lokibot | fea3f30556e99bb327e2584018334b8b5ba8d74ae25710626b9d58cf0666e41c

Analysis

max time kernel
128s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KtlVtDDtCbxIugvgma5.exe
Size

101KB
MD5

fa27c746271b2c2e1e73b86a0a77b914
SHA1

4808bce9aa26cc07389480724b460f25512bb568
SHA256

00d716359a25f1e2b3aed74c005d10fc93365bf34607eabb58cafbb6b294eaa1
SHA512

e06911497ae6708076bb87b2fe4413858344bd6de67f52df3d7447768b39b8d8be42063ba899cebea26c778e466ef66f8ce7076e53863a1c5d6b93cda5843209
SSDEEP

1536:6P2L6sdYjNKG3rSzOJ6JLiGUUsCvm9Fs315Y:dL6sAwG3rSzg6piGU0OFsH

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://107.175.150.73/~giftioz/.hokbi/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks computer location settings 2 TTPs 34 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	KtlVtDDtCbxIugvgma5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 54 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe

Suspicious use of SetThreadContext 35 IoCs

description	pid	Process	procid_target
PID 652 set thread context of 4608	652	KtlVtDDtCbxIugvgma5.exe	102
PID 4248 set thread context of 4132	4248	KtlVtDDtCbxIugvgma5.exe	114
PID 1444 set thread context of 4516	1444	KtlVtDDtCbxIugvgma5.exe	122
PID 4312 set thread context of 2688	4312	KtlVtDDtCbxIugvgma5.exe	131
PID 1072 set thread context of 4820	1072	KtlVtDDtCbxIugvgma5.exe	139
PID 2904 set thread context of 4296	2904	KtlVtDDtCbxIugvgma5.exe	147
PID 568 set thread context of 5068	568	KtlVtDDtCbxIugvgma5.exe	155
PID 4064 set thread context of 3156	4064	KtlVtDDtCbxIugvgma5.exe	165
PID 1344 set thread context of 1156	1344	KtlVtDDtCbxIugvgma5.exe	174
PID 4320 set thread context of 3920	4320	KtlVtDDtCbxIugvgma5.exe	183
PID 1808 set thread context of 228	1808	KtlVtDDtCbxIugvgma5.exe	244
PID 2008 set thread context of 1408	2008	KtlVtDDtCbxIugvgma5.exe	199
PID 400 set thread context of 2344	400	KtlVtDDtCbxIugvgma5.exe	207
PID 2356 set thread context of 3304	2356	KtlVtDDtCbxIugvgma5.exe	215
PID 1920 set thread context of 2288	1920	KtlVtDDtCbxIugvgma5.exe	223
PID 4340 set thread context of 2492	4340	KtlVtDDtCbxIugvgma5.exe	268
PID 4232 set thread context of 3152	4232	KtlVtDDtCbxIugvgma5.exe	241
PID 3956 set thread context of 400	3956	KtlVtDDtCbxIugvgma5.exe	250
PID 4276 set thread context of 2904	4276	KtlVtDDtCbxIugvgma5.exe	338
PID 1612 set thread context of 864	1612	KtlVtDDtCbxIugvgma5.exe	348
PID 4364 set thread context of 2872	4364	KtlVtDDtCbxIugvgma5.exe	276
PID 1176 set thread context of 4036	1176	KtlVtDDtCbxIugvgma5.exe	284
PID 4412 set thread context of 4080	4412	KtlVtDDtCbxIugvgma5.exe	292
PID 2252 set thread context of 664	2252	KtlVtDDtCbxIugvgma5.exe	300
PID 348 set thread context of 4264	348	KtlVtDDtCbxIugvgma5.exe	340
PID 2344 set thread context of 4372	2344	KtlVtDDtCbxIugvgma5.exe	316
PID 3272 set thread context of 2352	3272	KtlVtDDtCbxIugvgma5.exe	324
PID 1056 set thread context of 3612	1056	KtlVtDDtCbxIugvgma5.exe	333
PID 3440 set thread context of 2608	3440	KtlVtDDtCbxIugvgma5.exe	341
PID 3292 set thread context of 1744	3292	KtlVtDDtCbxIugvgma5.exe	415
PID 3536 set thread context of 4132	3536	KtlVtDDtCbxIugvgma5.exe	357
PID 3836 set thread context of 5104	3836	KtlVtDDtCbxIugvgma5.exe	365
PID 4592 set thread context of 4988	4592	KtlVtDDtCbxIugvgma5.exe	373
PID 2016 set thread context of 4932	2016	KtlVtDDtCbxIugvgma5.exe	381
PID 1712 set thread context of 3596	1712	KtlVtDDtCbxIugvgma5.exe	392

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe

Suspicious behavior: MapViewOfSection 50 IoCs

pid	Process
652	KtlVtDDtCbxIugvgma5.exe
652	KtlVtDDtCbxIugvgma5.exe
4248	KtlVtDDtCbxIugvgma5.exe
1444	KtlVtDDtCbxIugvgma5.exe
4312	KtlVtDDtCbxIugvgma5.exe
4312	KtlVtDDtCbxIugvgma5.exe
1072	KtlVtDDtCbxIugvgma5.exe
2904	KtlVtDDtCbxIugvgma5.exe
568	KtlVtDDtCbxIugvgma5.exe
4064	KtlVtDDtCbxIugvgma5.exe
4064	KtlVtDDtCbxIugvgma5.exe
4064	KtlVtDDtCbxIugvgma5.exe
1344	KtlVtDDtCbxIugvgma5.exe
1344	KtlVtDDtCbxIugvgma5.exe
4320	KtlVtDDtCbxIugvgma5.exe
4320	KtlVtDDtCbxIugvgma5.exe
1808	KtlVtDDtCbxIugvgma5.exe
2008	KtlVtDDtCbxIugvgma5.exe
400	KtlVtDDtCbxIugvgma5.exe
2356	KtlVtDDtCbxIugvgma5.exe
1920	KtlVtDDtCbxIugvgma5.exe
4340	KtlVtDDtCbxIugvgma5.exe
4232	KtlVtDDtCbxIugvgma5.exe
4232	KtlVtDDtCbxIugvgma5.exe
4232	KtlVtDDtCbxIugvgma5.exe
3956	KtlVtDDtCbxIugvgma5.exe
3956	KtlVtDDtCbxIugvgma5.exe
4276	KtlVtDDtCbxIugvgma5.exe
1612	KtlVtDDtCbxIugvgma5.exe
4364	KtlVtDDtCbxIugvgma5.exe
4364	KtlVtDDtCbxIugvgma5.exe
4364	KtlVtDDtCbxIugvgma5.exe
1176	KtlVtDDtCbxIugvgma5.exe
4412	KtlVtDDtCbxIugvgma5.exe
2252	KtlVtDDtCbxIugvgma5.exe
348	KtlVtDDtCbxIugvgma5.exe
2344	KtlVtDDtCbxIugvgma5.exe
3272	KtlVtDDtCbxIugvgma5.exe
1056	KtlVtDDtCbxIugvgma5.exe
1056	KtlVtDDtCbxIugvgma5.exe
3440	KtlVtDDtCbxIugvgma5.exe
3292	KtlVtDDtCbxIugvgma5.exe
3536	KtlVtDDtCbxIugvgma5.exe
3836	KtlVtDDtCbxIugvgma5.exe
4592	KtlVtDDtCbxIugvgma5.exe
2016	KtlVtDDtCbxIugvgma5.exe
1712	KtlVtDDtCbxIugvgma5.exe
1712	KtlVtDDtCbxIugvgma5.exe
1712	KtlVtDDtCbxIugvgma5.exe
1712	KtlVtDDtCbxIugvgma5.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	652	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4608	RegAsm.exe
Token: SeDebugPrivilege	4248	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4132	RegAsm.exe
Token: SeDebugPrivilege	1444	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4312	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2688	RegAsm.exe
Token: SeDebugPrivilege	1072	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2904	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4296	RegAsm.exe
Token: SeDebugPrivilege	568	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4064	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3156	RegAsm.exe
Token: SeDebugPrivilege	1344	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4320	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3920	RegAsm.exe
Token: SeDebugPrivilege	1808	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2008	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	1408	RegAsm.exe
Token: SeDebugPrivilege	400	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2356	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3304	RegAsm.exe
Token: SeDebugPrivilege	1920	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4340	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2492	RegAsm.exe
Token: SeDebugPrivilege	4232	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3956	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	400	RegAsm.exe
Token: SeDebugPrivilege	4276	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	1612	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	864	RegAsm.exe
Token: SeDebugPrivilege	4364	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	1176	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4036	RegAsm.exe
Token: SeDebugPrivilege	4412	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2252	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	664	RegAsm.exe
Token: SeDebugPrivilege	348	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2344	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4372	RegAsm.exe
Token: SeDebugPrivilege	3272	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	1056	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3612	RegAsm.exe
Token: SeDebugPrivilege	3440	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3292	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	1744	RegAsm.exe
Token: SeDebugPrivilege	3536	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	3836	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	5104	RegAsm.exe
Token: SeDebugPrivilege	4592	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	2016	KtlVtDDtCbxIugvgma5.exe
Token: SeDebugPrivilege	4932	RegAsm.exe
Token: SeDebugPrivilege	1712	KtlVtDDtCbxIugvgma5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 3952	652	KtlVtDDtCbxIugvgma5.exe	90
PID 652 wrote to memory of 3952	652	KtlVtDDtCbxIugvgma5.exe	90
PID 652 wrote to memory of 3952	652	KtlVtDDtCbxIugvgma5.exe	90
PID 3952 wrote to memory of 1412	3952	csc.exe	92
PID 3952 wrote to memory of 1412	3952	csc.exe	92
PID 3952 wrote to memory of 1412	3952	csc.exe	92
PID 652 wrote to memory of 3596	652	KtlVtDDtCbxIugvgma5.exe	93
PID 652 wrote to memory of 3596	652	KtlVtDDtCbxIugvgma5.exe	93
PID 652 wrote to memory of 3596	652	KtlVtDDtCbxIugvgma5.exe	93
PID 3596 wrote to memory of 3956	3596	csc.exe	95
PID 3596 wrote to memory of 3956	3596	csc.exe	95
PID 3596 wrote to memory of 3956	3596	csc.exe	95
PID 652 wrote to memory of 4368	652	KtlVtDDtCbxIugvgma5.exe	101
PID 652 wrote to memory of 4368	652	KtlVtDDtCbxIugvgma5.exe	101
PID 652 wrote to memory of 4368	652	KtlVtDDtCbxIugvgma5.exe	101
PID 652 wrote to memory of 4608	652	KtlVtDDtCbxIugvgma5.exe	102
PID 652 wrote to memory of 4608	652	KtlVtDDtCbxIugvgma5.exe	102
PID 652 wrote to memory of 4608	652	KtlVtDDtCbxIugvgma5.exe	102
PID 652 wrote to memory of 4608	652	KtlVtDDtCbxIugvgma5.exe	102
PID 652 wrote to memory of 4248	652	KtlVtDDtCbxIugvgma5.exe	107
PID 652 wrote to memory of 4248	652	KtlVtDDtCbxIugvgma5.exe	107
PID 652 wrote to memory of 4248	652	KtlVtDDtCbxIugvgma5.exe	107
PID 4248 wrote to memory of 5044	4248	KtlVtDDtCbxIugvgma5.exe	108
PID 4248 wrote to memory of 5044	4248	KtlVtDDtCbxIugvgma5.exe	108
PID 4248 wrote to memory of 5044	4248	KtlVtDDtCbxIugvgma5.exe	108
PID 5044 wrote to memory of 3168	5044	csc.exe	110
PID 5044 wrote to memory of 3168	5044	csc.exe	110
PID 5044 wrote to memory of 3168	5044	csc.exe	110
PID 4248 wrote to memory of 2140	4248	KtlVtDDtCbxIugvgma5.exe	111
PID 4248 wrote to memory of 2140	4248	KtlVtDDtCbxIugvgma5.exe	111
PID 4248 wrote to memory of 2140	4248	KtlVtDDtCbxIugvgma5.exe	111
PID 2140 wrote to memory of 1412	2140	csc.exe	113
PID 2140 wrote to memory of 1412	2140	csc.exe	113
PID 2140 wrote to memory of 1412	2140	csc.exe	113
PID 4248 wrote to memory of 4132	4248	KtlVtDDtCbxIugvgma5.exe	114
PID 4248 wrote to memory of 4132	4248	KtlVtDDtCbxIugvgma5.exe	114
PID 4248 wrote to memory of 4132	4248	KtlVtDDtCbxIugvgma5.exe	114
PID 4248 wrote to memory of 4132	4248	KtlVtDDtCbxIugvgma5.exe	114
PID 4248 wrote to memory of 1444	4248	KtlVtDDtCbxIugvgma5.exe	115
PID 4248 wrote to memory of 1444	4248	KtlVtDDtCbxIugvgma5.exe	115
PID 4248 wrote to memory of 1444	4248	KtlVtDDtCbxIugvgma5.exe	115
PID 1444 wrote to memory of 3596	1444	KtlVtDDtCbxIugvgma5.exe	116
PID 1444 wrote to memory of 3596	1444	KtlVtDDtCbxIugvgma5.exe	116
PID 1444 wrote to memory of 3596	1444	KtlVtDDtCbxIugvgma5.exe	116
PID 3596 wrote to memory of 2016	3596	csc.exe	118
PID 3596 wrote to memory of 2016	3596	csc.exe	118
PID 3596 wrote to memory of 2016	3596	csc.exe	118
PID 1444 wrote to memory of 3896	1444	KtlVtDDtCbxIugvgma5.exe	119
PID 1444 wrote to memory of 3896	1444	KtlVtDDtCbxIugvgma5.exe	119
PID 1444 wrote to memory of 3896	1444	KtlVtDDtCbxIugvgma5.exe	119
PID 3896 wrote to memory of 2904	3896	csc.exe	121
PID 3896 wrote to memory of 2904	3896	csc.exe	121
PID 3896 wrote to memory of 2904	3896	csc.exe	121
PID 1444 wrote to memory of 4516	1444	KtlVtDDtCbxIugvgma5.exe	122
PID 1444 wrote to memory of 4516	1444	KtlVtDDtCbxIugvgma5.exe	122
PID 1444 wrote to memory of 4516	1444	KtlVtDDtCbxIugvgma5.exe	122
PID 1444 wrote to memory of 4516	1444	KtlVtDDtCbxIugvgma5.exe	122
PID 1444 wrote to memory of 4312	1444	KtlVtDDtCbxIugvgma5.exe	123
PID 1444 wrote to memory of 4312	1444	KtlVtDDtCbxIugvgma5.exe	123
PID 1444 wrote to memory of 4312	1444	KtlVtDDtCbxIugvgma5.exe	123
PID 4312 wrote to memory of 3304	4312	KtlVtDDtCbxIugvgma5.exe	124
PID 4312 wrote to memory of 3304	4312	KtlVtDDtCbxIugvgma5.exe	124
PID 4312 wrote to memory of 3304	4312	KtlVtDDtCbxIugvgma5.exe	124
PID 3304 wrote to memory of 228	3304	csc.exe	126

