECB5D2856C2A13.TMP"
100⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
- Accesses Microsoft Outlook profiles
PID:3764

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
99⤵
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vj40vmch\vj40vmch.cmdline"
100⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79EE.tmp" "c:\Users\Admin\AppData\Local\Temp\vj40vmch\CSC63BEDF0050B5481297B02C9DDDC283B.TMP"
101⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wd2cishh\wd2cishh.cmdline"
100⤵
PID:1424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AE8.tmp" "c:\Users\Admin\AppData\Local\Temp\wd2cishh\CSCC0223893F7944722873A66BB591A85EE.TMP"
101⤵
PID:5832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2428

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
100⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ljo13dy3\ljo13dy3.cmdline"
101⤵
PID:3416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
102⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D0B.tmp" "c:\Users\Admin\AppData\Local\Temp\ljo13dy3\CSCEDF4243ED87C49CDBBBD9D82FEB74F4C.TMP"
102⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\batauvyy\batauvyy.cmdline"
101⤵
PID:5420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DE5.tmp" "c:\Users\Admin\AppData\Local\Temp\batauvyy\CSCF4570CDFBBC14D5F8F19A9ED3944C2D.TMP"
102⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:3016

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
101⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jyqr4kbt\jyqr4kbt.cmdline"
102⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FF9.tmp" "c:\Users\Admin\AppData\Local\Temp\jyqr4kbt\CSC4D1EDA4397B842318E4B8598162541AE.TMP"
103⤵
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rzzgdvun\rzzgdvun.cmdline"
102⤵
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80B4.tmp" "c:\Users\Admin\AppData\Local\Temp\rzzgdvun\CSCD347CD4C46624A04A2A1B6C6C47EDF40.TMP"
103⤵
PID:6120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:3504

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
102⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqlwgivq\qqlwgivq.cmdline"
103⤵
PID:2388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
104⤵
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8344.tmp" "c:\Users\Admin\AppData\Local\Temp\qqlwgivq\CSCD3E1CE6886648D7B5395747CDB9555.TMP"
104⤵
PID:5196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvqjt5gf\vvqjt5gf.cmdline"
103⤵
PID:5588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8410.tmp" "c:\Users\Admin\AppData\Local\Temp\vvqjt5gf\CSC37759D2423B451AAB4144978533D8.TMP"
104⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:5272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:4580

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
103⤵
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pdwfny0e\pdwfny0e.cmdline"
104⤵
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86A0.tmp" "c:\Users\Admin\AppData\Local\Temp\pdwfny0e\CSCD46D673DCD0A4BEB8AE48D67EB8D1A8.TMP"
105⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bxgtf0b1\bxgtf0b1.cmdline"
104⤵
PID:5572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87A9.tmp" "c:\Users\Admin\AppData\Local\Temp\bxgtf0b1\CSC496FC87F88E747499FE5FDE261293324.TMP"
105⤵
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:5448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
- Accesses Microsoft Outlook profiles
PID:5788

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
104⤵
- Checks computer location settings
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\da1xxq3d\da1xxq3d.cmdline"
105⤵
PID:6044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
106⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89AD.tmp" "c:\Users\Admin\AppData\Local\Temp\da1xxq3d\CSC491CB6CDC476442D975C2FDF7518990.TMP"
106⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\idtbairo\idtbairo.cmdline"
105⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A78.tmp" "c:\Users\Admin\AppData\Local\Temp\idtbairo\CSCBAC5EE34A2A140FD886C61A62D889E21.TMP"
106⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:3184

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
105⤵
PID:3452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h4luwefa\h4luwefa.cmdline"
106⤵
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CCA.tmp" "c:\Users\Admin\AppData\Local\Temp\h4luwefa\CSC1EAB11F1A9524703A15387EE8F93454D.TMP"
107⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wnaa1z1g\wnaa1z1g.cmdline"
106⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DB4.tmp" "c:\Users\Admin\AppData\Local\Temp\wnaa1z1g\CSCFFCDBE9824748D29A378BFFA8E3C08C.TMP"
107⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:4852

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
106⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aw4hgaic\aw4hgaic.cmdline"
107⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9083.tmp" "c:\Users\Admin\AppData\Local\Temp\aw4hgaic\CSC4D2100775D2842E5B32C345149397410.TMP"
108⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wlmsylbi\wlmsylbi.cmdline"
107⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES911F.tmp" "c:\Users\Admin\AppData\Local\Temp\wlmsylbi\CSC6874C5C773E941C78EE664CC92928A16.TMP"
108⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:5644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
- Accesses Microsoft Outlook profiles
PID:5616

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
107⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0vgxkxq\f0vgxkxq.cmdline"
108⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9304.tmp" "c:\Users\Admin\AppData\Local\Temp\f0vgxkxq\CSCBA199CD4BB5F468A8AE335ED6318E8C3.TMP"
109⤵
PID:5436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iv33z2yd\iv33z2yd.cmdline"
108⤵
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES940D.tmp" "c:\Users\Admin\AppData\Local\Temp\iv33z2yd\CSC3A9572FF670D48D6A0CD4069DC6CFAD2.TMP"
109⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:3544

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
108⤵
PID:5136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yiiadbvz\yiiadbvz.cmdline"
109⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES968E.tmp" "c:\Users\Admin\AppData\Local\Temp\yiiadbvz\CSCE77A0FB66DD24AF080DB5CC655EEB99.TMP"
110⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tonvbfux\tonvbfux.cmdline"
109⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97B7.tmp" "c:\Users\Admin\AppData\Local\Temp\tonvbfux\CSC6E36F36BC0414C64AEEF96138B38B4A5.TMP"
110⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:5676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
- Accesses Microsoft Outlook profiles
PID:5728

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
109⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ugbhyheg\ugbhyheg.cmdline"
110⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A86.tmp" "c:\Users\Admin\AppData\Local\Temp\ugbhyheg\CSC5F7F4C883CC45DA92F0A0D08B637575.TMP"
111⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\asmofo1t\asmofo1t.cmdline"
110⤵
PID:5524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B60.tmp" "c:\Users\Admin\AppData\Local\Temp\asmofo1t\CSC37741187D80A464EB3F8CCD3AEB84EC7.TMP"
111⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2636

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
110⤵
- Checks computer location settings
PID:5048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nbowel30\nbowel30.cmdline"
111⤵
PID:4780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
112⤵
PID:5588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D83.tmp" "c:\Users\Admin\AppData\Local\Temp\nbowel30\CSC3DEA41D89EA649C1BA044F6CC1279E8.TMP"
112⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\51sf3eiy\51sf3eiy.cmdline"
111⤵
PID:5852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
112⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E4E.tmp" "c:\Users\Admin\AppData\Local\Temp\51sf3eiy\CSC8C39E54A536D41E2992C62DFA1B4AF65.TMP"
112⤵
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
- Accesses Microsoft Outlook profiles
PID:1356

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
111⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hqh3ahce\hqh3ahce.cmdline"
112⤵
PID:664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA062.tmp" "c:\Users\Admin\AppData\Local\Temp\hqh3ahce\CSC84E1EEC875B34917A5C610F0BACAFAF9.TMP"
113⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0kcc2b3\f0kcc2b3.cmdline"
112⤵
PID:5476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA14C.tmp" "c:\Users\Admin\AppData\Local\Temp\f0kcc2b3\CSC6FA402EFF1AC4E088E86108A96E3804C.TMP"
113⤵
PID:3636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1484

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
112⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lyuk51gy\lyuk51gy.cmdline"
113⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA340.tmp" "c:\Users\Admin\AppData\Local\Temp\lyuk51gy\CSCD8D142158BBD40088D776920531CA4C8.TMP"
114⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ckfljxw\4ckfljxw.cmdline"
113⤵
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA41B.tmp" "c:\Users\Admin\AppData\Local\Temp\4ckfljxw\CSC284947BD9F754F65945C58A5BAE9929D.TMP"
114⤵
PID:6024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:5552

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
113⤵
- Checks computer location settings
PID:5060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bq5fo0b4\bq5fo0b4.cmdline"
114⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6CA.tmp" "c:\Users\Admin\AppData\Local\Temp\bq5fo0b4\CSC73F9551CF10840D99F4EC92FB222406F.TMP"
115⤵
PID:3184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\emszypwm\emszypwm.cmdline"
114⤵
PID:5568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E3.tmp" "c:\Users\Admin\AppData\Local\Temp\emszypwm\CSC352E8B4242CE4154ADBBD6FC3EA876A1.TMP"
115⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
- Accesses Microsoft Outlook profiles
PID:5472

