4003982ac9cf8975d45894e05d4a7a7ae17561b25ed5b547215649104f23cc5d

Analysis

max time kernel
20s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 07:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
Size

667KB
MD5

9e269fb49137b947208ecc6f15d24d80
SHA1

679a26fe625c911e3dc93dca6c5e93ee49935fec
SHA256

4003982ac9cf8975d45894e05d4a7a7ae17561b25ed5b547215649104f23cc5d
SHA512

4daa584d0f102979c19ad93c4c4194861304c3f8180748ebbed4e670fbf68ea2ad7020a8c51d4ef33507021bd38c471129c087adeca89a151ba100f6f134478e
SSDEEP

12288:dgpE2kX80amapNq/jMlTlIa2ajmHm8mK/Tgw/63AmapOyjg:+pE2kX80amapNq/jMlTlIa2ajmHm8mKc

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe

Drops file in Windows directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1404	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	85
PID 1508 wrote to memory of 1404	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	85
PID 1404 wrote to memory of 3784	1404	csc.exe	87
PID 1404 wrote to memory of 3784	1404	csc.exe	87
PID 1508 wrote to memory of 2176	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	88
PID 1508 wrote to memory of 2176	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	88
PID 2176 wrote to memory of 4068	2176	csc.exe	90
PID 2176 wrote to memory of 4068	2176	csc.exe	90
PID 1508 wrote to memory of 4560	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	91
PID 1508 wrote to memory of 4560	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	91
PID 4560 wrote to memory of 228	4560	csc.exe	93
PID 4560 wrote to memory of 228	4560	csc.exe	93
PID 1508 wrote to memory of 4596	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	94
PID 1508 wrote to memory of 4596	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	94
PID 4596 wrote to memory of 2920	4596	csc.exe	96
PID 4596 wrote to memory of 2920	4596	csc.exe	96
PID 1508 wrote to memory of 1520	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	97
PID 1508 wrote to memory of 1520	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	97
PID 1520 wrote to memory of 3672	1520	csc.exe	99
PID 1520 wrote to memory of 3672	1520	csc.exe	99
PID 1508 wrote to memory of 1616	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	100
PID 1508 wrote to memory of 1616	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	100
PID 1616 wrote to memory of 1740	1616	csc.exe	102
PID 1616 wrote to memory of 1740	1616	csc.exe	102
PID 1508 wrote to memory of 4600	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	103
PID 1508 wrote to memory of 4600	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	103
PID 4600 wrote to memory of 1780	4600	csc.exe	105
PID 4600 wrote to memory of 1780	4600	csc.exe	105
PID 1508 wrote to memory of 2672	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	106
PID 1508 wrote to memory of 2672	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	106
PID 2672 wrote to memory of 4748	2672	csc.exe	109
PID 2672 wrote to memory of 4748	2672	csc.exe	109
PID 1508 wrote to memory of 4520	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	110
PID 1508 wrote to memory of 4520	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	110
PID 4520 wrote to memory of 4236	4520	csc.exe	112
PID 4520 wrote to memory of 4236	4520	csc.exe	112
PID 1508 wrote to memory of 1632	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	113
PID 1508 wrote to memory of 1632	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	113
PID 1632 wrote to memory of 3628	1632	csc.exe	115
PID 1632 wrote to memory of 3628	1632	csc.exe	115
PID 1508 wrote to memory of 1428	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	116
PID 1508 wrote to memory of 1428	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	116
PID 1428 wrote to memory of 3100	1428	csc.exe	118
PID 1428 wrote to memory of 3100	1428	csc.exe	118
PID 1508 wrote to memory of 4076	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	119
PID 1508 wrote to memory of 4076	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	119
PID 4076 wrote to memory of 1828	4076	csc.exe	121
PID 4076 wrote to memory of 1828	4076	csc.exe	121
PID 1508 wrote to memory of 1968	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	122
PID 1508 wrote to memory of 1968	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	122
PID 1968 wrote to memory of 3648	1968	csc.exe	124
PID 1968 wrote to memory of 3648	1968	csc.exe	124
PID 1508 wrote to memory of 2600	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	125
PID 1508 wrote to memory of 2600	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	125
PID 2600 wrote to memory of 228	2600	csc.exe	127
PID 2600 wrote to memory of 228	2600	csc.exe	127
PID 1508 wrote to memory of 4668	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	128
PID 1508 wrote to memory of 4668	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	128
PID 4668 wrote to memory of 452	4668	csc.exe	130
PID 4668 wrote to memory of 452	4668	csc.exe	130
PID 1508 wrote to memory of 4784	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	131
PID 1508 wrote to memory of 4784	1508	9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe	131
PID 4784 wrote to memory of 3476	4784	csc.exe	133
PID 4784 wrote to memory of 3476	4784	csc.exe	133