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
"C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1bzibzkh\1bzibzkh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4541.tmp" "c:\Users\Admin\AppData\Local\Temp\1bzibzkh\CSC973B2D94DBBA47F6861374A7FA1564DB.TMP"
    3⤵
    PID:1412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\svlhwebf\svlhwebf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4997.tmp" "c:\Users\Admin\AppData\Local\Temp\svlhwebf\CSCC325C869B284B4C8E81BD435533878.TMP"
    3⤵
    PID:3956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
  "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kws224g0\kws224g0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3EA.tmp" "c:\Users\Admin\AppData\Local\Temp\kws224g0\CSC4DAA6AAE1CA74E189A8DBB62EB2D597.TMP"
      4⤵
      PID:3168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lo5ed13v\lo5ed13v.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB62C.tmp" "c:\Users\Admin\AppData\Local\Temp\lo5ed13v\CSC74FAF0247CA44640A27D20F039C0A54F.TMP"
      4⤵
      PID:1412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    PID:4132
- - C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
    "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iuoxbklo\iuoxbklo.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD8E.tmp" "c:\Users\Admin\AppData\Local\Temp\iuoxbklo\CSCDAF957E75FF7469C95FB51D98A2E53D.TMP"
        5⤵
        
        PID:2016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2dmj5fsl\2dmj5fsl.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC07C.tmp" "c:\Users\Admin\AppData\Local\Temp\2dmj5fsl\CSCD24FB9F2967489B9853FDD194A5AFDD.TMP"
        5⤵
        
        PID:2904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
      "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
      4⤵
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cl0qppnt\cl0qppnt.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3304
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC781.tmp" "c:\Users\Admin\AppData\Local\Temp\cl0qppnt\CSC2C4EA8583B24F6F889087B112AAE883.TMP"
        6⤵
        
        PID:228
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2j2kgklr\2j2kgklr.cmdline"
        5⤵
        
        PID:4216
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC975.tmp" "c:\Users\Admin\AppData\Local\Temp\2j2kgklr\CSC7D085C47AA384B00B6AF81C9C0E07D9A.TMP"
        6⤵
        
        PID:3192
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1676
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        5⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymu43boy\ymu43boy.cmdline"
        6⤵
        
        PID:4108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE38.tmp" "c:\Users\Admin\AppData\Local\Temp\ymu43boy\CSCD6A2CBE3AA9A448C983E56F8666FA48E.TMP"
        7⤵
        
        PID:2920
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mj5wushw\mj5wushw.cmdline"
        6⤵
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFAF.tmp" "c:\Users\Admin\AppData\Local\Temp\mj5wushw\CSCAAB7BDBDFC44CA7A881961C5BB590B6.TMP"
        7⤵
        
        PID:1820
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4820
      - C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        6⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lyzjlaz4\lyzjlaz4.cmdline"
        7⤵
        
        PID:3896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD443.tmp" "c:\Users\Admin\AppData\Local\Temp\lyzjlaz4\CSC3A07B748C0DC44DE8C406857B98544D7.TMP"
        8⤵
        
        PID:4024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\alyd4smw\alyd4smw.cmdline"
        7⤵
        
        PID:4412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD666.tmp" "c:\Users\Admin\AppData\Local\Temp\alyd4smw\CSCF01E64E8E079451894E6BD8D6BDDEEBF.TMP"
        8⤵
        
        PID:228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        7⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gllgg3jb\gllgg3jb.cmdline"
        8⤵
        
        PID:2028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBE4.tmp" "c:\Users\Admin\AppData\Local\Temp\gllgg3jb\CSC140D5701DDD44893A16E2DFAC399F57.TMP"
        9⤵
        
        PID:1448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c5fgezdx\c5fgezdx.cmdline"
        8⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF10.tmp" "c:\Users\Admin\AppData\Local\Temp\c5fgezdx\CSC9D47A5659FFA44AC995F445DB6EF3ED.TMP"
        9⤵
        
        PID:4608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        8⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxnkldiu\rxnkldiu.cmdline"
        9⤵
        
        PID:5040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE50C.tmp" "c:\Users\Admin\AppData\Local\Temp\rxnkldiu\CSCFCEC2ABE237E4A6B84865A6627AD199B.TMP"
        10⤵
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\12fnjd32\12fnjd32.cmdline"
        9⤵
        
        PID:3204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE857.tmp" "c:\Users\Admin\AppData\Local\Temp\12fnjd32\CSC6B75C249AC994F5FA40BA25338B95C.TMP"
        10⤵
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:1768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:3212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        9⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1tnkq1nb\1tnkq1nb.cmdline"
        10⤵
        
        PID:2204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECBC.tmp" "c:\Users\Admin\AppData\Local\Temp\1tnkq1nb\CSC849AEDB918B04E4AA652A6957CAAB320.TMP"
        11⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dhhhcst4\dhhhcst4.cmdline"
        10⤵
        