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
114⤵
PID:5332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o230phsw\o230phsw.cmdline"
115⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9C8.tmp" "c:\Users\Admin\AppData\Local\Temp\o230phsw\CSCD38E9E7371CA4F399F1C6535A8AB7BB.TMP"
116⤵
PID:4736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sdegtdlz\sdegtdlz.cmdline"
115⤵
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAE1.tmp" "c:\Users\Admin\AppData\Local\Temp\sdegtdlz\CSC3B26E9A9B361414C9EBA568A7795A1A6.TMP"
116⤵
PID:3540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:5436

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
115⤵
- Checks computer location settings
PID:3972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yaxvyido\yaxvyido.cmdline"
116⤵
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD23.tmp" "c:\Users\Admin\AppData\Local\Temp\yaxvyido\CSCA8DC7B785FE74CD18C4E2FD57B412472.TMP"
117⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q4wlelkw\q4wlelkw.cmdline"
116⤵
PID:6056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE2D.tmp" "c:\Users\Admin\AppData\Local\Temp\q4wlelkw\CSCDBA990C84B744BFAA665566D452B725.TMP"
117⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:6004

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
116⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gbncbs5y\gbncbs5y.cmdline"
117⤵
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB10B.tmp" "c:\Users\Admin\AppData\Local\Temp\gbncbs5y\CSC98FEDC4BB1D47B3A0B6859A6A1AFFE1.TMP"
118⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\imqejezy\imqejezy.cmdline"
117⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB224.tmp" "c:\Users\Admin\AppData\Local\Temp\imqejezy\CSC4CB80AE4A9244D9CA31D1CCFD8D12217.TMP"
118⤵
PID:4244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
- Accesses Microsoft Outlook profiles
PID:5976

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
117⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sx2gec0r\sx2gec0r.cmdline"
118⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4C4.tmp" "c:\Users\Admin\AppData\Local\Temp\sx2gec0r\CSC401E367F6AA047268A414D7DC9AEA167.TMP"
119⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tlh1cset\tlh1cset.cmdline"
118⤵
PID:5096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5BE.tmp" "c:\Users\Admin\AppData\Local\Temp\tlh1cset\CSC341B7E0AE0614601B63BB243F8BEB09E.TMP"
119⤵
PID:3380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:2036

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
118⤵
- Checks computer location settings
PID:5524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\giyzvbzr\giyzvbzr.cmdline"
119⤵
PID:4800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
120⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB88D.tmp" "c:\Users\Admin\AppData\Local\Temp\giyzvbzr\CSC1A4E8371F7DB47C687B73062D2F54943.TMP"
120⤵
PID:6108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ijffkpi\1ijffkpi.cmdline"
119⤵
PID:5720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
120⤵
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB987.tmp" "c:\Users\Admin\AppData\Local\Temp\1ijffkpi\CSC51F4A76CCAC495CB2C3DB5BC139783B.TMP"
120⤵
PID:804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:5268

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
119⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c2kcbhkj\c2kcbhkj.cmdline"
120⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB9A.tmp" "c:\Users\Admin\AppData\Local\Temp\c2kcbhkj\CSCC268938ADE6741FD8574D71EE678D6C.TMP"
121⤵
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zqa3xz5q\zqa3xz5q.cmdline"
120⤵
PID:5348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC94.tmp" "c:\Users\Admin\AppData\Local\Temp\zqa3xz5q\CSC64855A7C46FC491FA923DB6C567079B.TMP"
121⤵
PID:4424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:3856

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
120⤵
- Checks computer location settings
PID:5236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0yw23cwo\0yw23cwo.cmdline"
121⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEF6.tmp" "c:\Users\Admin\AppData\Local\Temp\0yw23cwo\CSC2F1F8AA48B124CF1B5EAD6D712CA784.TMP"
122⤵
PID:4796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ixvh5rji\ixvh5rji.cmdline"
121⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFFF.tmp" "c:\Users\Admin\AppData\Local\Temp\ixvh5rji\CSC7DB25A202B3C40EFB623F924F03F87F6.TMP"
122⤵
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
- Accesses Microsoft Outlook profiles
PID:5640

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
121⤵
- Checks computer location settings
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ubdujhn3\ubdujhn3.cmdline"
122⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC251.tmp" "c:\Users\Admin\AppData\Local\Temp\ubdujhn3\CSC5ADFA1F2A5004C36AA201319CC6371C0.TMP"
123⤵
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cx0qevat\cx0qevat.cmdline"
122⤵
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2ED.tmp" "c:\Users\Admin\AppData\Local\Temp\cx0qevat\CSC737BC62FA1B47338951DCABCD77C3C7.TMP"
123⤵
PID:5788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:5604

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
122⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zh4ehpcz\zh4ehpcz.cmdline"
123⤵
PID:2596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
124⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC59D.tmp" "c:\Users\Admin\AppData\Local\Temp\zh4ehpcz\CSC6876300A14B84CA2A83F9FE7214EDC19.TMP"
124⤵
PID:620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wvlavvkj\wvlavvkj.cmdline"
123⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC687.tmp" "c:\Users\Admin\AppData\Local\Temp\wvlavvkj\CSC9C939CFB4A454A58AB99F79E225B3C1F.TMP"
124⤵
PID:5696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
- Accesses Microsoft Outlook profiles
PID:3132

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
123⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4c0ploqj\4c0ploqj.cmdline"
124⤵
PID:3672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC87B.tmp" "c:\Users\Admin\AppData\Local\Temp\4c0ploqj\CSCA9453A7CC02F4F5691FF19AEF2BCF96.TMP"
125⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uu2qjx3z\uu2qjx3z.cmdline"
124⤵
PID:3348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC946.tmp" "c:\Users\Admin\AppData\Local\Temp\uu2qjx3z\CSCB3AC9B598D14491EB78B3F5C2D26C2E5.TMP"
125⤵
PID:6084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2724

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
124⤵
- Checks computer location settings
PID:5472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\chtwj2hv\chtwj2hv.cmdline"
125⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB69.tmp" "c:\Users\Admin\AppData\Local\Temp\chtwj2hv\CSCAF7EEE6669634201A6C4BC6C7C7144CE.TMP"
126⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vzjhz3yx\vzjhz3yx.cmdline"
125⤵
PID:5964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB1.tmp" "c:\Users\Admin\AppData\Local\Temp\vzjhz3yx\CSC1762ABE151B94D6ABFC2FD86E16745E3.TMP"
126⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:6004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:6040

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
125⤵
- Checks computer location settings
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5rvtuqpg\5rvtuqpg.cmdline"
126⤵
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF42.tmp" "c:\Users\Admin\AppData\Local\Temp\5rvtuqpg\CSC63F11462CBDF4B34A7DEB8698712A980.TMP"
127⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bm4z1vls\bm4z1vls.cmdline"
126⤵
PID:5468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0A9.tmp" "c:\Users\Admin\AppData\Local\Temp\bm4z1vls\CSC404D5A4D6FA3461DACF662E19EB4D9F.TMP"
127⤵
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
- Accesses Microsoft Outlook profiles
PID:3416

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
126⤵
- Checks computer location settings
PID:3972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3gktcdou\3gktcdou.cmdline"
127⤵
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2FB.tmp" "c:\Users\Admin\AppData\Local\Temp\3gktcdou\CSCA21B3CA29C354B498DD5D6A7C6E6FEE.TMP"
128⤵
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1atv0wlx\1atv0wlx.cmdline"
127⤵
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3B6.tmp" "c:\Users\Admin\AppData\Local\Temp\1atv0wlx\CSC38657994168A4F68933FA1CF9ED526D0.TMP"
128⤵
PID:5976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:1212

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
127⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjmpydah\kjmpydah.cmdline"
128⤵
PID:5768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD637.tmp" "c:\Users\Admin\AppData\Local\Temp\kjmpydah\CSCEA344715A40C42268B4F4DA52652366F.TMP"
129⤵
PID:5500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dbwsku4j\dbwsku4j.cmdline"
128⤵
PID:4372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD740.tmp" "c:\Users\Admin\AppData\Local\Temp\dbwsku4j\CSCB2E7071859434B558FC6546A1AE9F7F2.TMP"
129⤵
PID:4604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
- Accesses Microsoft Outlook profiles
PID:228

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
128⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jkh1vitt\jkh1vitt.cmdline"
129⤵
PID:4656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9D1.tmp" "c:\Users\Admin\AppData\Local\Temp\jkh1vitt\CSCA9C866F96934A508E14A68068877AE.TMP"
130⤵
PID:4808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2k4ugzeh\2k4ugzeh.cmdline"
129⤵
PID:4324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAEA.tmp" "c:\Users\Admin\AppData\Local\Temp\2k4ugzeh\CSCB24EEDEC16ED45A8A38DA4DA2B6EFA74.TMP"
130⤵
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:2516