C:\Users\Admin\AppData\Local\Temp\9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e269fb49137b947208ecc6f15d24d80_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\21-mrovx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BD8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7BD7.tmp"
    3⤵
    PID:3784
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nm6rxeow.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C65.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7C64.tmp"
    3⤵
    PID:4068
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dfmvnnj1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES856D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC856C.tmp"
    3⤵
    PID:228
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tebwhhfn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8619.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8608.tmp"
    3⤵
    PID:2920
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvlp2qtp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8703.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8702.tmp"
    3⤵
    PID:3672
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wclrywha.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8780.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC877F.tmp"
    3⤵
    PID:1740
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vprk3pnv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES889A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8899.tmp"
    3⤵
    PID:1780
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gsf2ian4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8917.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8906.tmp"
    3⤵
    PID:4748
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ypm-3vnm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89B3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC89B2.tmp"
    3⤵
    PID:4236
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h8yewkl2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A30.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A2F.tmp"
    3⤵
    PID:3628
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wzggro3i.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B49.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8B48.tmp"
    3⤵
    PID:3100
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\97nginuh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BD6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8BD5.tmp"
    3⤵
    PID:1828
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ds6wbssj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C91.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8C90.tmp"
    3⤵
    PID:3648
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ubvo70hd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CEF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8CEE.tmp"
    3⤵
    PID:228
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\my7rladk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DF9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8DF8.tmp"
    3⤵
    PID:452
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgaeei-v.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E56.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8E55.tmp"
    3⤵
    PID:3476
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cj2tgfrm.cmdline"
  2⤵
  PID:2008
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92AC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC92AB.tmp"
    3⤵
    PID:4272
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ipivk4u6.cmdline"
  2⤵
  PID:4064
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9319.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9318.tmp"
    3⤵
    PID:1812
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jjo8mbep.cmdline"
  2⤵
  PID:3216
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC93A5.tmp"
    3⤵
    PID:4748
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2aj7gsp.cmdline"
  2⤵
  PID:4628
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC93E3.tmp"
    3⤵
    PID:5024
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjvizhi0.cmdline"
  2⤵
  PID:3388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9471.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9470.tmp"
    3⤵
    PID:1504
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e6hqzi39.cmdline"
  2⤵
  PID:4976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC94CE.tmp"
    3⤵
    PID:4592
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5kqhanlk.cmdline"
  2⤵
  PID:3100
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES954C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC954B.tmp"
    3⤵
    PID:3700
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yb79twp6.cmdline"
  2⤵
  PID:1428
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95A9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC95A8.tmp"
    3⤵
    PID:4152
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3gfq_if.cmdline"
  2⤵
  PID:1996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9626.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9625.tmp"
    3⤵
    PID:4944
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4hzrcq6p.cmdline"
  2⤵
  PID:3908
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9684.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9683.tmp"
    3⤵
    PID:3872
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qp-hja-u.cmdline"
  2⤵
  PID:3068
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9701.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9700.tmp"
    3⤵
    PID:4648
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\strndmvs.cmdline"
  2⤵
  PID:2976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES975F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC975E.tmp"
    3⤵
    PID:3520
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dh4mmdcs.cmdline"
  2⤵
  PID:3972
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97EB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC97EA.tmp"
    3⤵
    PID:4840
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ok3komo.cmdline"
  2⤵
  PID:2376
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9849.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9848.tmp"
    3⤵
    PID:2440
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-hfme9-x.cmdline"
  2⤵
  PID:4492
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC98C5.tmp"
    3⤵
    PID:4556
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ib5tvgfg.cmdline"
  2⤵
  PID:540
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9924.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9923.tmp"
    3⤵
    PID:4904
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vee7z2oz.cmdline"
  2⤵
  PID:2396
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99A1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC99A0.tmp"
    3⤵
    PID:3104
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jiwkwusm.cmdline"
  2⤵
  PID:4440
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99FF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC99FE.tmp"
    3⤵
    PID:4744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\enplprl2.cmdline"
  2⤵
  PID:1004
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A8B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9A7B.tmp"
    3⤵
    PID:5088
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dl0o6sxu.cmdline"
  2⤵
  PID:2084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AD9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9AD8.tmp"
    3⤵
    PID:3480
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b0p8ccpk.cmdline"
  2⤵