        PID:2192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEA1.tmp" "c:\Users\Admin\AppData\Local\Temp\dhhhcst4\CSCFDFB53C7A15C4C9A80B9DBBAEF4AF9A3.TMP"
        11⤵
        
        PID:3252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:4748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        10⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hfitznoy\hfitznoy.cmdline"
        11⤵
        
        PID:4576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3D1.tmp" "c:\Users\Admin\AppData\Local\Temp\hfitznoy\CSCFA001CE984CC4F2EA7A8F877A4342C85.TMP"
        12⤵
        
        PID:2920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvfnwcb3\gvfnwcb3.cmdline"
        11⤵
        
        PID:2460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF671.tmp" "c:\Users\Admin\AppData\Local\Temp\gvfnwcb3\CSCF9101A55342243BE8C1A5736A1359360.TMP"
        12⤵
        
        PID:1072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        11⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jlocagxo\jlocagxo.cmdline"
        12⤵
        
        PID:4896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC0E.tmp" "c:\Users\Admin\AppData\Local\Temp\jlocagxo\CSC4F839BB8E0E6459FB9A741EA1888A36.TMP"
        13⤵
        
        PID:3988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bg4ng5l2\bg4ng5l2.cmdline"
        12⤵
        
        PID:5068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEED.tmp" "c:\Users\Admin\AppData\Local\Temp\bg4ng5l2\CSC344854322F544C1CB694C1EBD0817E6A.TMP"
        13⤵
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        12⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ir0uods5\ir0uods5.cmdline"
        13⤵
        
        PID:1256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9.tmp" "c:\Users\Admin\AppData\Local\Temp\ir0uods5\CSC709A4AF6245C4C2AA935B341BC14937.TMP"
        14⤵
        
        PID:3616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\22zizb4n\22zizb4n.cmdline"
        13⤵
        
        PID:1548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES759.tmp" "c:\Users\Admin\AppData\Local\Temp\22zizb4n\CSCBBDE61BD64E4A8681B983578C1D0A8.TMP"
        14⤵
        
        PID:4036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        13⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b41moxim\b41moxim.cmdline"
        14⤵
        
        PID:5024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCE.tmp" "c:\Users\Admin\AppData\Local\Temp\b41moxim\CSC8EF500735924FFFB03CA94C446C8334.TMP"
        15⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0toc4or4\0toc4or4.cmdline"
        14⤵
        
        PID:1000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA6.tmp" "c:\Users\Admin\AppData\Local\Temp\0toc4or4\CSC5D53250444FA4FA8AE9D7BD28E301D9B.TMP"
        15⤵
        
        PID:1176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        14⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dtqvruqr\dtqvruqr.cmdline"
        15⤵
        
        PID:2644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15A1.tmp" "c:\Users\Admin\AppData\Local\Temp\dtqvruqr\CSCDAD3F0D0491E48C78650A96695B2071.TMP"
        16⤵
        
        PID:4264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ngzsats1\ngzsats1.cmdline"
        15⤵
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17D4.tmp" "c:\Users\Admin\AppData\Local\Temp\ngzsats1\CSC30D8E874561C46879AD826F57D5E2079.TMP"
        16⤵
        
        PID:3592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        15⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s0mr2ezs\s0mr2ezs.cmdline"
        16⤵
        
        PID:4304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C87.tmp" "c:\Users\Admin\AppData\Local\Temp\s0mr2ezs\CSC92A92DED7B654A9D8EF52CDE2B98E3E.TMP"
        17⤵
        
        PID:568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tiqtcnlb\tiqtcnlb.cmdline"
        16⤵
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E3C.tmp" "c:\Users\Admin\AppData\Local\Temp\tiqtcnlb\CSC451EB124D7D743E796C71BA86CF47A20.TMP"
        17⤵
        
        PID:4108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        16⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\liau53rc\liau53rc.cmdline"
        17⤵
        
        PID:4508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22EF.tmp" "c:\Users\Admin\AppData\Local\Temp\liau53rc\CSCEA42765AE52C47629B87B4351C2151BE.TMP"
        18⤵
        
        PID:1176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l311cviv\l311cviv.cmdline"
        17⤵
        
        PID:3540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES259F.tmp" "c:\Users\Admin\AppData\Local\Temp\l311cviv\CSC38EDCF71E7EC49B485992CF828F16A69.TMP"
        18⤵
        
        PID:4820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        17⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lo4ayn32\lo4ayn32.cmdline"
        18⤵
        
        PID:5068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A71.tmp" "c:\Users\Admin\AppData\Local\Temp\lo4ayn32\CSC1863BA16E4B949D285A14ABAC322288.TMP"
        19⤵
        
        PID:1860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ogflctfp\ogflctfp.cmdline"
        18⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:3592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C75.tmp" "c:\Users\Admin\AppData\Local\Temp\ogflctfp\CSC83B6764C6B034815AADDA75308EE193.TMP"
        19⤵
        
        PID:2728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        18⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5nfwcgw5\5nfwcgw5.cmdline"
        19⤵
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3128.tmp" "c:\Users\Admin\AppData\Local\Temp\5nfwcgw5\CSCC2D3C7D1E2074F5EB7F61ABF914995A1.TMP"
        20⤵
        
        PID:2832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vio25pl\4vio25pl.cmdline"
        19⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34F1.tmp" "c:\Users\Admin\AppData\Local\Temp\4vio25pl\CSC694E83E2CDF64DA5A47ECBFEADE7A97.TMP"
        20⤵
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:1444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        19⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fg3kccar\fg3kccar.cmdline"
        20⤵
        
        PID:1176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A5F.tmp" "c:\Users\Admin\AppData\Local\Temp\fg3kccar\CSC78DCF8777BFC41689964615BB2138E7.TMP"
        21⤵
        
        PID:1000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3y5iw5en\3y5iw5en.cmdline"
        20⤵
        
        PID:4256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CD0.tmp" "c:\Users\Admin\AppData\Local\Temp\3y5iw5en\CSC37B47408ECDD48009A402D6012659EB2.TMP"
        21⤵
        
        PID:2052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        20⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtmm3fif\jtmm3fif.cmdline"
        21⤵
        
        PID:4056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42FB.tmp" "c:\Users\Admin\AppData\Local\Temp\jtmm3fif\CSC919CA9FDE77048D0B31CD2FD4954FB5C.TMP"
        22⤵
        
        PID:4312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e0c00mdk\e0c00mdk.cmdline"
        21⤵
        
        PID:1344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4675.tmp" "c:\Users\Admin\AppData\Local\Temp\e0c00mdk\CSC5255C817CF054F47A48E4EDE9C62BBF4.TMP"
        22⤵
        
        PID:1820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        21⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ejolvcq\3ejolvcq.cmdline"
        22⤵
        
        PID:2492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:4108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AF9.tmp" "c:\Users\Admin\AppData\Local\Temp\3ejolvcq\CSC1ED352CD38F64F868989D3B7A8A557FA.TMP"
        23⤵
        
        PID:3156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nzka5rud\nzka5rud.cmdline"
        22⤵
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CFD.tmp" "c:\Users\Admin\AppData\Local\Temp\nzka5rud\CSC186158F47DBB41A0BE464A89E49008.TMP"
        23⤵
        
        PID:4692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:4528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        22⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5dp2bzd0\5dp2bzd0.cmdline"
        23⤵
        
        PID:5040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES520E.tmp" "c:\Users\Admin\AppData\Local\Temp\5dp2bzd0\CSC424830F464CD4553B6B95EAEFA723D26.TMP"
        24⤵
        
        PID:1656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\truw1ujo\truw1ujo.cmdline"
        23⤵
        
        PID:3164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5402.tmp" "c:\Users\Admin\AppData\Local\Temp\truw1ujo\CSCD420033F841E4D1480A98CAADF12281F.TMP"
        24⤵
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        23⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kvwmhdff\kvwmhdff.cmdline"
        24⤵
        
        PID:1292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58B5.tmp" "c:\Users\Admin\AppData\Local\Temp\kvwmhdff\CSC42C2AD934CD4115B07A2B2445181153.TMP"
        25⤵
        
        PID:4132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\foi4adcr\foi4adcr.cmdline"
        24⤵
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BE2.tmp" "c:\Users\Admin\AppData\Local\Temp\foi4adcr\CSC6485CD01AAD34AD3BB8E6ED3E181097.TMP"
        25⤵
        
        PID:1228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        24⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i4zrc0ap\i4zrc0ap.cmdline"
        25⤵
        
        PID:2832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES624A.tmp" "c:\Users\Admin\AppData\Local\Temp\i4zrc0ap\CSCB098C919BDEB47A0872F1A25118EC5CC.TMP"
        26⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f3ia5yqd\f3ia5yqd.cmdline"
        25⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64AC.tmp" "c:\Users\Admin\AppData\Local\Temp\f3ia5yqd\CSC186399FEC8134E8390D5E1949FBF3DB3.TMP"
        26⤵
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        25⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ecvzbrp\4ecvzbrp.cmdline"
        26⤵
        
        PID:2428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6930.tmp" "c:\Users\Admin\AppData\Local\Temp\4ecvzbrp\CSC869772E1E6154BA889AFA08435C3129A.TMP"
        27⤵
        
        PID:4504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bruybw3t\bruybw3t.cmdline"
        26⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B53.tmp" "c:\Users\Admin\AppData\Local\Temp\bruybw3t\CSC638A0A542E864886A5EE2C7CD559C2BD.TMP"
        27⤵
        
        PID:4180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        26⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mclbnclb\mclbnclb.cmdline"
        27⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7238.tmp" "c:\Users\Admin\AppData\Local\Temp\mclbnclb\CSC50B90F94F34347EE9F1EAD59D0241ECB.TMP"
        28⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v4ivjyg0\v4ivjyg0.cmdline"
        27⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74D8.tmp" "c:\Users\Admin\AppData\Local\Temp\v4ivjyg0\CSCEF148886B897438286E5BBF06B5F4F7D.TMP"
        28⤵
        