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
129⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bfjnntpp\bfjnntpp.cmdline"
130⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD6B.tmp" "c:\Users\Admin\AppData\Local\Temp\bfjnntpp\CSCD99D991589FD4E6D8F1CE757DF5AAD8.TMP"
131⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iacwu5j0\iacwu5j0.cmdline"
130⤵
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:5568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE65.tmp" "c:\Users\Admin\AppData\Local\Temp\iacwu5j0\CSCAE0FD51DD92A4291A057CF43BF3718A.TMP"
131⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
- Accesses Microsoft Outlook profiles
PID:5552

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
130⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnpfnlyx\xnpfnlyx.cmdline"
131⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE124.tmp" "c:\Users\Admin\AppData\Local\Temp\xnpfnlyx\CSCA864941D4B9E4DD2898CE895CFE373A2.TMP"
132⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gi14kd3r\gi14kd3r.cmdline"
131⤵
PID:5512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
132⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE24D.tmp" "c:\Users\Admin\AppData\Local\Temp\gi14kd3r\CSCD0323A562F614BE6980BE2A28C44.TMP"
132⤵
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:5132

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
131⤵
- Checks computer location settings
PID:4844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a4bs1p03\a4bs1p03.cmdline"
132⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE460.tmp" "c:\Users\Admin\AppData\Local\Temp\a4bs1p03\CSCD2007DE4105F4F328682E49BF192FD53.TMP"
133⤵
PID:5636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lddgbslo\lddgbslo.cmdline"
132⤵
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE54A.tmp" "c:\Users\Admin\AppData\Local\Temp\lddgbslo\CSCB35A5104B3A49F6BCF87592A858F6D6.TMP"
133⤵
PID:5380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
- Accesses Microsoft Outlook profiles
PID:3616

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
132⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mezaxzfy\mezaxzfy.cmdline"
133⤵
PID:5760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE77D.tmp" "c:\Users\Admin\AppData\Local\Temp\mezaxzfy\CSC78B47BF4FB504963B4514A2B714631CA.TMP"
134⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3cgocrst\3cgocrst.cmdline"
133⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE848.tmp" "c:\Users\Admin\AppData\Local\Temp\3cgocrst\CSC2B06EDB0CFBC45FB9B5CB0958EDA6197.TMP"
134⤵
PID:5084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:4612

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
133⤵
- Checks computer location settings
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4traekfb\4traekfb.cmdline"
134⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA5B.tmp" "c:\Users\Admin\AppData\Local\Temp\4traekfb\CSC3B635363F64079BC16B161F85F6114.TMP"
135⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mbjxugq3\mbjxugq3.cmdline"
134⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB36.tmp" "c:\Users\Admin\AppData\Local\Temp\mbjxugq3\CSC6C67CB5C82984E3A8D5CA55A4A29291.TMP"
135⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:5676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:3028

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
134⤵
PID:6016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yjkc2hko\yjkc2hko.cmdline"
135⤵
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDD6.tmp" "c:\Users\Admin\AppData\Local\Temp\yjkc2hko\CSC723CBE3A99344C479225A2C96288572.TMP"
136⤵
PID:5608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cyamunby\cyamunby.cmdline"
135⤵
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEB0.tmp" "c:\Users\Admin\AppData\Local\Temp\cyamunby\CSC9258CD4BED9B41F19A7AB4C1F8ECC880.TMP"
136⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:6020

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
135⤵
- Checks computer location settings
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\saasbphd\saasbphd.cmdline"
136⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF095.tmp" "c:\Users\Admin\AppData\Local\Temp\saasbphd\CSC52FD6282DD914497AEF69BC8CD158BD6.TMP"
137⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fuixqyyr\fuixqyyr.cmdline"
136⤵
PID:3720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF19E.tmp" "c:\Users\Admin\AppData\Local\Temp\fuixqyyr\CSCF3B784B7A9254CFDB55E5F7E5A86F20.TMP"
137⤵
PID:5768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2672

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
136⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rjevikw1\rjevikw1.cmdline"
137⤵
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
138⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3A2.tmp" "c:\Users\Admin\AppData\Local\Temp\rjevikw1\CSC5090ED29B0947E290BE1A3985D11EE.TMP"
138⤵
PID:4808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qm43e0ws\qm43e0ws.cmdline"
137⤵
PID:4072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF44E.tmp" "c:\Users\Admin\AppData\Local\Temp\qm43e0ws\CSC2550EDAABCF64659B2BCE587BC7906D.TMP"
138⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:3684

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
137⤵
PID:5960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v2iwataa\v2iwataa.cmdline"
138⤵
PID:5456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF632.tmp" "c:\Users\Admin\AppData\Local\Temp\v2iwataa\CSCF3C40A92E8E5423C9FFD948B1166DED7.TMP"
139⤵
PID:636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\knyevvmo\knyevvmo.cmdline"
138⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6DE.tmp" "c:\Users\Admin\AppData\Local\Temp\knyevvmo\CSC7013EA283BC549888B7BA12F6AC36978.TMP"
139⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
- Accesses Microsoft Outlook profiles
PID:5012

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
138⤵
- Checks computer location settings
PID:3352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3n3gebxj\3n3gebxj.cmdline"
139⤵
PID:608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF874.tmp" "c:\Users\Admin\AppData\Local\Temp\3n3gebxj\CSC50B39D0CCE824D3EB8F61A9DB2C46EE.TMP"
140⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\keiyb0wc\keiyb0wc.cmdline"
139⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF911.tmp" "c:\Users\Admin\AppData\Local\Temp\keiyb0wc\CSCEF773A9BB691484B851862BFF7AC449.TMP"
140⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:372

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
139⤵
- Checks computer location settings
PID:5288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vw0ukfyt\vw0ukfyt.cmdline"
140⤵
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA97.tmp" "c:\Users\Admin\AppData\Local\Temp\vw0ukfyt\CSC5D37CD937D4A48298B1BF0F6A372C64.TMP"
141⤵
PID:3144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d1bkcp3a\d1bkcp3a.cmdline"
140⤵
PID:5552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB43.tmp" "c:\Users\Admin\AppData\Local\Temp\d1bkcp3a\CSCBA485FA0878742A5A32BB30AF35A4FA.TMP"
141⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:4464

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
140⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\01mrqvbg\01mrqvbg.cmdline"
141⤵
PID:3348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCBA.tmp" "c:\Users\Admin\AppData\Local\Temp\01mrqvbg\CSC883E54E7A42F4FAAB2D059676957C297.TMP"
142⤵
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\44urravb\44urravb.cmdline"
141⤵
PID:5416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD66.tmp" "c:\Users\Admin\AppData\Local\Temp\44urravb\CSC4AE66A173C864DA3A8E5A21CB33F1542.TMP"
142⤵
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
- Accesses Microsoft Outlook profiles
PID:1116

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
141⤵
- Checks computer location settings
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o02o2rug\o02o2rug.cmdline"
142⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF1C.tmp" "c:\Users\Admin\AppData\Local\Temp\o02o2rug\CSCA5D4A563F07B43E5A4416B79E8F06C7F.TMP"
143⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0qyzfxxt\0qyzfxxt.cmdline"
142⤵
PID:4448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF99.tmp" "c:\Users\Admin\AppData\Local\Temp\0qyzfxxt\CSC1D8DF3CF4EB54CFAADCB7460F04D9066.TMP"
143⤵
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:5220

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
142⤵
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0dc5frp\a0dc5frp.cmdline"
143⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13E.tmp" "c:\Users\Admin\AppData\Local\Temp\a0dc5frp\CSC3BAD0445C1EE4598898A4AB254678497.TMP"
144⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3u45z0qy\3u45z0qy.cmdline"
143⤵
PID:5804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AC.tmp" "c:\Users\Admin\AppData\Local\Temp\3u45z0qy\CSC6502E57D51804BD79BB7FA4C591B23A.TMP"
144⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:4428

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
143⤵
- Checks computer location settings
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0bpzztyf\0bpzztyf.cmdline"
144⤵
PID:4352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES361.tmp" "c:\Users\Admin\AppData\Local\Temp\0bpzztyf\CSC171572962E604D69A58F15A782757BA1.TMP"
145⤵
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wyak3oio\wyak3oio.cmdline"
144⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42C.tmp" "c:\Users\Admin\AppData\Local\Temp\wyak3oio\CSC1CA3CF1553944F148976A89B55EB9E4A.TMP"
145⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3720

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
144⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iupysn5f\iupysn5f.cmdline"
145⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES611.tmp" "c:\Users\Admin\AppData\Local\Temp\iupysn5f\CSC28332B1F19C14C6EA47D21A055E0E5CA.TMP"
146⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\14c5nsns\14c5nsns.cmdline"
145⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CC.tmp" "c:\Users\Admin\AppData\Local\Temp\14c5nsns\CSCE73C6E9085764606B5165953E1D62EE.TMP"
146⤵
PID:4424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:4528