  PID:3692
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B76.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B65.tmp"
    3⤵
    PID:4012
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3jb8sjjz.cmdline"
  2⤵
  PID:4100
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BC4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9BC3.tmp"
    3⤵
    PID:3964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rwqn1-gr.cmdline"
  2⤵
  PID:1932
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C60.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9C5F.tmp"
    3⤵
    PID:3656
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tcxqqd1i.cmdline"
  2⤵
  PID:1092
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CCD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9CCC.tmp"
    3⤵
    PID:1704
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q6ukata4.cmdline"
  2⤵
  PID:1996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D3B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9D3A.tmp"
    3⤵
    PID:3908
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p0_v9wke.cmdline"
  2⤵
  PID:3096
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DA8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9DA7.tmp"
    3⤵
    PID:528
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kcgo601c.cmdline"
  2⤵
  PID:2716
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E54.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E43.tmp"
    3⤵
    PID:1608
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t_siui3m.cmdline"
  2⤵
  PID:3252
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EC1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9EC0.tmp"
    3⤵
    PID:3732
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rpaqs4dj.cmdline"
  2⤵
  PID:3228
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F4E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F4D.tmp"
    3⤵
    PID:4144
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cqae_9ps.cmdline"
  2⤵
  PID:1520
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FAC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9FAB.tmp"
    3⤵
    PID:3240
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\veidm3ad.cmdline"
  2⤵
  PID:4276
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA038.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA037.tmp"
    3⤵
    PID:3608
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jlzfm5jb.cmdline"
  2⤵
  PID:4016
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA0A5.tmp"
    3⤵
    PID:4744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\biuyswre.cmdline"
  2⤵
  PID:4240
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA132.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA131.tmp"
    3⤵
    PID:4340
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\foomogvo.cmdline"
  2⤵
  PID:1144
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1A0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA19F.tmp"
    3⤵
    PID:1880
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3avzzvee.cmdline"
  2⤵
  PID:2160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA22C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA22B.tmp"
    3⤵
    PID:804
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ngtgqjfj.cmdline"
  2⤵
  PID:536
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA29A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA289.tmp"
    3⤵
    PID:1116
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uazfwvty.cmdline"
  2⤵
  PID:3588
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA336.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA335.tmp"
    3⤵
    PID:4916
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ypmixduz.cmdline"
  2⤵
  PID:3816
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA3A2.tmp"
    3⤵
    PID:3260
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\omluggtd.cmdline"
  2⤵
  PID:620
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA430.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA42F.tmp"
    3⤵
    PID:4636
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ytc5h1fd.cmdline"
  2⤵
  PID:2024
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA48E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA48D.tmp"
    3⤵
    PID:1784
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irblwa6k.cmdline"
  2⤵
  PID:3616
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA578.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA519.tmp"
    3⤵
    PID:3704
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ogsotsmi.cmdline"
  2⤵
  PID:3088
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA5F4.tmp"
    3⤵
    PID:4784
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-itjq70f.cmdline"
  2⤵
  PID:4656
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA682.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA671.tmp"
    3⤵
    PID:3012
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xi6jfi1a.cmdline"
  2⤵
  PID:2224
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA6DF.tmp"
    3⤵
    PID:1072
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a2uwnvct.cmdline"
  2⤵
  PID:1416
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA7C9.tmp"
    3⤵
    PID:3608
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ctjom9il.cmdline"
  2⤵
  PID:4188
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA837.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA836.tmp"
    3⤵
    PID:3420
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\urlbulbq.cmdline"
  2⤵
  PID:4948
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8C4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA8C3.tmp"
    3⤵
    PID:3876
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mhzysh59.cmdline"
  2⤵
  PID:1844
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA922.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA921.tmp"
    3⤵
    PID:4572
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i92awpkr.cmdline"
  2⤵
  PID:1880
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9AE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA99E.tmp"
    3⤵
    PID:912
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0seivtm.cmdline"
  2⤵
  PID:4012
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA1C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAA1B.tmp"
    3⤵
    PID:5044
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tazmo64b.cmdline"
  2⤵
  PID:3964
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAA8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAAA7.tmp"
    3⤵
    PID:932
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\piyii2ui.cmdline"
  2⤵
  PID:776
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAB15.tmp"
    3⤵
    PID:4068
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymdnm7qb.cmdline"
  2⤵
  PID:436
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABA2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAB92.tmp"
    3⤵
    PID:3816
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hdevazhq.cmdline"
  2⤵
  PID:3908
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABF0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCABEF.tmp"
    3⤵
    PID:3848
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tscutwm1.cmdline"
  2⤵
  PID:620
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC6D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAC6C.tmp"
    3⤵
    PID:3304
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oziel_oq.cmdline"
  2⤵
  PID:2920
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACDB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCACCA.tmp"
    3⤵
    PID:464