        PID:4424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        27⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qdqwjssx\qdqwjssx.cmdline"
        28⤵
        
        PID:3292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES799B.tmp" "c:\Users\Admin\AppData\Local\Temp\qdqwjssx\CSCE9AB87F6571E4A96BD74BAFA25D3B0B7.TMP"
        29⤵
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ehda4ool\ehda4ool.cmdline"
        28⤵
        
        PID:1624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C89.tmp" "c:\Users\Admin\AppData\Local\Temp\ehda4ool\CSCA7490025D53445887DD6AC4C0DA7591.TMP"
        29⤵
        
        PID:1432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        28⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w5rwaiwe\w5rwaiwe.cmdline"
        29⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8217.tmp" "c:\Users\Admin\AppData\Local\Temp\w5rwaiwe\CSC9974D0222554704832926CC29C6E9A.TMP"
        30⤵
        
        PID:944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fmt1pfua\fmt1pfua.cmdline"
        29⤵
        
        PID:1536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8582.tmp" "c:\Users\Admin\AppData\Local\Temp\fmt1pfua\CSC24309ACCF77F41898C59E761868414.TMP"
        30⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:3764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        29⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hktar1ww\hktar1ww.cmdline"
        30⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:1820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A83.tmp" "c:\Users\Admin\AppData\Local\Temp\hktar1ww\CSC59F3D5E614D84125A2EEB3DF2B39431.TMP"
        31⤵
        
        PID:1604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvrzeagl\dvrzeagl.cmdline"
        30⤵
        
        PID:2904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA6.tmp" "c:\Users\Admin\AppData\Local\Temp\dvrzeagl\CSC72C5F4A13CC04E7F9DF08C4489DB866B.TMP"
        31⤵
        
        PID:4264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        30⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0arzqyzd\0arzqyzd.cmdline"
        31⤵
        
        PID:4108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94B4.tmp" "c:\Users\Admin\AppData\Local\Temp\0arzqyzd\CSC17E496D910B4E6E90D7AD56C8264A.TMP"
        32⤵
        
        PID:1100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j1zvpnps\j1zvpnps.cmdline"
        31⤵
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9764.tmp" "c:\Users\Admin\AppData\Local\Temp\j1zvpnps\CSCF20B225CDEB54EC396771B37B52D2BC6.TMP"
        32⤵
        
        PID:864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        31⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u3nnyuvj\u3nnyuvj.cmdline"
        32⤵
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D01.tmp" "c:\Users\Admin\AppData\Local\Temp\u3nnyuvj\CSC271BFADDBFFD4A1C84C9EB132FFC6CB4.TMP"
        33⤵
        
        PID:2900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uv0muaep\uv0muaep.cmdline"
        32⤵
        
        PID:652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F63.tmp" "c:\Users\Admin\AppData\Local\Temp\uv0muaep\CSC21CA9EC2818B4D73BE6E2959D2FD2DB9.TMP"
        33⤵
        
        PID:4432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        32⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nqqdepge\nqqdepge.cmdline"
        33⤵
        
        PID:748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA791.tmp" "c:\Users\Admin\AppData\Local\Temp\nqqdepge\CSC357C9D7BB0E14BF686C04DC574BDED9F.TMP"
        34⤵
        
        PID:1568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rcvl2c2u\rcvl2c2u.cmdline"
        33⤵
        
        PID:4428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAFC.tmp" "c:\Users\Admin\AppData\Local\Temp\rcvl2c2u\CSC6701387F6DA1476C8542C722C62197.TMP"
        34⤵
        
        PID:2636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        33⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ckjp1qqe\ckjp1qqe.cmdline"
        34⤵
        
        PID:1132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB01C.tmp" "c:\Users\Admin\AppData\Local\Temp\ckjp1qqe\CSCD215FED57DDD481C91A0D9ED500B66F.TMP"
        35⤵
        
        PID:4480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\db0qfhrc\db0qfhrc.cmdline"
        34⤵
        
        PID:864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB491.tmp" "c:\Users\Admin\AppData\Local\Temp\db0qfhrc\CSC57C65BCC15F14E45B87321CD79CF5072.TMP"
        35⤵
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        34⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gs4aknvr\gs4aknvr.cmdline"
        35⤵
        
        PID:1640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD4B.tmp" "c:\Users\Admin\AppData\Local\Temp\gs4aknvr\CSC7B51FBD0DDCB458B8C611D8510208271.TMP"
        36⤵
        
        PID:1856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fguqu1zt\fguqu1zt.cmdline"
        35⤵
        
        PID:3900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC20E.tmp" "c:\Users\Admin\AppData\Local\Temp\fguqu1zt\CSC24E203BE19BD4E4692EE1A193C2D8392.TMP"
        36⤵
        
        PID:4432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        35⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\frpg2elo\frpg2elo.cmdline"
        36⤵
        
        PID:348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBB3.tmp" "c:\Users\Admin\AppData\Local\Temp\frpg2elo\CSCD0D6075BBA9438598F1A847B9B5B833.TMP"
        37⤵
        
        PID:2364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btqugmin\btqugmin.cmdline"
        36⤵
        
        PID:2912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFE9.tmp" "c:\Users\Admin\AppData\Local\Temp\btqugmin\CSC8EB5B32B1C8B4229BA9C9A26568EE214.TMP"
        37⤵
        
        PID:3588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:1212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:4232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:2164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        36⤵
        
        PID:3896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yqd023kb\yqd023kb.cmdline"
        37⤵
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5B5.tmp" "c:\Users\Admin\AppData\Local\Temp\yqd023kb\CSC2F6EB08A7A0949AFA30AD87A987A116.TMP"
        38⤵
        
        PID:3760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nfqbjioo\nfqbjioo.cmdline"
        37⤵
        
        PID:4080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8F1.tmp" "c:\Users\Admin\AppData\Local\Temp\nfqbjioo\CSC10D9352318684547B5D96FF74E518DBC.TMP"
        38⤵
        
        PID:1624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        37⤵
        
        PID:1104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kzrhhq1l\kzrhhq1l.cmdline"
        38⤵
        
        PID:1056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEAE.tmp" "c:\Users\Admin\AppData\Local\Temp\kzrhhq1l\CSCE39AA83B657640E28CBBE33627269AE.TMP"
        39⤵
        
        PID:3536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shjdz3zt\shjdz3zt.cmdline"
        38⤵
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1BB.tmp" "c:\Users\Admin\AppData\Local\Temp\shjdz3zt\CSCC67D0880D1FA418BA88C99B55407890.TMP"
        39⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        38⤵
        
        PID:4896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zdl3v0me\zdl3v0me.cmdline"
        39⤵
        
        PID:1708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE99B.tmp" "c:\Users\Admin\AppData\Local\Temp\zdl3v0me\CSCD9E40776012400CA28CA12018CA7D69.TMP"
        40⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0fnbgdrn\0fnbgdrn.cmdline"
        39⤵
        
        PID:652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC98.tmp" "c:\Users\Admin\AppData\Local\Temp\0fnbgdrn\CSCCE01C50AA252480AB7D8FEC8787A5264.TMP"
        40⤵
        
        PID:1744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        39⤵
        
        PID:5052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r4wmtmbq\r4wmtmbq.cmdline"
        40⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:3588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2F1.tmp" "c:\Users\Admin\AppData\Local\Temp\r4wmtmbq\CSC3AAEFB14459E4A42AA13FE44DB9C1FE4.TMP"
        41⤵
        
        PID:4004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lntnza11\lntnza11.cmdline"
        40⤵
        
        PID:2100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF737.tmp" "c:\Users\Admin\AppData\Local\Temp\lntnza11\CSCE4083884DA1F4274AC7326C39E6D3B2.TMP"
        41⤵
        
        PID:3656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        40⤵
        
        PID:2908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i4yhim10\i4yhim10.cmdline"
        41⤵
        
        PID:4080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F.tmp" "c:\Users\Admin\AppData\Local\Temp\i4yhim10\CSC1D5B90D268014D2C865544E3A942CAEC.TMP"
        42⤵
        
        PID:3456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a40udfuj\a40udfuj.cmdline"
        41⤵
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D4.tmp" "c:\Users\Admin\AppData\Local\Temp\a40udfuj\CSCEC5EF52152F46979A37996A8907789.TMP"
        42⤵
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        41⤵
        
        PID:4064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3fidoa1q\3fidoa1q.cmdline"
        42⤵
        
        PID:1412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA23.tmp" "c:\Users\Admin\AppData\Local\Temp\3fidoa1q\CSC41DDC62A16DD41728F683A1E732477AA.TMP"
        43⤵
        
        PID:4784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i5yko5dm\i5yko5dm.cmdline"
        42⤵
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES106C.tmp" "c:\Users\Admin\AppData\Local\Temp\i5yko5dm\CSCC3087C6B910D4876859D170D497256.TMP"
        43⤵
        
        PID:4544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        42⤵
        
        PID:1744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cp3bzvgp\cp3bzvgp.cmdline"
        43⤵
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16C5.tmp" "c:\Users\Admin\AppData\Local\Temp\cp3bzvgp\CSC96D50D0EA25A4F3B91B2DC44FCDA8CE.TMP"
        44⤵
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kfcbkcig\kfcbkcig.cmdline"
        43⤵
        
        PID:4144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19C3.tmp" "c:\Users\Admin\AppData\Local\Temp\kfcbkcig\CSCF7BD3FB9279545FDA41A027B4ADC3C4.TMP"
        44⤵
        
        PID:4912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        43⤵
        
        PID:4140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tg4304of\tg4304of.cmdline"
        44⤵
        
        PID:2912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20F7.tmp" "c:\Users\Admin\AppData\Local\Temp\tg4304of\CSCB300C1B5B80476CAE96184ED349E683.TMP"
        45⤵
        
        PID:2608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mzcdzbap\mzcdzbap.cmdline"
        44⤵
        
        PID:3104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23B6.tmp" "c:\Users\Admin\AppData\Local\Temp\mzcdzbap\CSC5B32DCD9DC5F413D949E2B2E9CD09826.TMP"
        45⤵
        