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
145⤵
- Checks computer location settings
PID:876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2g2w13vq\2g2w13vq.cmdline"
146⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B1.tmp" "c:\Users\Admin\AppData\Local\Temp\2g2w13vq\CSC69DC0678F3404C8CB463AD71926D39.TMP"
147⤵
PID:6136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ucwnaqaq\ucwnaqaq.cmdline"
146⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94D.tmp" "c:\Users\Admin\AppData\Local\Temp\ucwnaqaq\CSC9630E3C62254750AC33442AAD9DFC62.TMP"
147⤵
PID:5968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:3628

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
146⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f2g1mzp4\f2g1mzp4.cmdline"
147⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB41.tmp" "c:\Users\Admin\AppData\Local\Temp\f2g1mzp4\CSC6AE86905805B424CA9D8C5357019395.TMP"
148⤵
PID:3540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3qinetz\a3qinetz.cmdline"
147⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBE.tmp" "c:\Users\Admin\AppData\Local\Temp\a3qinetz\CSC4F4DAA68EEB642A083FC7FDBB387CE55.TMP"
148⤵
PID:4324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:4768

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
147⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anyupn1o\anyupn1o.cmdline"
148⤵
PID:5644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC2.tmp" "c:\Users\Admin\AppData\Local\Temp\anyupn1o\CSC71F64025C06642BD9369EF23DD871D3.TMP"
149⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\smunioqp\smunioqp.cmdline"
148⤵
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4E.tmp" "c:\Users\Admin\AppData\Local\Temp\smunioqp\CSC777EE77D58440CF929198614C1CB85.TMP"
149⤵
PID:5084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:2092

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
148⤵
PID:5680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qavvhvfd\qavvhvfd.cmdline"
149⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD5.tmp" "c:\Users\Admin\AppData\Local\Temp\qavvhvfd\CSC2DF13ED6859B4045AA3A86B63FBDEEF5.TMP"
150⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g2qf0tyg\g2qf0tyg.cmdline"
149⤵
PID:668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1061.tmp" "c:\Users\Admin\AppData\Local\Temp\g2qf0tyg\CSCFDCBBD902B2C428AA7E43521ED594292.TMP"
150⤵
PID:4400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:4536

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
149⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vlaxgkwy\vlaxgkwy.cmdline"
150⤵
PID:5700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11D8.tmp" "c:\Users\Admin\AppData\Local\Temp\vlaxgkwy\CSC3A8C966B82D14805BC371445A46E4B68.TMP"
151⤵
PID:5608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vdepigph\vdepigph.cmdline"
150⤵
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12A4.tmp" "c:\Users\Admin\AppData\Local\Temp\vdepigph\CSC11F4DFC58E7F424B94644F45F0E7E85A.TMP"
151⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:4320

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
150⤵
PID:5292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcvu35u0\hcvu35u0.cmdline"
151⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1498.tmp" "c:\Users\Admin\AppData\Local\Temp\hcvu35u0\CSCE3DDFA4888FB487B94267E4ECE1BBBE1.TMP"
152⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qjkierx\1qjkierx.cmdline"
151⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1524.tmp" "c:\Users\Admin\AppData\Local\Temp\1qjkierx\CSC52EB62777278447EA5AB1C966020D0B9.TMP"
152⤵
PID:3752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:3188

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
151⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\whj00441\whj00441.cmdline"
152⤵
PID:3636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16AB.tmp" "c:\Users\Admin\AppData\Local\Temp\whj00441\CSCCEFCF5054597461E87A111C1212E3DC.TMP"
153⤵
PID:512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kh1azce4\kh1azce4.cmdline"
152⤵
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1747.tmp" "c:\Users\Admin\AppData\Local\Temp\kh1azce4\CSCC36EB9CB4E234D84BA51D4BFDB93C9E.TMP"
153⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:2036

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
152⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5verkawu\5verkawu.cmdline"
153⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES189F.tmp" "c:\Users\Admin\AppData\Local\Temp\5verkawu\CSC6B41FD00662044C78A1535DCB73A9.TMP"
154⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f1lzqv1g\f1lzqv1g.cmdline"
153⤵
PID:5624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
154⤵
PID:5268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES197A.tmp" "c:\Users\Admin\AppData\Local\Temp\f1lzqv1g\CSCECF0CE141B294D4DB4B5AF5E5DFCA1B2.TMP"
154⤵
PID:5548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:4412

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
153⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\40ieuymq\40ieuymq.cmdline"
154⤵
PID:3756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B7D.tmp" "c:\Users\Admin\AppData\Local\Temp\40ieuymq\CSC8D24EA04B087418F86AA468F696399C2.TMP"
155⤵
PID:5276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wuku04lx\wuku04lx.cmdline"
154⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C39.tmp" "c:\Users\Admin\AppData\Local\Temp\wuku04lx\CSCCCF13C80A73C4352882F921B32B8A3E6.TMP"
155⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:5596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:5464

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
154⤵
PID:5140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nrk2bx1e\nrk2bx1e.cmdline"
155⤵
PID:5348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
156⤵
PID:5720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DCF.tmp" "c:\Users\Admin\AppData\Local\Temp\nrk2bx1e\CSC162A57B142D64558977626825FB2274.TMP"
156⤵
PID:5132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lwgf0k2u\lwgf0k2u.cmdline"
155⤵
PID:5540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E3C.tmp" "c:\Users\Admin\AppData\Local\Temp\lwgf0k2u\CSC13BDFFEF74DE457C94C14942611651B4.TMP"
156⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:4368

C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe"
155⤵
PID:4464

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0excnv4j\0excnv4j.dll
Filesize
368KB

MD5
867c284b6149c0c0cf25b323d901c0c2

SHA1
8ec39a3930012f8becf8f07a125bda7ac7474a82

SHA256
b2fd146386c4edfb2b9cdd55a384df9e48105dae8d727870f95876989a23ef3c

SHA512
f9ce13008a2953fb212877081c3a8eff23cf084ecaa9e2fdf837bb94afe79bac29f27ccbab4908a874c354c0c765d44b3e69102badcc1bbec2b9a3f440a7ecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\0pc4q4fx\0pc4q4fx.dll
Filesize
368KB

MD5
ed748e8a2359def398167056499f70d2

SHA1
757651ea474001f30450ba2ab6e4ec7746ccfff0

SHA256
03fc411270d86f877d1ef47aa6d6c24d977a6d369e0937b14284c0a0f223b480

SHA512
8c1e573b7496e5b12e0bc03a4bb4612f680aca1f53111c5513ab5328e50bbb1c9181dbea030cae3b48c0bffa979c76b323f92e22b7f15325c3895a9a6a14d4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3w0dvpi1\3w0dvpi1.dll
Filesize
368KB

MD5
4b209741103e247a848580a6fa6e4c6f

SHA1
7d3a24be2d7d139384b14266ed0ce85eec325908

SHA256
2d16d1716c3db1236fd1172600d02fb4caf60ed3466995c58f7bc51f09415ae3

SHA512
ca8021dff2de2e2b000ac292ecf26d5b7c4f024943ea91762bfa363c8ad0c8fd5b2cb472f7b1b692c57c53eeb825081fda962b0da3db87892b8d6ea6220d14d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a1he2hh\4a1he2hh.dll
Filesize
368KB

MD5
a988696db2eee1485c5cf7547e7f3aa9

SHA1
5584e69fc6519bfba73e16d17409b65ab120978e

SHA256
6361b1204b1d23fe1009ae04db01a91e542aa2cbe369cd5e0cf8765418e6b80b

SHA512
6b0f2f67bbc72fe075aee4734090a4dc1c7250e5a379a535b5aea6e41c98aa937f2ddfd7875493e2468612b26a021682f2b8750a7d20756b803797c175819084

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A0B.tmp
Filesize
1KB

MD5
6fbd15afca6eb857af912a355dfa86b1

SHA1
412f7d68aee26341305af873957e0eb07d50e757

SHA256
df0e2866c62948cb73fdbfb370ff94d11a4798664247f682b2a1bd21f919ac5f

SHA512
600fa5eddabdd35f8feec0cdca1b51c4f3943b679c01caad873f39199e32fc1c2cb5fd499a5ca025210b5f1c5d0e10b4b1e20e7619f56b31770c08e37e2123e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B44.tmp
Filesize
1KB

MD5
a7bcff5d3cbc7e713123e36ef32952d9

SHA1
03e9eeddaffb89f10c05108b3660c24c1fcda0f7

SHA256
4f60a8581b810d89f06ba0bc1d73c35619749f64c528f83b72390eacb8cac2c2

SHA512
9fc9e9fbc8138b38631206871345767f2ec8be336355b58de643c7b872816f0a74ff02b9fe221ded40d62d4762e56ffc1903f389011a4faf3082eb860e830c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3DF3.tmp
Filesize
1KB