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ppac4hyg.cmdline"
  2⤵
  PID:3980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD67.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAD66.tmp"
    3⤵
    PID:3472
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dn2blw_n.cmdline"
  2⤵
  PID:1832
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADD5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCADD4.tmp"
    3⤵
    PID:2272
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ifluilos.cmdline"
  2⤵
  PID:4656
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE42.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAE41.tmp"
    3⤵
    PID:2224
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyaxaqzg.cmdline"
  2⤵
  PID:3240
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEA0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAE9F.tmp"
    3⤵
    PID:4388
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fdric3jx.cmdline"
  2⤵
  PID:1780
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF3C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAF3B.tmp"
    3⤵
    PID:1728
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7fkbnuih.cmdline"
  2⤵
  PID:2344
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF9A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAF99.tmp"
    3⤵
    PID:3324
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\li5lioee.cmdline"
  2⤵
  PID:1952
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB027.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB026.tmp"
    3⤵
    PID:1004
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nfdsqp_b.cmdline"
  2⤵
  PID:4340
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB084.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB083.tmp"
    3⤵
    PID:2084
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fmb0f4nw.cmdline"
  2⤵
  PID:4352
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB101.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB100.tmp"
    3⤵
    PID:2936
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ruxuodea.cmdline"
  2⤵
  PID:1404
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB17E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB17D.tmp"
    3⤵
    PID:3236
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\li3elbzp.cmdline"
  2⤵
  PID:536
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB22A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB229.tmp"
    3⤵
    PID:3548
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6pl4tblx.cmdline"
  2⤵
  PID:2176
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB298.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB297.tmp"
    3⤵
    PID:1092
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sadur7b4.cmdline"
  2⤵
  PID:3188
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB334.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB333.tmp"
    3⤵
    PID:1572
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mphpt-4m.cmdline"
  2⤵
  PID:3724
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3A1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB3A0.tmp"
    3⤵
    PID:2192
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0fqvphbh.cmdline"
  2⤵
  PID:3068
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB42E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB42D.tmp"
    3⤵
    PID:620
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umbuypl8.cmdline"
  2⤵
  PID:3672
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4AB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB4AA.tmp"
    3⤵
    PID:3728
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwtlxw9c.cmdline"
  2⤵
  PID:4044
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB557.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB556.tmp"
    3⤵
    PID:4928
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ixhgzbvi.cmdline"
  2⤵
  PID:1604
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5B4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB5B3.tmp"
    3⤵
    PID:2448
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\esn7y0m7.cmdline"
  2⤵
  PID:4556
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB651.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB650.tmp"
    3⤵
    PID:3608
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\esek4hkj.cmdline"
  2⤵
  PID:1616
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6CE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB6BD.tmp"
    3⤵
    PID:4552
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\axb9ejwo.cmdline"
  2⤵
  PID:2336
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB74B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB74A.tmp"
    3⤵
    PID:5024
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbe-sbvj.cmdline"
  2⤵
  PID:2344
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7D7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB7C7.tmp"
    3⤵
    PID:5004
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n-vaeni_.cmdline"
  2⤵
  PID:2500
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB864.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB853.tmp"
    3⤵
    PID:912
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jolynfey.cmdline"
  2⤵
  PID:1420
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8C2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB8C1.tmp"
    3⤵
    PID:5052
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gw8k9oqx.cmdline"
  2⤵
  PID:4056
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB94E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB94D.tmp"
    3⤵
    PID:5012
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bemelrui.cmdline"
  2⤵
  PID:3008
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9BC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB9BB.tmp"
    3⤵
    PID:2892
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ljdc5bur.cmdline"
  2⤵
  PID:588
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA48.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA47.tmp"
    3⤵
    PID:1912
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q7nkxset.cmdline"
  2⤵
  PID:2584
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAD5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBAC4.tmp"
    3⤵
    PID:3312
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mvh6ulw8.cmdline"
  2⤵
  PID:4484
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBA0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBB9F.tmp"
    3⤵
    PID:4584
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykucyfu8.cmdline"
  2⤵
  PID:216
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC0D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBBFD.tmp"
    3⤵
    PID:4324
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zaphujjt.cmdline"
  2⤵
  PID:2976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC7B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC7A.tmp"
    3⤵
    PID:3732
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vjh12bn2.cmdline"
  2⤵
  PID:3084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCE8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBCD8.tmp"
    3⤵
    PID:3980
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o7ajcc2g.cmdline"
  2⤵
  PID:3012
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD56.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBD55.tmp"
    3⤵
    PID:3060
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pyxeng_g.cmdline"
  2⤵
  PID:4408
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDC3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBDC2.tmp"
    3⤵
    PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7BD8.tmp