        PID:396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        44⤵
        
        PID:4412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gt0m5hgf\gt0m5hgf.cmdline"
        45⤵
        
        PID:5068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2982.tmp" "c:\Users\Admin\AppData\Local\Temp\gt0m5hgf\CSC320D4E643C3F47DEB5CE2A7F7356AEE0.TMP"
        46⤵
        
        PID:4020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqyavmr0\wqyavmr0.cmdline"
        45⤵
        
        PID:2204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B76.tmp" "c:\Users\Admin\AppData\Local\Temp\wqyavmr0\CSCA526F0308BCF43008D988681FB184E65.TMP"
        46⤵
        
        PID:3824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KtlVtDDtCbxIugvgma5.exe"
        45⤵
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzlsnffu\dzlsnffu.cmdline"
        46⤵
        
        PID:4432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3104.tmp" "c:\Users\Admin\AppData\Local\Temp\dzlsnffu\CSC547B168154BD478CB3EE81AB7D7A93.TMP"
        47⤵
        
        PID:1348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kpltjfwz\kpltjfwz.cmdline"
        46⤵
        
        PID:3192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3421.tmp" "c:\Users\Admin\AppData\Local\Temp\kpltjfwz\CSC94717669D2324EDFAED53EC180E94F3.TMP"
        47⤵
        
        PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1bzibzkh\1bzibzkh.dll

Filesize
368KB

MD5
34a54d8d0b072a9e87363ac078e78947

SHA1
64c18ca12b03a7aa8ea4c3d0512573ab02f302bf

SHA256
a9845a500d452d12b624fceee9a23d39dd27c16f54c457e74e1baa949e2191d6

SHA512
a9c5e88f932d432e873a1a8438764d3e7d4366c8d18124e843a80669765c688b2b6c4e9347116d17286172996d4cada6ec59b4252374875cf7d1ce8f16da2b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dmj5fsl\2dmj5fsl.dll

Filesize
368KB

MD5
efe26af7c5ea6c3bfa111ff2f3d9f387

SHA1
ddee27979c3f2328280cff345cc3d88a5df52fd3

SHA256
d7026a40fc7e9c5afc8ec57d5a84de600f45813cda98c7655be82c4f82b55000

SHA512
27939810f12a5322e297030b0de6dd7ccfc88eb81ddb5d9c30b1b2d2e818e582b433cfbd060fc2d3da58f24caa0ecbc8ef7e7574c66651c30789ca1aecc4dee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2j2kgklr\2j2kgklr.dll

Filesize
368KB

MD5
d05e695e2e4f5d3b8605c0af462bbec5

SHA1
073c1409cb25b1a529c7cbd9b57a896f02e6bcc8

SHA256
11ad3b6bbd69dca4eea6909e7834fafb70c1d6794185b8bb588d199ccaa08cff

SHA512
83e22f96ac58b7079f0cedac5699328a014a9c02c103b5662de948ddaeabbdbdd459bde60daf1e950e3e68e0385fd797a1805b06d1b700855383e9c5fb0d47ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4541.tmp

Filesize
1KB

MD5
2d9b640336f4bcd9848f52ee5a68085a

SHA1
8ee7d0d2b1668c4e7fc6cc7f13ace849a1a46b11

SHA256
e9d310b1752d728af2d3f44697af74e86b67d89ea5378ad5f75758dc0ed82400

SHA512
34740b89706a46c8300f10f8eaf0e1ab2aba9a7548d181f6055ad9ae92212bdcf361291d827b1e2ff5c71af0c195aec6792a08782603a60f24c160392be90322

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4997.tmp

Filesize
1KB

MD5
ef003e4eed21b779be28ae9ffbde3dde

SHA1
95ba308f52acdcf7e2d8f3be68cc8dbc4972dad1

SHA256
4377fcf2442eb9bb0f2c5c02a2534edaec6be9c2ece1e614ed1df766e525ac0c

SHA512
8c5022fd53572f063685a0aa027ae652f284e8273fc352bf09d965fa5f7d6af182ae1b98430da79bfeb4d42ac01ea5a10ec025fb9c39c9f5e03f5b9cd6cc9cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3EA.tmp

Filesize
1KB

MD5
2b60d4d54263fd7d9cb0f1273d8052c8

SHA1
bda01152b19a90e5b1eef75b43ebcc08c2b3cd9d

SHA256
8d33362382499f3c5f72d94b26820ca1b475e99afa45e56b5f1d833af5dec7e2

SHA512
467d55f1f43e4c47aae75f9ab96d9939fecf22693170a1ca454b03f1c99f4cfca22271fb687d54e6bce750ddb9c0ea095202ed33ce9561f5b94632ebad481d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB62C.tmp

Filesize
1KB

MD5
862da9c430ee3ab6d7ea6c3bdb2eb422

SHA1
7eebfabcaa7b7a72f31b08d7552dbc5f59f1ed95

SHA256
4e9f10dbf154f0eb980a2baef2393e3ce27fe0cbb5fc4a80dbbfbd61bf1675bf

SHA512
ec673ef52f7022224734cb494248baca27d5c5b77f9010b9ab5c98dc711ef3b31b2e5e15ac9146c9f01d0a839bf4a4e7f22529ec9ca6cb6e9f5fa5e5576d9a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD8E.tmp

Filesize
1KB

MD5
f2f35d3d2ab3df2817fd9d87e92dc3cb

SHA1
b45fecf0e80b35fa85439f6517e58473c9871744

SHA256
b008b65451e4014cc92472cc7cb5739b43f6df2302b75777b3c5c711ec2815ee

SHA512
fda23f5076cf3eaa3608838701edba725435cae9af19ff6eca83ddf2532e3e4c17210eb6276a9fddb195aeded8630061c332a7a28e0a27fcdae3004147b225b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC07C.tmp

Filesize
1KB

MD5
c2a0f802a42d41e9a365e0beaa7ef1bc

SHA1
47964e6d15968972f976ac2a3fd9a5d7969bbd5c

SHA256
cd2d02b8831d9b6a37d929f23937ebe7415b8e473ce14064d65cd6c2b86dc844

SHA512
86d7c77da9a181930e7a0a6a98d8f7149230f077d8039909e5e1a5211d2c22b61ccb13bffbf61ce3108cdd97937ea18721582ffe43b5e25edabfc737d4b03375

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC781.tmp

Filesize
1KB

MD5
c28560858fb5a448848f8f9c2dbfa4e1

SHA1
8f632f025d0cda9bb17a0106a77967c5c1710bd1

SHA256
c84a3872eba21868e86c113a2c4fda11452c61becee69a06e3148dc38ff5b65a

SHA512
a73071f83b15167e470c09b315ee4fa14e2b2e3c9f4a8906a9dd23680bdd2a98d3c744c902e422c6c94226a07e6c909f568c44a1317097b9710fb073c01ef47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC975.tmp

Filesize
1KB

MD5
2596af081e4ebac4c2817c6bf8674a80

SHA1
517be8407a0cdcee19e0d1bc211ea60cb3c304cd

SHA256
ca8c8380d917fe5e22baa7b973e1a4b8dd86477cc95941ff27715a4bec879030

SHA512
880c5535b44c7b6d3bc0a11e59f1b9db149e83897aa296b158656afca7a4ac13e07997d967718099218280c3ec0b73c6e04c69bd52a0814f96f05bb4da62871f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCE38.tmp

Filesize
1KB

MD5
41b1c6583b1b26fc61dd4cf42f898a13

SHA1
3cb2fd197f0e31bf0c5f12acfb3dde1e59803b3f

SHA256
5e2fa86bad282e0101fd1bdbea4e73ee1dc15d7dbc7b0b92ae037682e3d81896

SHA512
27c56f1945ef4ab845276a7527c45e2f2678c8b8ff05c70a5aaab279d6f2c74297842a926995b8bc79cb6e4006eaa18349bf63cbcbbdc9fe5c71b9092eaae195

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFAF.tmp

Filesize
1KB

MD5
a7703e60930db9264ed66f7ec5ae00cc

SHA1
194f9e6a5573e69b9f9adbdef67a20bc300a71de

SHA256
0f97649646655f8e57fab74f4543e3fa54755691748fc5731f5e75d05ed4430a

SHA512
22550853f5053c731d6603da05fd3ccf2d7aac002abead7b6ff4f6eeb945cbd9b2932a3b5fe71a298edf6fcbca23efdca0d09fc0e345b5f762055d7f609803c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD443.tmp

Filesize
1KB

MD5
f4d7063747a8e2c5ca6380e5bfdf73d3

SHA1
ba467fa5a0057591df393d984b74acd53de515e0

SHA256
c70ae53661ad9e6f6debb4a7bf8fdd7bd3049e5c29bb9558d18db63de374c651

SHA512
7ae8b71116f44d5868a5b2a5cde8765356273e2147bf4a17f8ebc30a4f4db0e371df435ad8be555e9d9cf5a2aacd574ce7028edc26d4d6d40443d273f8f0ffb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD666.tmp

Filesize
1KB

MD5
cd4cbfb4110961af4814b599fa1e776a

SHA1
c313cd44215097889baeab84651d9fb13a995e69

SHA256
b15442f23cb3aab2cc999bd9fa726c5f3058d3bf992e7590d4c4b3b110ad6d29

SHA512
4760ef3c1f09088ad6a665399ee61f57e4fa5e172ffe3d222aaabea6a25674ab13f6e5c7cd7d6f3dfd44ffb3080fce486fe46da67a0495ab6fbd7ca33b5380e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\alyd4smw\alyd4smw.dll

Filesize
368KB

MD5
e0dba199da5c20b64d33bbd44fa62f1b

SHA1
b838330ae79728fd2d793c34bd4f5e3820f330dd

SHA256
ae052f07cc3e91053097db80014fd6f1679dfeb4326d538e0b449d7eb67fc69b

SHA512
1ced51d06b9c5516cfe30da4d98bea430168cd5858746c7afa4e80312a95f35cd5c8e78c51abea3343b8e531ec0b03775b6399b7133a798286c124fbe2fa663e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cl0qppnt\cl0qppnt.dll