MD5
61aff37298fd8d3e78e03c62d0c50bba

SHA1
dcdcca94c33f4c8c96ece8686d6b05907b202a34

SHA256
fda94f5a7b6b57a18e8340fb08678e3216a78aa9ccf075da750d2b78cb37319e

SHA512
4739fec0a6d7f46833e23ad204c75a1d4091b7565497003b60db1c6f5fe653954abb627fffbf78a2e701f135ec7e877caae7eb8b81893c89528978de060fb16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3EAF.tmp
Filesize
1KB

MD5
18161c66044934a87f98fdbf42f73439

SHA1
13133a66ef66992fc6d8afaff94099cf5049c725

SHA256
3cdd2af1265674362f89e84214badbff8529d89b007895889428aee1ef7f4cb4

SHA512
ea4bc6af4e8f6934c22a61147bbabe1779389ffd801af5b7be6c671351e50c646f5ddc3f33f32d98a28afe31f6a787e370ef27ca6b2ec3b3eadea4d6e9c35a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES417D.tmp
Filesize
1KB

MD5
d9802e05406217fd49d7ea4665b78292

SHA1
1053ce03652c06a726e1bd4f8af4a9182ee58104

SHA256
75d07014a6ee45c4cd3348d8302b8c106e6fb7208549e1fd2bbb2d7cb3ada3a7

SHA512
782ca54e01d4e2faf4a5fb4c417f1e6f2293c81e5630da8a4fbea3e9fb085272c5bc35685253f146a639aa069d8b4c1274bfbb1eb62b16ceebdc3465a1ec45ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4258.tmp
Filesize
1KB

MD5
503c8cbccbacea3d149c814b3e111acc

SHA1
40f864e1e9a7404b069585aa17d4e2094da08c54

SHA256
f06cd2aa7f278e2dfdcd374c428ee559293a8da7fd6695a95c21607f7be59d58

SHA512
2054c10c78a73f7c935b51b7a5df53a23f9ee0be10b19917f86033584c62f840081d240c5c0bc4e53061533c2d169842751279e20d6e7fe946354ab286a3f8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES442D.tmp
Filesize
1KB

MD5
8047777570c20092f3e25cdd36935ca0

SHA1
08134b15bfbb7fad23c85be2e8903e63690f5d5b

SHA256
6dfa92453a0418368c66411a0295716f9853f76133a63611716c55943877c713

SHA512
ffaf2a53de9908ba95cf256e2e9aeecc8f560f0749b18ef28459f1447609b12191ecab9ade89045c2f1ab1e01981e040632fccb3288d2161f3ae52f79f9bd96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4517.tmp
Filesize
1KB

MD5
67933c83121335c65fe0ed1401a87ab8

SHA1
9d9d4695d052532b5c9010ccf6eef517efd76543

SHA256
d9db5115bdff56b499af2c5c84176af1bf01ab22b82e1d1e92db5104c045ea42

SHA512
bf3d552801401e85706d2f66ecea6e03ec54e5ccd90df5e666ba6181c27627cf317200307f8b3d3dc2b96446784946e18ecdf6f0b477e5b3f5bb580f8fc3409c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4844.tmp
Filesize
1KB

MD5
fdc03c4023d2d5d8613837d72315526d

SHA1
4cd3acefa2f93c74d6ac8c132d95dd9e21529c28

SHA256
8888d5230535aff8d6b7e532065371488058ebfeee1698990d808c663c602f89

SHA512
69738adf7470e73810bcadded6fe13bcd795f14ee702e5ae9951bf5f83d19ce823ec9354804aca669bfc4d938bc8177dce6659b3ba77d5ead94a0534a4be6be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49AB.tmp
Filesize
1KB

MD5
011d0d2920fe7c962bf9e1b0576b24f8

SHA1
01bd4b392d1ad765a72cfcea5d97d643020d0b2d

SHA256
beebe54899c58e328d338cad093fcd90d602d4de62e8a0f9d0906e54556accab

SHA512
67d69a457032078e5fa22e61266d02c211ec22052564399a4761a631e0bbded4e665df7840b1359244df381b15f244b57e5823d6e3586dc7d286e408f0391ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C1C.tmp
Filesize
1KB

MD5
219ee3c3b498839b165d6a292e0bc6f7

SHA1
e6551ec9cc938523c5b1d1edc1b85dd8d1311b65

SHA256
4c2dfdc9593772f4a1d8a69c836d825fb2e093d8fcf1d7a49cc4ada5352a7f49

SHA512
12a018b2dc756f6bf21b1e1343813f92bedc088e69df542da1554e386f744add7bd4873d2b15273b2aae07556d413e649f2ffeaff5b07cfd113be1fe8f227199

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1gs0ah1\l1gs0ah1.dll
Filesize
368KB

MD5
6114f31a19566d9d96094c2aaeaa0eb3

SHA1
2a980db8820798ece2871cab10d2a607c2030b5a

SHA256
457643abe6e0d26a83682d8f4b7e140b4e8730eaf066840ffe70b8840c397a44

SHA512
9c487d54cd4989e091f770b56290c6708af895cb790d3ca30081243ad0f1443296fc3736a5b572394df1c22ffcec4b05fe215cd70387467c835c9345afad489e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwyxuuk5\mwyxuuk5.dll
Filesize
368KB

MD5
9c9875897424e455dd3fc9327312aedc

SHA1
66a05dec0d759b7d6aa9e9c40fabd48c18f3e78f

SHA256
d0af0198d83a4c143604129b717501315c88f3ee1b998c24aa3dab1f07beed51

SHA512
d4b02747d6ed74722a88422377cdb3b5606f5f482da3bed7ca2fe66891842ec861f2f0dfee7a7fd8482bb5d21a38a2f8aaf4e6f6b46c8335b94e73ee76a8304a

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2qii0ie\q2qii0ie.dll
Filesize
368KB

MD5
82c773fafc58033c35d4c05eb5cacc17

SHA1
4f16b24d7fb9f97e9b11063be9b1b78b1fc64285

SHA256
1e0d107487392a7e7eac80e12f53f1797157ab3b1c0caf628ae7cf17102d0911

SHA512
97b7f41113b6a6922a051ad0f468716ea072d3fdd9da208d0a351523f299f43b0796dee55e71eca3eb45051d1100fc1fca4c422a0d60ff3e89da5d3c0dac15d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhty5glq\qhty5glq.dll
Filesize
368KB

MD5
43f8aa3a31112c82e1f8d2737c749b3d

SHA1
018233e212372cc2f4f762cfeffd9a878471cb26

SHA256
cde792aa106dd76c70b78e29c6d03499c6a949d0f04504d76f712a3dae696d9f

SHA512
bccc722aff2fc83c199f590ecd723a64d44ef2ae53be8c1d75d1b2d7213d93495f21d1d90d0e7a9d92253de3616a6baba6870ccbf6a884f419749390f6c47719

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmugcun4\qmugcun4.dll
Filesize
368KB

MD5
22907277d3518d8668b0fa80b3787ef5

SHA1
1f788ec9a64a75879023b0452228ed25800bb63e

SHA256
51d11462c2407d92183277a7c1c3f5638610a2ccb3e5f46827330728ef2186bf

SHA512
f9ed4e933ade623301045f43f4f8dd56d6773a2b8225d435dd827a119435deb8713f086b122ca0844cc63894dc217531ab0a26b56fc4e93e7844ef23882406c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdff5cgy\sdff5cgy.dll
Filesize
368KB

MD5
f100eb6780aecfbde2f02d4e9d819547

SHA1
87e52488797def8df5c417562b5af0be74ed4297

SHA256
f60846d1c3867e6d96be603caa7f51602245bd7d30849890fe3767871159ad25

SHA512
76d5806d1c238615385a0f37346d3ef5694583de51d382d496c86b11e1d552df675af50710efa9b191cd7585bd8e5df45877da1644c28c41df4dd912f006f959

Download Submit
C:\Users\Admin\AppData\Local\Temp\v43yr5xn\v43yr5xn.dll
Filesize
368KB

MD5
f5ec3b50f5a8005a0d0e1c739d979fd8

SHA1
1091c5c9b50eb42f3d0b6d694ad68253d2556393

SHA256
041346789d85fa7df05750a2db31768ed8f7443b6e4c4cbe7f81e4d1ffdc73fe

SHA512
e46df8d3219ab089772678ada69a49ac22e6074ccb380a38a909efa99c3fd8052884f4e14a579c354b042833d72494913b33b6685ca9ec21306e862f9ec89a11

Download Submit
C:\Users\Admin\AppData\Roaming\A06ED9\911A25.lck
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgm
Filesize
548KB