Filesize
1KB

MD5
973a507be783d7dfa191efcf280fc9e8

SHA1
e4b2e7b29427afcd5230a045a29749e9bf4fe66a

SHA256
f90c2c5adfba3de22250ed05594f9b8a1320efb5a82c9360796e07efe89859a3

SHA512
4667935f36b5162e235d7a32055930c12ed3230e0a652fe0b797d450216e204406311dfa2e0f208457816a07bca0493ceb64a2c6675e0fa690dd23b584a8d664

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C65.tmp

Filesize
1KB

MD5
691298db6ca0820146bd6c8f5174d354

SHA1
289c0d976f588d98754d1bc88335857817c7cc06

SHA256
f3ab7b0d96972968f086a6e50727b446ab9ac8b6f03f9723d32349ffb61cab48

SHA512
8d4846a1a0bb2482c59c88611bf4520053420789a881af7138e19ec9fda5a07030f494c27030ec0f4b02b153be1f5dce94a6da106cafb824f5ccbccaf0eb76ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES856D.tmp

Filesize
1KB

MD5
9389a3202f8e2d7d323a03671569a077

SHA1
1ac53c2d3c862d91af40ec0c0ba7c06fe8c48b99

SHA256
e704cb27d677d4935ffc79624255da33a66d1baaf1c15b88300cd388344ede62

SHA512
3b97fdf5ceac1c6a0bcb106083a0bb9180e0c03b1e8ba9634b31b573cc7adb453bb199974368abe1daaaeff03f5f0535826b8803c2dc3987a249097e8aa97e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8619.tmp

Filesize
1KB

MD5
81059076295886602647dc5891bf5606

SHA1
9dfd154f059db98de0d25e4968eb183f5862c6d4

SHA256
466652db55806979f54e48897dce9c44736d677e45465dffa4a3b3f2757e8f88

SHA512
02f7a0829ab0e672bbfe4a38f1023eb01e891eeaee53dde0e7716d12583d31cf2248e0f2668ba740d30925fd621c7978751edcfbb951cb49c92a603eec60f57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8703.tmp

Filesize
1KB

MD5
ae7ed3e2f303febdfd73d87e40557267

SHA1
cee746f991c9ac6a3bf525b877e89e438131e7d4

SHA256
ff80035e092888f9b170e8ee8d45766ef4375dd2cfa92c5ba0ce7c7f97e47100

SHA512
dd705f4c06b41997c9d6c54d75e284f0f22c8137b6b9ee151383db92647f0d7c49f587032695641439ab6fb0d623f8950aaf5578c949a4a67186aff554fc632f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8780.tmp

Filesize
1KB

MD5
98703626fa62c9b63909768addc323a4

SHA1
9c8f050f620d56b890944b6d1394fe22e56b6355

SHA256
e1a3af6a6d36a662ed91ecfca0f7fb7f916c439345b282d4bece97d2a6b0feae

SHA512
3f8e2a2bf5aff4f8b0e24cd20b4a9a2c675b13959918c8719a802585e77d9577e8a0f54caae24c757d4556e6eb1b85e3cf207560f694580ca8f5ed54ab1f978b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES889A.tmp

Filesize
1KB

MD5
d911a4f7d9e421d96c6a00142febbcdc

SHA1
cd2f34e40846ca11df2a44a325d8709d86b71ffa

SHA256
e9071c3a1b4f926d74258741c5e898230975e028079500b067f0028d625fd959

SHA512
f38f0a5d56cbf2c12a5e6664a9b9aca8ea5e87cf0e4f17ac979df888b96b9b5f1ce9165764f971d25980555a1054be115a3253f95dfbbb077a97116468b449e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8917.tmp