Filesize
368KB

MD5
a525916bb1c17fb67b81bae70b1de8d5

SHA1
5c452ae2cab8f1f72f8f58a0d81ca7311a6233c7

SHA256
c5e8a000b7bdbd389e803d21189347c55b8466f1752c3c5e8b831f140cd863ab

SHA512
3be2e7232b11fb1c3bd869e953a435415e8b127ad543878f87c7f10920d5c08e1d348f8818f260dbfff38c5e574350863d8e1f13388be536178f3b8458b99feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuoxbklo\iuoxbklo.dll

Filesize
368KB

MD5
139b015de54e0e07c26f1cc6dd8c99f1

SHA1
5294ae1e8b48ab053005775a78f4ba4798308bfa

SHA256
72a88beb4ece5c5504564eae936a9ef730ee6328db2ed095e1801da5476ef0d4

SHA512
e31470a76e1d547a541bad2f371ae070117c824d238304f8e70bcbc5031add1fa4771e8af5a6664cc66d779ea451412aa8683ad33d0e16fc771c8cd62fd124bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kws224g0\kws224g0.dll

Filesize
368KB

MD5
0ee97af9e297bd0c3438766c6ef329f7

SHA1
56037d464418627461afa1fa8734e660487cdd2a

SHA256
6f84c4d551ead3822219ab4dc783dd5223b42234d9097e99c86bb65db0b36331

SHA512
bd3432a271ae4bb7ad57c30ef84d67fb2d5a278ef4861fe97f622550e5325b034afaeab5aad5841d8a276fbf456697cdafbf63f09390f4579b98d27f7a5220a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lo5ed13v\lo5ed13v.dll

Filesize
368KB

MD5
f06abebb5a957c8628e1bc0aadefbfbe

SHA1
f06ae8e7134c568065ff0d47a62cfbb14624254d

SHA256
8d25d67aecd65188f4a62131a400f0f3ae9bf5b250bc7c16699be86c9d1b9f41

SHA512
e6e9ae69605c0d8a2656e7b6b1a765a4cebf400f0d80a9b9c2d62e87f7ec3cf1bff118b6c284db54a4d9bd696cd668c0662dd86c9ed87c3dd1a849526128c9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyzjlaz4\lyzjlaz4.dll

Filesize
368KB

MD5
ac875d981d62ae2e4983045819122e84

SHA1
f1c29163df26ff0f8de7f994c61e2f04eed76807

SHA256
f8249a764974c225cffb499fa6b549a7114893c8fa42b9faa27b8f765d6218eb

SHA512
bea325b0fa4eefaecac3d01a1a4e503c378d45426c116d5e2995f270ce5cc11dad9e4804b14d2e6733bbeb67f8cf77afa0c99a767d3750efad86f601e422196b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5wushw\mj5wushw.dll

Filesize
368KB

MD5
74a4c333b986d82086e62cce4df72345

SHA1
fc23d8a688249a51d673eb2dceb799bab91dec60

SHA256
b3a8aee4ac083440300bdc303882b1f8efd7af2d35e0bde1956f2bef309b9ad9

SHA512
035ec3889a545b3eeb8b74a1c8126d9af890d37e55b462062d74b123489f47f22d4cd58dbc86c4e4fa08d1594cf3f7924785beef94c35ab688c560e91b5f9fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svlhwebf\svlhwebf.dll

Filesize
368KB

MD5
b8711e90e7da9fd85b47140d01a2af4c

SHA1
654b51a809666c2fa6901acf041608f8d52c1383

SHA256
01d059632b8184cf06b09a9d6f4678b5c7d85eb7797ec1ed602a106e92873610

SHA512
3dc71811d1afd332a39d7a3d47fc259d816cc9b9563aa4147a9e854273bd4786f4854bbd8d347006dc8b5a911b91f086072462989d0c683ddee22ab6c58c0b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymu43boy\ymu43boy.dll

Filesize
368KB

MD5
7c9790e2af2fca32bb6871f5d318a9b0

SHA1
50bbf1490967187e639f57337671962132e0484e

SHA256
f7bc0a9c2920eefa2e0b8b5e616be18473ba877561a0cbf817992f5067a17853

SHA512
dba4e145f4ab03f437db6ec49371c5c9f3424850ed97e3d2f336a1e9b9bdb5fc94abdf55e831b4440f8084029747e7791e3b4345d1dc7653be10ff96b98a0a6a

Download Submit
C:\Users\Admin\AppData\Roaming\D0D4D9\928C68.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\D0D4D9\928C68.hdb

Filesize
4B

MD5
7b6821c03d45d0f441e8a4f8a5acdf1d

SHA1
e8bdbaa8bc2c0597ff9dc1031b9a01cc22371905

SHA256
a1083c91f85a7980b062fd204f2a435ea40575f4933c4950ade6f68c134c4388

SHA512
35fc3b3ace64ea80b93d4f37318bb73b7e7d6949d573a68e737def5f12b8dcc3a8f74afe12169f65b020f549d24727f64636aa966c2f059708133e87d3420811

Download Submit
C:\Users\Admin\AppData\Roaming\D0D4D9\928C68.lck

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1bzibzkh\1bzibzkh.0.cs

Filesize
548KB

MD5
e58500c185aa3db747092f20e836c157

SHA1
dccc26b1bc025eee0000a735f971ac3aba8d063b

SHA256
90d35cc16bb2207477339b07702bea2817978321538dbdd6cf066aa6d628690b

SHA512
1dbdbf25f960395b95c8061c587856a09ed40307971a5b98c0fada88103ef6740f768862160457d21c8666dd0995b6e37dbb5e95d873f78f1419f3ca6744a4a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1bzibzkh\1bzibzkh.cmdline

Filesize
302B

MD5
c494bf7019a6e7619b9edee2f57576e7

SHA1
f50de0fe51da8c7839d0202013e872826a6a5846

SHA256
425670b9bda3fc9bdfd28bdaaaf8eebf92bd4b36b1fb34f09379e79eb322bc29

SHA512
2df489980c11cc99ea8704a119cc0c82e8540427288b16fe61389b5ecd172aff521c1e40c892bc42260c25bab07ab270b297ad8fb5ec411cf5e022247e47e807

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1bzibzkh\CSC973B2D94DBBA47F6861374A7FA1564DB.TMP

Filesize
652B

MD5
f21ef3f683c50bcb89e1e93471604aee

SHA1
a5ede5d798a4da0008e82333164d6baacc982cd6

SHA256
6d8e6791c0e2f4a2ad01310e5ba0939afc00b64ea95eebc43612caa93d61bb89

SHA512
2ed3996e9ee97e8b7893eab67c66b783f3b37519d80a9fa0c7bfea7250a76cc4f227bb77d785c95d378a65a688d46b4342f2b06bc27255c2c16cf34fd7187c51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2dmj5fsl\2dmj5fsl.cmdline

Filesize
302B

MD5
6495d2b56c1fb0a6c86d68dfd1709590

SHA1
3bdc29e8e8d722fd29add2850ede37e33c0034e6

SHA256
835318649b93bf306e77b848247c636939285627e1beae7894fa696f0b1f01fe

SHA512
88bf3ee92c697cf29294cf2c0f90875a895918e654af3d47ac7f9bc7bac85e0baef50a2d4f74c9c2191f597a789f41245b0f57eb433c0a2848bd84712f2a60a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2dmj5fsl\CSCD24FB9F2967489B9853FDD194A5AFDD.TMP

Filesize
652B

MD5
17a2b3774ca980662cd6635992d6aef7

SHA1
8ac2deaa81f0bd07f8124d909b791c496c6f176f

SHA256
49f118278b7f14b4a8cb0e6791cf66afc532a91b6c15c34c8f54d3ee70cb0987

SHA512
b596ede0e6c67a4da8f4e4bfbde3d25fc3f11f8d5956952d85b763ace39cd9aefc872d81e2879f795e835a4ff0ea3718654b6f48ea8ee9ecbc4ab049b912fcf1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2j2kgklr\2j2kgklr.cmdline

Filesize
302B

MD5
f942b5c12cd3c2bc80aabc819f1bc259

SHA1
7d6c71ca0796c728575f28022f670fff63d6e7b6

SHA256
d79bff997461f2f3a6a8ed4ec2c203e02740fd813ca39867108f97a1a1fefd52

SHA512
b772fb3c630e1c9cb6483055f29ab3063efcf7d3c7c32414aa4a77b2e088e66646aac8100d25b42cac465a7ef4ec5c88e59c74c99a3a7303ba2f4660355a3c84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2j2kgklr\CSC7D085C47AA384B00B6AF81C9C0E07D9A.TMP

Filesize
652B

MD5
5175dc188e4130cc5d10adac5b36a83b

SHA1
930821a98c30ebab18b73c4ffde8cae4ab07734b

SHA256
c11caf59324b820047639d08a141a340a1e8ae47d29e562699339b7c2665b7aa

SHA512
f9654378bb3e13fe6f58b2f653b44b3cd9201373ebee3f7d7ae687b4203bc626d0a5c011b5007e4b36892e654f02e81bc0b7bc698e63b775b86c2adde91fd704

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\alyd4smw\CSCF01E64E8E079451894E6BD8D6BDDEEBF.TMP

Filesize
652B

MD5
b072ad17b32e5f064a5f761cdb7b42b2

SHA1
bb03ce62c22d55fc3a13613fc99eb468cd71ae35

SHA256
a6d3bc3b8380c07e19aad9517c1819873060f0ed2f526ba45d1ce3e7ddb9885f

SHA512
51e569d12767ec769ae11ea3288ff55015fed1c15c751c20f6071b4e434cb09dcc824d2e8fb15159e909716a2597924c3a38269646400b0a7728997de248ffd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\alyd4smw\alyd4smw.cmdline