MD5
759df20fc9033fe2ce3af881567a0829

SHA1
d0fc50a7b88b54a573b5ffdfaba36c380da5f222

SHA256
dd52fa10a43e5082981ecf90523d3f308fbdffea66844148e96a547ad133c8e7

SHA512
60381d28369bbcb9f08396abd5cbcff336758e546223086d93e76b77c478cf200dfbed77e8120406fb589abb304e8fb466be7d0e06e579e9f4ec6fc67560fdc9

Download Submit
C:\Users\Admin\AppData\Roaming\KtlVtDDtCbxIugvgma5.exe
Filesize
101KB

MD5
fa27c746271b2c2e1e73b86a0a77b914

SHA1
4808bce9aa26cc07389480724b460f25512bb568

SHA256
00d716359a25f1e2b3aed74c005d10fc93365bf34607eabb58cafbb6b294eaa1

SHA512
e06911497ae6708076bb87b2fe4413858344bd6de67f52df3d7447768b39b8d8be42063ba899cebea26c778e466ef66f8ce7076e53863a1c5d6b93cda5843209

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-540404634-651139247-2967210625-1000\0f5007522459c86e95ffcc62f32308f1_41e50f4a-4a76-42e1-a3df-51306e426307
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-540404634-651139247-2967210625-1000\0f5007522459c86e95ffcc62f32308f1_41e50f4a-4a76-42e1-a3df-51306e426307
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0excnv4j\0excnv4j.cmdline
Filesize
302B

MD5
d6a084b7d3340c55d0cae910966c78f4

SHA1
5fee43fd09c5ab6c135660f118a2fbbf4d0e6721

SHA256
8e1047ec1a83ab3d978271706e5ac1ebc3ac783f6e3fa8120dd8049c2f0f5d7b

SHA512
4e9f1b9e87a2fb5ac4b2ee2a46e2a77b43bb966b2f0b52337e41d72089e0f2134bfa23b7fccb2900dc8da7a351dfc6afe0d830de0b7602a08d75ad87a32ebaa9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0excnv4j\CSC72B00E75D7CE4CA7B2E712974F8EC83E.TMP
Filesize
652B

MD5
9278546d4b7ba4c170c456b2cb6053bb

SHA1
838215e946b7da9e751c10ef97edfb63a4f18cd1

SHA256
653a86b49f699efde361e42fc5013a394b307c775afedd0107e689e4da20237e

SHA512
c8a4c8ff3143f436a090dac486043f2cd6a0ce85c9a44eb99f1a15afc8653fd84da76840ac068294cbd3ee0a00303eed77e5529983e6147517fb4cb7fef0f4a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0pc4q4fx\0pc4q4fx.cmdline
Filesize
302B

MD5
5e86499784da75cc3b6fbf1a97576ad2

SHA1
eecd2b7db248d571044a9f1c450d0d2120aa6a32

SHA256
c34a18b37237415601317d7cb81163c22cc47d91562351f078bfececb2e42f8c

SHA512
1fdefc31688bac4d0c2650b1cd273364fe2412fe45034f53178a75b3d934dfa77617bf595013d3aa279bec9886ef69b2aa848ba9fb6f58b90e1299e614f561bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0pc4q4fx\CSC9640F36D1F52477EB29777B8EF99AB42.TMP
Filesize
652B

MD5
6b93477a1413022c496b76c7ec826c06

SHA1
8421338f0a83d2e9da35a9d3dc29997f874b0caa

SHA256
bbaa83ded0a54002477fdd138e1f7114d08ba5abb11e81216e3634d0886355c8

SHA512
44448f6fe9c17fac92974aea6de61bb13fad463a1e6684c41f626c916d1df8358249ea862bd29e3bf23e7ebe48c2d0816384b7587bbd7c4a137888570fd709b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3w0dvpi1\3w0dvpi1.cmdline
Filesize
302B

MD5
c57e48c71075267e4e53ddb1c0e95e32

SHA1
096c5299777b02068d6534e98918a1f3ced21f08

SHA256
eac70116bc5bb4db37b781030d8ba0da3f9c60c8d5e43257e2aec3b94708d7e9

SHA512
a67d64a7663d5fb22b7b1d38a4e13c6a9c430d57ed0facc0d65187e38ed84d532c35b5d949ede4714bbc811654aa715fd46c549127710af6153288a1cea4f87b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3w0dvpi1\CSCB3FE408E1F864149AA7C483B4257FCDA.TMP
Filesize
652B

MD5
46155a52ae7dde26b494d93e9d8117e3

SHA1
332bd90b398b00c63e2742c9565b6ba09bbc5395

SHA256
312e0dfd64aaf6ab97048e566321bad43d60451eed47704b0f900bd3367e2c9c

SHA512
eceae73dbec38e84fce5289b3adbeefc95f8d1eaca9bc34c3d8bd12d42e4821e50356dae71b4984e0bfb58e8c14ff06c64b23c9e5f3abeec22647202da12964e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4a1he2hh\4a1he2hh.cmdline
Filesize
302B

MD5
b9b927a5b3d8993c900528c84259457d

SHA1
96f1957818ec6a0fdad38bad90d6f8deb80b97f4

SHA256
3ae5a09a87676292c32d74e690e43cfe508ed13230b851f62bf1ee4c543489ec

SHA512
feb8a7f8b114863c3ae8504cba1eb67efa63795b85e83dc0b9f57cca31b747d4bf65cfbaf472fbe3e2280764b010a66a20493f3ff3236b50d2f609e436a14330

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4a1he2hh\CSCDA895B716384404885A1658D81B459C3.TMP
Filesize
652B

MD5
02dd6043c29e4bdcddff4cff808e2e0c

SHA1
54416ea78db2a26bee006206e0d8d19389e8ab0d

SHA256
6d9cffe0823ec3157da60c4315d99ad7f086f8cafdcdc4bf4c4b5cff33859e6c

SHA512
f30ce3d69f15ad24813fc3303e384b3625c6910d6621cfd2696c7c35f7edf149210dfcec495d86fd72ad4cd353a5ca8237256a12e73385fc176c32ff8618a93b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l1gs0ah1\CSC6E01159CB70B4BBC9C748923C17BE347.TMP
Filesize
652B

MD5
5c1e2fd15318a95313e1b4e57acc3734

SHA1
05f074f9486457bc34b81f43a3becf9d59da488f

SHA256
f31b7cb10e6800d6df3daeafe5cd4bedc246770f53cffc418b8a50c8cc28f165

SHA512
5a71ec1de40ee026d5a001809bb6b3f9e8655b5b1f6107366a55285108e78f2489dd31b445debecb42fe6708a8273ea314c9d9d96068e530557f06b074fa4d7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l1gs0ah1\l1gs0ah1.cmdline
Filesize
302B

MD5
b6ffb4d926b974f74afbe23d3a1adce8

SHA1
a41a11e191a8ec31abf66c6d69e94972a38c99a1

SHA256
f5fe318ba8af23982aa6fa73f7831e24ef5fb84085865d14323405121c707879

SHA512
6e3bf4ad70cb198dd83b0f58718a3d0568c4a54c17cae6a099b24aac11d2c30f9112450e654ad908fff924703b5e54c9aae015fb1a4a38abbbcc78ac38987500

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mwyxuuk5\CSC63C944AE6FEB4E3681F4231317786662.TMP
Filesize
652B

MD5
3286613b0cbf31d88ed5f9e62b3f4006

SHA1
9f3f1ed75644c87d76965932f008d11398e1c4cb

SHA256
0f7f86ed71efacf8e713512bace2aa1fc502e4f7e8a4f1e77c3ce31ae6da9ba9

SHA512
3f60722fbe232dff64251599bff5865fe6eed519c2575fa51ae3e9cc02503ed75ecffd392c3ec45d30660a5b72a9b256e35871be8061de944be796b110cea106

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mwyxuuk5\mwyxuuk5.cmdline
Filesize
302B

MD5
16201352b33a792cabcb7d5a4b431e85

SHA1
10adede1dabf52b532c8cfab515be71be81215f4

SHA256
574958390efed17216d8c8d31822839dadd242bbe3803f37d7fd0738e7f04a8a

SHA512
65131e2b2e9eba2325f246b74ddfaa3e63ea7a21db456a0640f86f31b2aa0c6d05ac35305bf06827f4e5b29fb60cfda8e7673ac586d5ea25e7c2c93a507962cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\owhw0kgp\owhw0kgp.cmdline
Filesize
302B

MD5
eda5af9538a31bbe4f35641f4d9e95e3

SHA1
c561154dbc32305c977b1be214262a5d857aeaa3

SHA256
2da731d1d817900502a62c169752919f5f1ef159ff75ae8a02fec7827a2f1f18

SHA512
02713c7168703f355520dfda044e6350948b73cc686fd0832670caa24ed12b5ca64ace706734a6017c8579899ee761b2ff08563678639cc42c75d12357fa48d9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q2qii0ie\CSCBBF16D3634DC49AF9AB2D02D79CF961B.TMP
Filesize
652B