Filesize
1KB

MD5
509f43a01501ea95b116c2264e922b78

SHA1
7f5589ce1a0e21e1dcec9ade53756894ea23fa10

SHA256
e0aa54959b96842f7a477be74afebd8a42363070aa5bfa28a4d3e2549ee64902

SHA512
f166b8c188180af2fe5a3261ba0ee4cbf7e6dbd44e60c333fa9be252d109708fd829d5216dc1fe14a9aec644aae17fd7ca21970d911cb102517c4c685c5e8f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES89B3.tmp

Filesize
1KB

MD5
293505bd468134c04472c9fb132cbafd

SHA1
fa69db4d73c7fafa69ef154020e25357e354ce11

SHA256
cc9103a5088ae1fa25cda7cd70a6022cd7595a387b0c046e391c857e94ac060f

SHA512
b5550b61ea4e297009d7f020d278b704f5e88cf0178935d36931642d23af8ef2d6690b597fbff967555a9d04543d54261e4647fbc50c7153362f23839b744d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A30.tmp

Filesize
1KB

MD5
651798ccb7a232b41ac16ad7a4f4776e

SHA1
5ab972de048d407d28b088da8de4519d72259cc0

SHA256
bfc0c93a5abc693a0016ff1ef101b77649a051029a0d9f0ac6f9a5ade8993a49

SHA512
a2d82ab25be4b302481f500b83e4678c31110e94dea2d541ffa206bb1d28bac49d8faefe210696ab6008550fec267fdcc3488a6007329681d6cf036149fa8347

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B49.tmp

Filesize
1KB

MD5
9e462216f7a381eddc97965631487d18

SHA1
066a59cb0b4ae3e453a11c375fc59e8005c7227d

SHA256
50544a3b4f2d0a130ba0be040ac17773795211e3a5899253e84c816cf78b8900

SHA512
9c65b258d08d19cff0bdb01b584e84bb7751e33eb6507f2c84faf0287c49ea7488e42b70e2366905098935a376883059ce191ccafc220b5877d0028ac7f82c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8BD6.tmp

Filesize
1KB

MD5
8039431db01377699c4d8fe64a468cca

SHA1
b573762105378bc2f3c59a4ea3ee86affa3a2679

SHA256
518080c2e3a2e95bfbe4e4f3a79ca94dd3b4c96c6bed1bf4a9af3780d079f90d

SHA512
c578708288f1e62333cb326a180b51b9f9a3efff58f4f45c9136b423275480efc973e0d8a1d8a3b6bad56d13c36738dd9ade4495d396e7159ac872b355eba104

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C91.tmp

Filesize
1KB

MD5
e8d0056e8a993d9e4f85966a3f5a71a8

SHA1
e6bb9d5b839a9feb34b89a18d5d57a84c9f3547d

SHA256
596c630cfa7a060dc5264f854810f28ba62049c135f36b07ca5d4fd861317d87

SHA512
dcac65b5a4e7d909f6ed153b39cd5c84a2404b1e8a4258056cb24af9349363f371f11be6ba4f16adfc5719451e8e10714542e95a19d29e50dfe548be3cf98c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1338y.exe

Filesize
640KB

MD5
e8f738d18ab03d78a768526d6f86967b

SHA1
8eabaaf775fa1c014b939aef4bf819eb7970a0f5

SHA256
be2bd7f736bbf7dd9c50a2e03a9c164fc5657c117739bad3ded2475b260d7253

SHA512
a09e2376ec4355a0ce4657d9f2cde52f4260cffad998ac460cd6b93e20a34d4568dbff6808959c2396c2072600d8b1c9e271c036d4525094fa816530853f52b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1338y.exe

Filesize
640KB

MD5
223e78b2cce882248d941e8dc6646ab6

SHA1
41eefdc72289da776848ea884485628b0b0a794d

SHA256
9272586990c105dee6062660f6850f4d7d50183313896f871d28c401f968184d

SHA512
e3981b21e0372945134d22a6125b994302a85e183c0a92d9efd73fe6a07c973b2861c017040a33d60d42f8dddee00357b964a74e6f27d297a8e365066f703b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1916y.exe

Filesize
648KB

MD5
0403057358bc5cafcd919b275784bf58

SHA1
c75d6f780c2a49111901a233e64c3bd2cb2b926c

SHA256
77659ad8e5ed9b3c146ed903dc8b8ff43dbaacca4c134c6afe98190b74a07ef5

SHA512
20deecb8d27c02d03c609a392c787de3a207617c4f338a24830d303a3e46f2cd91db37ad94fe49112309dd6699422e32e62ee075b269a68ae8651310d2200fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1916y.exe