Filesize
302B

MD5
46dba8e99af711e04173d064607137c6

SHA1
ee97adc2f4aa44c7dc1749e67f659874fa6c2f01

SHA256
9adbea4ac6e8033893dac7e0776e1e0263919e875b45650bb804bf5345c07c7d

SHA512
60d602214c2efa61cd9073e305616a661e08d5819abc33822682b5f8773f2cbe01874413d7bfff74c901010e63f018f89e599798d2d4589478602ffda7fd28c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cl0qppnt\CSC2C4EA8583B24F6F889087B112AAE883.TMP

Filesize
652B

MD5
bca9ab72ae7871fc42a7f82a4fe04375

SHA1
fefee111614b59e0fef967f2d3a1f52d18ad869b

SHA256
cf7725bbee87eaabdd0845ead5467c1a659d2feb2e0078dc2e25774c7d250c45

SHA512
8e9d1147dc0c3f6c106f8b35cd60c876f685f31a22690791f9a5e3521d34f1cf351ecde64c3f7a2b48acc563f95f551fbaf1ab8cad37026765f14b9375d2acc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cl0qppnt\cl0qppnt.cmdline

Filesize
302B

MD5
2dabb5980483a7694f32ee17c67d8656

SHA1
2450bba8b27b6e748681211f985ad2acfc81f35a

SHA256
83138202d2e02a9b711e0d48e87d7407730f86da5bf8705596ee9c0ce53fb04c

SHA512
84fe63e1be9d60c3532f258a03d00f857d2f6316710220b25159809b54dc0f2c82f8ad6643655e818e0099dba3acc58a88d551917ad6f983071ef15bd6d9a99f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iuoxbklo\CSCDAF957E75FF7469C95FB51D98A2E53D.TMP

Filesize
652B

MD5
1d78805a915ffaef4670cc8b79949b5f

SHA1
6c6ed71fc79533a47f2f583ceb35f2efc514802f

SHA256
7854f2ea8e7770dbd3f19abcb1dafe59c30b55b5951adaf3b6635d822abc0fe1

SHA512
2d3ec2ad89709185de0b29baa8e40d78ad3474389da71530cb7c3c0f7840c3c1a25af791581dde96c0cb3aa977ee67798babbad6303bb2d2f6c20fb24cc4be67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iuoxbklo\iuoxbklo.cmdline

Filesize
302B

MD5
090ea99b61e1c1dc6995d9e8f0dd89ef

SHA1
d9e292928ee94563a2dcafb244e27ef26902c44d

SHA256
3bd6fde60e8b6b77a2818ea6a36fe8d5617da707f7957e7a457ffca6a6a998ea

SHA512
516abb7ede11d529c55341e9840fad4a4a2bf357c451ba7e3765b27affb83866ce46dfbb3533901e57514f109b49e45d1a7f6a4b4b9d87d11421b2eaa59d5213

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kws224g0\CSC4DAA6AAE1CA74E189A8DBB62EB2D597.TMP

Filesize
652B

MD5
af733b5e2d0cf2ae6a8c5ad7663aff0c

SHA1
8d120189c401d4c2dca69992dce3305d781611c5

SHA256
58a5414f99809a37b6647bd4bb14d58eece3bda708a3945d881c662ce7430682

SHA512
c2d29ca73041bb9b12e444195f9f236cb4cb22538b197b7590be50e6ed8e8e0d427f3184eb8e4691ed8e1cf9b0f1d52dac98d5a443aa6cd13db8312a646d4e43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kws224g0\kws224g0.cmdline

Filesize
302B

MD5
2398723e4b2061b6fba2d05cb5cd526f

SHA1
f5f752b7db5f777bbfb0272f5c0659d230587358

SHA256
e2a175fce89caa44291b05730f4774a11abc5a77fe699c43a0df59b0cbe22ae0

SHA512
98df09ef2adcdfe7725fe6d439194d6790e3dafe67e561dddb73773dec689b78800a67aae11aad744bda7861d59c8a4c450631e35fd3b57561e45f2b003881a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lo5ed13v\CSC74FAF0247CA44640A27D20F039C0A54F.TMP

Filesize
652B

MD5
194ec26a994ccb5a77176b6fd49b7a2f

SHA1
4749bdfddb35d728734ca03140f71284824a264a

SHA256
b09a999e2b8ad8bc4238810625109f982db22da70a82d98fdbe892eb00167f96

SHA512
60dd96d804a39104d33a9bff43d42d727b4127fe893c57eacfbedb2e0fe1606053bf19a21e190339b3044df0325438a9201f6065f12213ba58764f375580be03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lo5ed13v\lo5ed13v.cmdline

Filesize
302B

MD5
e04f982bcc9b710ba00573e1ca76ab6e

SHA1
ad6b2c7b387ff8d10f5836139483e4450d5e9151

SHA256
df5034089bd9ced45dbeb85a12bd18ac5e4ab8127fc3bd3df01eb9bf5a273104

SHA512
e34fefa4b08607efc6b5a0fe4f9b8f30659e7ace7a8702cfebbfb5f4baa878466d1bf27b88046c4614315ca49642ed46af3e4b44a2092374f9c6b421c59fbc3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lyzjlaz4\CSC3A07B748C0DC44DE8C406857B98544D7.TMP

Filesize
652B

MD5
99c531000b52b6960080071eb83e7e70

SHA1
73e160c981d81ad2f028d3359cdbe44ca0b38afd

SHA256
c6e8f6a9f58124f7f2a5377247789901c0622b494577de67f69b6c4a87de065e

SHA512
25348697f68fa218f42668577de05ae4d6be303db5f6e29edf47399c68faa0dafeca6931fd0e351fa81bea75773011a13b3d84158c9543740649f36e76aa632a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lyzjlaz4\lyzjlaz4.cmdline

Filesize
302B

MD5
ae96ebaaf0f005defd449a4efeba680c

SHA1
0fc4271bcf52dedc0ad23519009181e5ef4b79a5

SHA256
e4387b97191190585a77e0e397da8ab9d97750dd6dcd4bf9f196bc1e1d6e0102

SHA512
e857cbddf9723c208ba7ca1a8aec5d0cc91dcfaf8ec7e469fc81cf60146d6363464a78357c271890374ab619dc4404f03fa6902eff6fd949d4fbdbdf8bc76820

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mj5wushw\CSCAAB7BDBDFC44CA7A881961C5BB590B6.TMP

Filesize
652B

MD5
623eed0279ee8cb4831171ae72622338

SHA1
260f1fa55732deefb3f0c7f13c1f1ec91c7e4497

SHA256
17895d30fe29263353186a429fa7791b4a460095c3029b566b49147ddf0c424e

SHA512
888e9eefc64584738bb6d77b88e23a9e7bc99a110e3648fb2678c6a6a972f1095cf6b59bf17b243231c7458f6b132dd31211db2231dc0f66544b98f92e446e23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mj5wushw\mj5wushw.cmdline

Filesize
302B

MD5
0237326f31eef292a562b8fddbb03d5b

SHA1
fe79988f8545c9e983e9b65863e442ad622612dd

SHA256
35dab163cee02dd527636c2fa1843b3d0a5d2f12b9e4c58bb07e37dfbf882b67

SHA512
6e85bd6184f4663dcdb4f25b444e9ce5fe95b4efe5281ce2bf2aa5c9563e69f1f0d0e852e1c67b36a7e9f615a001e49138780200f974d0568ec270d834784ae1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\svlhwebf\CSCC325C869B284B4C8E81BD435533878.TMP

Filesize
652B

MD5
fe452a1f51d6b7382ca598c0454bfd93

SHA1
4983071bd8ca46f46b6b806c7884fca2ddabcb42

SHA256
aefef3410d51410b7639f7ebd320600cc3b90aeab899e10ab894828ca8f4bcba

SHA512
81743a446c51e132d768d3820f0339e34494906a71366d07067a3976bf4a3492c1262e43879e1fd869435c0c47d8323abbc347fb5de546b3e0476a6c82f5fae7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\svlhwebf\svlhwebf.cmdline

Filesize
302B

MD5
8079d3ffeb1efb34291919dd0e5a8913

SHA1
a6c4e37e8737e682203affb2a4f0a521884b3f3e

SHA256
de06d8a130c3e1b74377f32d94fe3b7c2341eba84079b22356efe45866ebf0da

SHA512
b87bd890f8f47e9d0ce0cb5eae4da2558c4d20fd0f3fe5e5ca0f0677dfa6170c424a51484af052491e7e74b65308d302707db598e52c91b73b42d74e80f8e3a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymu43boy\CSCD6A2CBE3AA9A448C983E56F8666FA48E.TMP

Filesize
652B

MD5
5828e82e1c47e85d331f66bd8811befa

SHA1
e99c9a3f19626160f95110c05e458e92a025f717

SHA256
1f49c11c3008e12888a1903c1dbbfa9d13297e4104000d35f9ce98f65c53a0e6

SHA512
364e570a653bfff76e6519f0235c6dac95b5090eb8ec44f0ba1e75f708e35212a88548e561966be59cfc95ae860c33cdbe89ee0a7e7dd3c5faa55120218f59d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymu43boy\ymu43boy.cmdline

Filesize
302B

MD5
50d45099092bff1ee7acd828305342cc

SHA1
b11b3e1c3a1ca1b5aeddfa095b63cc6e6218dfe5

SHA256
bdcf74a205024fb06d338662534d4b6dd3c26da3835b092c350e0a8abb5ef4db

SHA512
78ed09b5333cb1254e2252e99e20db6af8ac17979b8462adf7156af27f5eeb745030bf17d3691ea153aa8ed55513785462494bf8fe48f0f1de3a034480344219

Download Submit
memory/348-795-0x0000000000BA0000-0x0000000000C02000-memory.dmp

Filesize
392KB

Download
memory/348-818-0x00000000027F0000-0x0000000002852000-memory.dmp

Filesize
392KB

Download
memory/400-465-0x0000000004CD0000-0x0000000004D32000-memory.dmp

Filesize
392KB

Download
memory/400-644-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/400-441-0x0000000002720000-0x0000000002782000-memory.dmp