MD5
3f5fca3313d007761f12d9dd00730db8

SHA1
5dfd7380ddfb3b13fe25a279846fcc568c130dc2

SHA256
d4da4e11ac648ef4601cd0cea00205c594299e4cdf86422d0dad6f7a269652cd

SHA512
c64588bb0efd40700bcb8c1e990b5c7594c47b395b597fbc7e13e8a51b85ada121892b04e98eee0bb46a9573b71b834e6ff2e3be246f9e317e7d4cfddbdc6d86

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q2qii0ie\q2qii0ie.cmdline
Filesize
302B

MD5
8ed874924030a29b63dd895a12ec4737

SHA1
bc221b1c18ccf25fc17682dd41cd22c865085ea8

SHA256
a1297e6d04996f255f28f565df3b9e5198365fbb8a338cbdc14ae6577329d37b

SHA512
b661c65b089acfecab249c05827fb234783a979b338ba70f1701c0ac897e2d926bdbebec7d8fa823d0fb7da4d2aa94a1636e24381014de663ab4da1ba75f3f6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qhty5glq\CSC5E0C6125FDB04C9EA0DE202FA2ADB36F.TMP
Filesize
652B

MD5
d58501d711d06755b4d97df9c97c81d1

SHA1
a86f54feddaf8759ce82ab10ef42856467b838b4

SHA256
52cf4b25828e89ccb26f1ecc43d59d9142e2fa8c35d58e72b62b986998dcf3b5

SHA512
90e85343ca7740a91b72fd9034f1d65f9594629b3ef3f1c70b64300e7d3cb50115c9a26b9cd9cc06a8a59eb86c0d504fb83a8caf9c6e077cbbedf6476d90b65f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qhty5glq\qhty5glq.cmdline
Filesize
302B

MD5
93f261d522dc91fb13e4ae71752a31ba

SHA1
943b092077e43de015c0f5684a160ea321ffb3b7

SHA256
9baaf5c2f9b6a350319cb993a8b6d2b85d86428c94d7088f8f443f951579ac59

SHA512
5c8224aa6c705b9e439d2001bdfd9edc9b00963c0e5e1867cb2e56332df60f60b7d8da4b76d89e3cd0274c3100afe14977fc0a68387580f52274916b0cac190d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qmugcun4\CSC59D389B4A54F474AB1D025E3E844CFB.TMP
Filesize
652B

MD5
c9c577108726b478d32e072d86bab59a

SHA1
dfa32ee5aabbffe528e5822904b56ffec71e5a4e

SHA256
a224362e9c34e963df276dc692af83b8850bf41a670ef7cbf24121fba506023b

SHA512
38085f9ad9a76e954d745f39354cc6cec3e243bc3af3b76b1a59dbb2a1755478e140a7cff151a41296849e7ec9fe741d5da6ba63108f3bc014d36b93e461a7ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qmugcun4\qmugcun4.cmdline
Filesize
302B

MD5
8ba941a4b79177fc475b9ff02160d6f4

SHA1
8ca05b081b54d64c44f0b44b9529b63da108af10

SHA256
3302a2f96a70e2606fb303a9d77ee1e696ac728ce37b5a6aca723f89dcf93e91

SHA512
1d752dd713111cd0f0df3cb5b88604ce14e6f90ac8204565f43325e5d51d9b9ad4b08ec2ec8f7e6f65636a78d3d5a9a7816eed2e3e1bbf3dd80f7f652cf4af71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sdff5cgy\CSCB13FE3E3A2F6452185A544156C6F4EC.TMP
Filesize
652B

MD5
320c8f46880fe582f8dac3b0af86216d

SHA1
81c4f1c9877ef49bbe64ecabf0f61cefba4ce3f2

SHA256
f76a6db57921317fbba05eafec46a4b83290efe47f844f5dd3360d2d15febd3d

SHA512
6eca7f8a34e0ed587faf1c7a0b7f7aaf63669934d0df9d58e56ea69cea870e3f2de637e5625b2d35928b2b98591df9bd845b29222e5306c7e0d35ae78d5ca956

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sdff5cgy\sdff5cgy.0.cs
Filesize
548KB

MD5
e58500c185aa3db747092f20e836c157

SHA1
dccc26b1bc025eee0000a735f971ac3aba8d063b

SHA256
90d35cc16bb2207477339b07702bea2817978321538dbdd6cf066aa6d628690b

SHA512
1dbdbf25f960395b95c8061c587856a09ed40307971a5b98c0fada88103ef6740f768862160457d21c8666dd0995b6e37dbb5e95d873f78f1419f3ca6744a4a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sdff5cgy\sdff5cgy.cmdline
Filesize
302B

MD5
dff11a19e2016ad6676c701d69c6143a

SHA1
87ab5303f6240bd66d9dca34db6267487f10d88d

SHA256
22a0f4c64147d4a2321a6bdb2b4c8727921e8ed04b9fbb7fa1b8de7124307568

SHA512
97fc9f1bfb7b765d41507a3d722afdfe2586457bc97a785ab95af6ad7d1b7ffb337e456e7a4bbc4632ffcc91c34bc40834aa2b25ad6f82f63cb91b1fa0afbf9a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v43yr5xn\CSC681B1401B9B4431498E33F813376CBDC.TMP
Filesize
652B

MD5
e74498b708b25a1586e0641bb90193df

SHA1
581f5849c31a6e0ffeaeb5d41d4dabc12075d131

SHA256
2752c70fca698eb655579b242a7476b2ce64ffcf52d9dae8bd30288077b782ea

SHA512
5097368e7bbfc6583f7b4d69720a7fb1eb6b38dc025be4e2f119ff5f7a71b340b10bf37b04ed740266099cc09015e799488e0e758d36cb00861bf4ca1a32de5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v43yr5xn\v43yr5xn.cmdline
Filesize
302B

MD5
d25b306bdad63a0a741c17fbcaa3dad4

SHA1
0a7e3538cf9718e86eda3cf970c0700619f7e7ee

SHA256
9da45328117de7510436621de0cc5eddedbf4a035d44ee6b9a8e127f9cdac572

SHA512
be0238cf44d28e700482499ac7dd9af19b12737f3055306ad19236043adaf7deadf8e0d9dbeab8f7dcedaaa10ca338e026dbd7b72c986120c99b9a9603b6370e

Download Submit
memory/432-251-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/668-948-0x00000000056C0000-0x0000000005722000-memory.dmp

Filesize
392KB

Download
memory/668-959-0x0000000005730000-0x0000000005792000-memory.dmp

Filesize
392KB

Download
memory/752-900-0x0000000004AD0000-0x0000000004B32000-memory.dmp

Filesize
392KB

Download
memory/752-889-0x0000000004A70000-0x0000000004AD2000-memory.dmp

Filesize
392KB

Download
memory/840-1305-0x0000000005260000-0x00000000052C2000-memory.dmp

Filesize
392KB

Download
memory/1216-136-0x00000000050F0000-0x0000000005152000-memory.dmp

Filesize
392KB

Download
memory/1216-151-0x0000000005160000-0x00000000051C2000-memory.dmp

Filesize
392KB

Download
memory/1384-687-0x0000000003020000-0x0000000003082000-memory.dmp

Filesize
392KB

Download
memory/1384-675-0x0000000002FC0000-0x0000000003022000-memory.dmp

Filesize
392KB

Download
memory/1804-1120-0x0000000005250000-0x00000000052B2000-memory.dmp

Filesize
392KB

Download
memory/1804-1108-0x00000000050C0000-0x0000000005122000-memory.dmp

Filesize
392KB

Download
memory/1836-911-0x0000000004FB0000-0x0000000005012000-memory.dmp

Filesize
392KB

Download
memory/1836-924-0x0000000005020000-0x0000000005082000-memory.dmp

Filesize
392KB

Download
memory/1892-664-0x0000000004D00000-0x0000000004D62000-memory.dmp

Filesize
392KB

Download
memory/1892-655-0x0000000002720000-0x0000000002782000-memory.dmp

Filesize
392KB

Download
memory/2040-1292-0x0000000004FC0000-0x0000000005022000-memory.dmp

Filesize
392KB

Download
memory/2040-1282-0x0000000004F50000-0x0000000004FB2000-memory.dmp

Filesize
392KB

Download
memory/2052-330-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2084-548-0x0000000005570000-0x00000000055D2000-memory.dmp