Filesize
648KB

MD5
85763af873df22bbe10a9d6e114da66f

SHA1
9bd96d482b5712335480c2d31ddc5424337d3844

SHA256
2b8a52a77f6222cacbf57683c602632cbd3bfe32af7cee0a1848cba9e91bfac5

SHA512
39c6de79c347104c52b32f0e6fea7e59f7acd2bf7aecd5e4aaa6b176e53ac7cd5d1ffd15ea8980e195075351c9fbf2579846dfe92fe9e55c38c84d427ba624e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1942y.exe

Filesize
648KB

MD5
e60ec18a857248d8e5f7856867f3c264

SHA1
e8d694eee39516b2a7ae882229a9ffe264e7e488

SHA256
80f3f2ce501db295c8625badc38e497ec6f6751bd4c8effdfe7f786a45bfaf88

SHA512
db14052785ee509cfeefd2cff5ab517278bee23cea5fa8a3122fb0ddacbcf891c4a0942ebeb00a2aa319a360941cf968a78d1a419447a3dca2bd58b74d4dd56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1942y.exe

Filesize
648KB

MD5
7409ca242d1e76e4f8de2141283f51c9

SHA1
b30dd5c63fff3b389215fd0c9886f4821b5bac4e

SHA256
829563c77ca63c507ec3855a17e93098b94159ba14a7afa437f51e5c0d21acb8

SHA512
4d17f82abe3b0c19c83bf1973686f5f3acf3febded3679b9a71726bb9fb304828db6b8a1900519ae6cdaa89aa3152a504f787f1e40365b15c45fa566daa74ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x599y.exe

Filesize
628KB

MD5
c5ddb2d188dd18cb57db5f6aae35c862

SHA1
a59958313b8cdec0c7e557600f3b9cbb65f34c45

SHA256
57b2d13934bdfb1189b69c40926daf2e50a1aa57da8371b72bcd6dfcf83c9fd1

SHA512
a0f4851e8d9c504691eca61349386fd9028642effe6910fecc1df10ef7900d9b762878fbbb23219c23a20760d5a6e87243a1174b054f0dd6701ecbf7c67c7bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\x599y.exe

Filesize
628KB

MD5
65d9ef82433f451be8cfabf8189479ac

SHA1
1b3d3789951ab979a3add6855d10249439dde85e

SHA256
9f723dd41a2fdf6a80684d83d30821953f886c2db60ee42ed0e5cd8f53bbc124

SHA512
fcc07984b5e3786b0eee01889b7fd7e3eabd68dceabb39e687b11422cd54554753c5a21297af282a96e7e33eb18ab02c1d15fd7aac48245e65f7a8e1475db7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\x802y.exe

Filesize
632KB

MD5
2ec0b1ec8651d2eb9bad720f2e94ac40

SHA1
010940a8cea3e77d565aef1dce7654597547b954

SHA256
4d86f39edb6f235a71522c825b1ce59a2266ce86f9566d40e0f0ec1068924c3b

SHA512
9018d29ed7b0c5bee4e8ce03f5623882375f20bd319fd6ae76f021a72319f82081ab87594bd4c9c6c13f813430111defad6b0a58c43035c09e7dc3d586e08b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x802y.exe

Filesize
632KB

MD5
39352add285056af28ff666f959fa09d

SHA1
219d2051bba17fdb95b49bbdee34c09f296f71ec

SHA256
bacdde33ae85bfe9f411eff7f2cfae89187a3190258c74263f38065ccb43a44b

SHA512
99264a3825024901ec347c7c05d31fa139841ea7ea14d5db1444c7330b66452eeda4b7beb002d9a23dfad5f2ee593b411b3c8c8df37322ca8d4a1128c3b451ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\x954y.exe

Filesize
644KB

MD5
f1e82b85d6060ca49d41c68c0aca80db

SHA1
b74bade6cb63de94a1b958f9a60e13297012803e

SHA256
df0ecd266b3bb7dd56d89bce5e13602d74430330327761aff0c467beafabc622

SHA512
233a6f289742badf625f83ce583ddd8198c8ad35d57e7dee1fbba6404a44970899666d66eb4b76d0b4fa555702c619bfab3eff4b55b673f969a3f5960d0e0614