Filesize
392KB

Download
memory/568-288-0x0000000004D80000-0x0000000004DE2000-memory.dmp

Filesize
392KB

Download
memory/568-265-0x0000000002860000-0x00000000028C2000-memory.dmp

Filesize
392KB

Download
memory/652-29-0x0000000004E70000-0x0000000004ED2000-memory.dmp

Filesize
392KB

Download
memory/652-15-0x0000000004E10000-0x0000000004E72000-memory.dmp

Filesize
392KB

Download
memory/652-4-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/652-1-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/652-32-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/652-91-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/652-31-0x0000000004EE0000-0x0000000004F08000-memory.dmp

Filesize
160KB

Download
memory/652-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/652-33-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/652-34-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/864-704-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1056-890-0x0000000004A80000-0x0000000004AE2000-memory.dmp

Filesize
392KB

Download
memory/1056-899-0x0000000004AF0000-0x0000000004B52000-memory.dmp

Filesize
392KB

Download
memory/1072-190-0x0000000004D60000-0x0000000004DC2000-memory.dmp

Filesize
392KB

Download
memory/1072-212-0x0000000004E00000-0x0000000004E62000-memory.dmp

Filesize
392KB

Download
memory/1104-1173-0x0000000004990000-0x00000000049F2000-memory.dmp

Filesize
392KB

Download
memory/1104-1153-0x0000000004930000-0x0000000004992000-memory.dmp

Filesize
392KB

Download
memory/1176-722-0x0000000004A20000-0x0000000004A82000-memory.dmp

Filesize
392KB

Download
memory/1176-713-0x00000000049C0000-0x0000000004A22000-memory.dmp

Filesize
392KB

Download
memory/1344-340-0x0000000004870000-0x00000000048D2000-memory.dmp

Filesize
392KB

Download
memory/1344-323-0x00000000047B0000-0x0000000004812000-memory.dmp

Filesize
392KB

Download
memory/1408-460-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1444-138-0x0000000005280000-0x00000000052E2000-memory.dmp

Filesize
392KB

Download
memory/1444-117-0x0000000005210000-0x0000000005272000-memory.dmp

Filesize
392KB

Download
memory/1612-654-0x0000000004A20000-0x0000000004A82000-memory.dmp

Filesize
392KB

Download
memory/1612-663-0x0000000004A80000-0x0000000004AE2000-memory.dmp

Filesize
392KB

Download
memory/1712-1114-0x0000000005390000-0x00000000053F2000-memory.dmp

Filesize
392KB

Download
memory/1712-1090-0x0000000002E00000-0x0000000002E62000-memory.dmp

Filesize
392KB

Download
memory/1744-1330-0x0000000005060000-0x00000000050C2000-memory.dmp

Filesize
392KB

Download
memory/1744-1314-0x0000000004FF0000-0x0000000005052000-memory.dmp

Filesize
392KB

Download
memory/1808-383-0x0000000005220000-0x0000000005282000-memory.dmp

Filesize
392KB

Download
memory/1808-405-0x0000000005280000-0x00000000052E2000-memory.dmp

Filesize
392KB

Download
memory/1920-500-0x00000000053F0000-0x0000000005452000-memory.dmp

Filesize
392KB

Download
memory/1920-517-0x0000000005490000-0x00000000054F2000-memory.dmp

Filesize
392KB

Download
memory/2008-427-0x0000000005460000-0x00000000054C2000-memory.dmp

Filesize
392KB

Download
memory/2008-418-0x00000000053F0000-0x0000000005452000-memory.dmp

Filesize
392KB

Download
memory/2016-1067-0x00000000056D0000-0x0000000005732000-memory.dmp

Filesize
392KB

Download
memory/2016-1076-0x0000000005780000-0x00000000057E2000-memory.dmp

Filesize
392KB

Download
memory/2252-781-0x00000000051D0000-0x0000000005232000-memory.dmp

Filesize
392KB

Download
memory/2252-772-0x0000000005170000-0x00000000051D2000-memory.dmp

Filesize
392KB

Download
memory/2344-840-0x0000000005780000-0x00000000057E2000-memory.dmp

Filesize
392KB

Download
memory/2344-831-0x0000000005720000-0x0000000005782000-memory.dmp

Filesize
392KB

Download
memory/2356-477-0x00000000028A0000-0x0000000002902000-memory.dmp

Filesize
392KB

Download
memory/2356-486-0x0000000004D60000-0x0000000004DC2000-memory.dmp

Filesize
392KB

Download
memory/2492-586-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2688-222-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2904-236-0x0000000005010000-0x0000000005072000-memory.dmp

Filesize
392KB

Download
memory/2904-250-0x0000000005070000-0x00000000050D2000-memory.dmp

Filesize
392KB

Download
memory/2908-1253-0x00000000053E0000-0x0000000005442000-memory.dmp

Filesize
392KB

Download
memory/2908-1244-0x0000000005380000-0x00000000053E2000-memory.dmp

Filesize
392KB

Download
memory/3156-350-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3272-854-0x00000000056D0000-0x0000000005732000-memory.dmp

Filesize
392KB

Download
memory/3272-877-0x00000000058B0000-0x0000000005912000-memory.dmp

Filesize
392KB

Download
memory/3292-958-0x0000000004A70000-0x0000000004AD2000-memory.dmp

Filesize
392KB

Download
memory/3292-949-0x00000000049F0000-0x0000000004A52000-memory.dmp

Filesize
392KB

Download
memory/3304-527-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3440-937-0x0000000004F20000-0x0000000004F82000-memory.dmp

Filesize
392KB

Download
memory/3440-913-0x0000000004EB0000-0x0000000004F12000-memory.dmp

Filesize
392KB

Download
memory/3536-996-0x0000000004D60000-0x0000000004DC2000-memory.dmp

Filesize
392KB

Download
memory/3536-977-0x0000000004CC0000-0x0000000004D22000-memory.dmp

Filesize
392KB

Download
memory/3836-1017-0x0000000004AA0000-0x0000000004B02000-memory.dmp

Filesize
392KB

Download
memory/3836-1008-0x00000000049E0000-0x0000000004A42000-memory.dmp

Filesize
392KB

Download
memory/3896-1126-0x0000000004CA0000-0x0000000004D02000-memory.dmp

Filesize
392KB

Download
memory/3896-1135-0x0000000004D00000-0x0000000004D62000-memory.dmp

Filesize
392KB

Download
memory/3920-407-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3956-604-0x0000000004C50000-0x0000000004CB2000-memory.dmp

Filesize
392KB

Download
memory/3956-595-0x0000000002710000-0x0000000002772000-memory.dmp

Filesize
392KB

Download
memory/4064-1282-0x0000000002D00000-0x0000000002D62000-memory.dmp

Filesize
392KB

Download
memory/4064-300-0x0000000004950000-0x00000000049B2000-memory.dmp

Filesize
392KB

Download
memory/4064-309-0x00000000049C0000-0x0000000004A22000-memory.dmp

Filesize
392KB

Download
memory/4064-1292-0x0000000005210000-0x0000000005272000-memory.dmp

Filesize
392KB

Download
memory/4132-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4140-1351-0x0000000004AA0000-0x0000000004B02000-memory.dmp

Filesize
392KB

Download
memory/4140-1342-0x0000000004A40000-0x0000000004AA2000-memory.dmp

Filesize
392KB

Download
memory/4232-556-0x0000000004DF0000-0x0000000004E52000-memory.dmp

Filesize
392KB

Download
memory/4232-576-0x0000000004E50000-0x0000000004EB2000-memory.dmp

Filesize
392KB

Download
memory/4248-87-0x0000000005380000-0x00000000053E2000-memory.dmp

Filesize
392KB

Download
memory/4248-73-0x0000000005320000-0x0000000005382000-memory.dmp

Filesize
392KB

Download
memory/4276-618-0x00000000055E0000-0x0000000005642000-memory.dmp

Filesize
392KB

Download
memory/4276-641-0x0000000005650000-0x00000000056B2000-memory.dmp

Filesize
392KB

Download
memory/4296-287-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4312-156-0x0000000002E80000-0x0000000002EE2000-memory.dmp

Filesize
392KB

Download
memory/4312-170-0x0000000005340000-0x00000000053A2000-memory.dmp

Filesize
392KB

Download
memory/4320-359-0x0000000002F10000-0x0000000002F72000-memory.dmp

Filesize
392KB

Download
memory/4320-368-0x0000000005460000-0x00000000054C2000-memory.dmp

Filesize
392KB

Download
memory/4340-536-0x0000000002BB0000-0x0000000002C12000-memory.dmp

Filesize
392KB

Download
memory/4340-545-0x0000000005070000-0x00000000050D2000-memory.dmp

Filesize
392KB

Download
memory/4364-677-0x00000000051D0000-0x0000000005232000-memory.dmp

Filesize
392KB

Download
memory/4364-694-0x0000000005240000-0x00000000052A2000-memory.dmp

Filesize
392KB

Download
memory/4412-737-0x0000000004EC0000-0x0000000004F22000-memory.dmp

Filesize
392KB

Download
memory/4412-760-0x0000000004F20000-0x0000000004F82000-memory.dmp

Filesize
392KB

Download
memory/4412-1366-0x0000000004850000-0x00000000048B2000-memory.dmp

Filesize
392KB

Download
memory/4592-1055-0x00000000053A0000-0x0000000005402000-memory.dmp

Filesize
392KB

Download
memory/4592-1032-0x0000000005340000-0x00000000053A2000-memory.dmp

Filesize
392KB

Download
memory/4608-59-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4608-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4608-37-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4608-35-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4896-1194-0x0000000002A30000-0x0000000002A92000-memory.dmp

Filesize
392KB

Download
memory/4896-1185-0x00000000029C0000-0x0000000002A22000-memory.dmp

Filesize
392KB

Download
memory/5052-1213-0x00000000056F0000-0x0000000005752000-memory.dmp

Filesize
392KB

Download
memory/5052-1232-0x00000000057B0000-0x0000000005812000-memory.dmp

Filesize
392KB

Download