Filesize
392KB

Download
memory/2084-563-0x00000000055D0000-0x0000000005632000-memory.dmp

Filesize
392KB

Download
memory/2092-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2092-143-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2092-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2208-427-0x0000000005610000-0x0000000005672000-memory.dmp

Filesize
392KB

Download
memory/2208-418-0x00000000055A0000-0x0000000005602000-memory.dmp

Filesize
392KB

Download
memory/2224-713-0x00000000052A0000-0x0000000005302000-memory.dmp

Filesize
392KB

Download
memory/2224-723-0x0000000005300000-0x0000000005362000-memory.dmp

Filesize
392KB

Download
memory/2292-368-0x0000000004EE0000-0x0000000004F42000-memory.dmp

Filesize
392KB

Download
memory/2292-359-0x0000000004E80000-0x0000000004EE2000-memory.dmp

Filesize
392KB

Download
memory/2368-396-0x0000000005050000-0x00000000050B2000-memory.dmp

Filesize
392KB

Download
memory/2368-405-0x00000000050B0000-0x0000000005112000-memory.dmp

Filesize
392KB

Download
memory/2456-1016-0x0000000005250000-0x00000000052B2000-memory.dmp

Filesize
392KB

Download
memory/2456-1001-0x0000000002C90000-0x0000000002CF2000-memory.dmp

Filesize
392KB

Download
memory/2764-71-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2764-37-0x0000000005810000-0x0000000005838000-memory.dmp

Filesize
160KB

Download
memory/2764-5-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/2764-35-0x00000000057B0000-0x0000000005812000-memory.dmp

Filesize
392KB

Download
memory/2764-6-0x0000000000E80000-0x0000000000EA0000-memory.dmp

Filesize
128KB

Download
memory/2764-12-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2764-21-0x0000000005740000-0x00000000057A2000-memory.dmp

Filesize
392KB

Download
memory/2900-200-0x0000000004F80000-0x0000000004FE2000-memory.dmp

Filesize
392KB

Download
memory/2900-210-0x0000000004FF0000-0x0000000005052000-memory.dmp

Filesize
392KB

Download
memory/2928-1258-0x0000000005110000-0x0000000005172000-memory.dmp

Filesize
392KB

Download
memory/2928-1246-0x0000000002B10000-0x0000000002B72000-memory.dmp

Filesize
392KB

Download
memory/3232-773-0x00000000053D0000-0x0000000005432000-memory.dmp

Filesize
392KB

Download
memory/3232-782-0x0000000005430000-0x0000000005492000-memory.dmp

Filesize
392KB

Download
memory/3272-280-0x0000000004DD0000-0x0000000004E32000-memory.dmp

Filesize
392KB

Download
memory/3272-292-0x0000000004E30000-0x0000000004E92000-memory.dmp

Filesize
392KB

Download
memory/3532-646-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3648-497-0x0000000005660000-0x00000000056C2000-memory.dmp

Filesize
392KB

Download
memory/3648-506-0x00000000056E0000-0x0000000005742000-memory.dmp

Filesize
392KB

Download
memory/3668-796-0x00000000054E0000-0x0000000005542000-memory.dmp

Filesize
392KB

Download
memory/3668-806-0x0000000005540000-0x00000000055A2000-memory.dmp

Filesize
392KB

Download
memory/3684-53-0x0000000005390000-0x00000000053F2000-memory.dmp

Filesize
392KB

Download
memory/3684-67-0x0000000005430000-0x0000000005492000-memory.dmp

Filesize
392KB

Download
memory/3748-409-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3876-627-0x00000000052A0000-0x0000000005302000-memory.dmp

Filesize
392KB

Download
memory/3876-642-0x0000000005300000-0x0000000005362000-memory.dmp

Filesize
392KB

Download
memory/3904-596-0x00000000048E0000-0x0000000004942000-memory.dmp

Filesize
392KB

Download
memory/3904-608-0x0000000004940000-0x00000000049A2000-memory.dmp

Filesize
392KB

Download
memory/4004-1176-0x00000000023C0000-0x0000000002422000-memory.dmp

Filesize
392KB

Download
memory/4004-1167-0x0000000000A70000-0x0000000000AD2000-memory.dmp

Filesize
392KB

Download
memory/4208-567-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4224-737-0x00000000030F0000-0x0000000003152000-memory.dmp

Filesize
392KB

Download
memory/4224-751-0x0000000005640000-0x00000000056A2000-memory.dmp

Filesize
392KB

Download
memory/4344-438-0x0000000002240000-0x00000000022A2000-memory.dmp

Filesize
392KB

Download
memory/4344-450-0x0000000004900000-0x0000000004962000-memory.dmp

Filesize
392KB

Download
memory/4368-326-0x0000000004870000-0x00000000048D2000-memory.dmp

Filesize
392KB

Download
memory/4368-311-0x0000000004810000-0x0000000004872000-memory.dmp

Filesize
392KB

Download
memory/4720-488-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4768-852-0x0000000005470000-0x00000000054D2000-memory.dmp

Filesize
392KB

Download
memory/4768-864-0x00000000054D0000-0x0000000005532000-memory.dmp

Filesize
392KB

Download
memory/4880-1097-0x0000000005640000-0x00000000056A2000-memory.dmp

Filesize
392KB

Download
memory/4880-1086-0x00000000055E0000-0x0000000005642000-memory.dmp

Filesize
392KB

Download
memory/4940-1187-0x0000000004E80000-0x0000000004EE2000-memory.dmp

Filesize
392KB

Download
memory/4940-1199-0x0000000004EE0000-0x0000000004F42000-memory.dmp

Filesize
392KB

Download
memory/5032-576-0x0000000005660000-0x00000000056C2000-memory.dmp

Filesize
392KB

Download
memory/5032-585-0x00000000056C0000-0x0000000005722000-memory.dmp

Filesize
392KB

Download
memory/5128-183-0x0000000004AB0000-0x0000000004B12000-memory.dmp

Filesize
392KB

Download
memory/5128-168-0x0000000004900000-0x0000000004962000-memory.dmp

Filesize
392KB

Download
memory/5192-1029-0x0000000004C20000-0x0000000004C82000-memory.dmp

Filesize
392KB

Download
memory/5192-1038-0x0000000004C90000-0x0000000004CF2000-memory.dmp

Filesize
392KB

Download
memory/5348-1145-0x0000000005100000-0x0000000005162000-memory.dmp

Filesize
392KB

Download
memory/5348-1155-0x0000000005170000-0x00000000051D2000-memory.dmp

Filesize
392KB

Download
memory/5416-970-0x0000000002180000-0x00000000021E2000-memory.dmp

Filesize
392KB

Download
memory/5416-979-0x00000000048A0000-0x0000000004902000-memory.dmp

Filesize
392KB

Download
memory/5428-259-0x0000000004E80000-0x0000000004EE2000-memory.dmp

Filesize
392KB

Download
memory/5428-269-0x0000000004EE0000-0x0000000004F42000-memory.dmp

Filesize
392KB

Download
memory/5440-88-0x0000000004C20000-0x0000000004C82000-memory.dmp

Filesize
392KB

Download
memory/5440-104-0x0000000004C80000-0x0000000004CE2000-memory.dmp

Filesize
392KB

Download
memory/5472-529-0x0000000004CF0000-0x0000000004D52000-memory.dmp

Filesize
392KB

Download
memory/5472-517-0x0000000004C90000-0x0000000004CF2000-memory.dmp

Filesize
392KB

Download
memory/5512-1061-0x0000000004BC0000-0x0000000004C22000-memory.dmp

Filesize
392KB

Download
memory/5512-1049-0x0000000004B60000-0x0000000004BC2000-memory.dmp

Filesize
392KB

Download
memory/5540-483-0x0000000004ED0000-0x0000000004F32000-memory.dmp

Filesize
392KB

Download
memory/5540-469-0x0000000004E70000-0x0000000004ED2000-memory.dmp

Filesize
392KB

Download
memory/5544-710-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5572-247-0x0000000004A10000-0x0000000004A72000-memory.dmp

Filesize
392KB

Download
memory/5572-232-0x0000000004980000-0x00000000049E2000-memory.dmp

Filesize
392KB

Download
memory/5604-841-0x0000000004CB0000-0x0000000004D12000-memory.dmp

Filesize
392KB

Download
memory/5604-831-0x0000000000EA0000-0x0000000000F02000-memory.dmp

Filesize
392KB

Download
memory/5640-348-0x00000000049E0000-0x0000000004A42000-memory.dmp

Filesize
392KB

Download
memory/5640-339-0x0000000004940000-0x00000000049A2000-memory.dmp

Filesize
392KB

Download
memory/5724-1225-0x00000000026B0000-0x0000000002712000-memory.dmp

Filesize
392KB

Download
memory/5724-1235-0x0000000004B70000-0x0000000004BD2000-memory.dmp

Filesize
392KB

Download