Download Submit
C:\Users\Admin\AppData\Local\Temp\x954y.exe

Filesize
644KB

MD5
de3fe6d9e6984dd94ffede78499db0e3

SHA1
d1a7e29f877d0ee827f5d2599f362356f47fad93

SHA256
e84703f50d148e86f00f40f9699ea6f7910c2e20a8afd1574a7d995a6f0ebabc

SHA512
b1c10be671edb6f6d171d5bf62e616d68a946f643bffbc13b4097c2186060cd848bb8f5adb5d63bca7ecad4a9a39ffa2d8e36bd3186428f3441356cc61cd7e87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\21-mrovx.0.cs

Filesize
428KB

MD5
eec0eb5d1ad18239db3a60a24c34d8f1

SHA1
4f0c9f1634a8182f6ba781cd8758e9467531b3e0

SHA256
4ec9611ca84f53b2cacc0624a1a0d7301906465feadfe927cb8d94014f025dc3

SHA512
fc4d87857a5f0101a1d79c5da6da48e3b9b1e47f0c5f6b2e01de7994b3cf3b9638df1bf7c8bfa6141e4bd91c09a999c5448208439a4b32eb74284dc7b921f962

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\21-mrovx.cmdline

Filesize
140B

MD5
52c4eda624df4d5858aa35af93aeda44

SHA1
5edf2d97b4d711997fd564773665358afa0875aa

SHA256
7fe3127d4c5494514103205ad90f6c8563118e07108e9959f094395fdb146839

SHA512
5d0ee03c0362dad33d9108f1cf9cc336127b2b2f2de7c6aa5ae5a218763d4cf15bf8c40034c0da88689f890de8fbae8f0b72abaf53ae097aa9a9845d6e40591a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\97nginuh.0.cs

Filesize
423KB

MD5
9f9680658152bb3c3cd8ca1666e28e5c

SHA1
09976c4c03f01d235c81bd32795cbaa564867910

SHA256
763561553c306c861d0bc5df97ac92d9e4fecd0e24b646f682cdb30b20f3b3a7

SHA512
aa9a314e9246f2273f011d6d4adec1ccba7bb77fb9fa9ff5b1bf016217b9f3bfcf9660cf3448addfaebe44f36af75e4334ba6495699f470ba9d04cc49251cdd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\97nginuh.cmdline

Filesize
140B

MD5
9bd5e2fbe7ab1ca6121fe28282265732

SHA1
4187eabb96064d0d968839f0902cfe4ea6081f14

SHA256
18280634ba4209606d319a02f08964933ec2a7610bcc740296dc861285d8ad3a

SHA512
ee449196287a1a8a333577db3f79b7fda1e27b5331070deb739f81897de8d158507d8172124ba1466b71ce2021e52594db71437a2782ac822fc760573af883c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7BD7.tmp

Filesize
644B

MD5
8c79a75e1a0db81cae5b0fda30bb0cc2

SHA1
c530500baf80e2f05269ac84de7502ee6983f491

SHA256
7dee6db770735f03969c52a4ca7d461f199a90bc8a7476f72c9a41d981729dd4

SHA512
09483b1ebea6fac8dfad151fecf3554f51962abbd041a0511d54eefa0bbfee765a5bb2f3bae78a03d8cb62a6b222be072ce9b8fc596ef6acd87c1b37dc3bf2fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC856C.tmp

Filesize
636B

MD5
159de2e237fb10cd3378e4f29ec92959

SHA1
e2d80a06cb7b31e40a804cc73a2650279d0694d3

SHA256
209cb185ac0cea3d12627aeabea794bfd1b522b2ee64288ca967322588553517

SHA512
78f64e84e8363dd78257bf0bf942653aaf8cfd9e595204b30dd4da3d5de5ff10b4bb02dfcdac4d37cf2a23ad4089a9b55db237a062fe84b0255e99a495b33ec7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8702.tmp

Filesize
636B

MD5
0667d61e3a8bd0b947aae414a82058ba

SHA1
034fb2cf2be4386069fa63bd36613d59a8917c2b

SHA256
358f4ba5c9e8792e7ccc254cee4e78a330040e36f817a44eff304623732104a8

SHA512
69d25a753c1cbfb80bbed870ffaaec12f7dedbaf9aedf224310529761210eb7dde321538f288efb5e05e039497edbcc146324e6b5aa99867f04ea9b12100e461

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8899.tmp

Filesize
644B

MD5
4b4ae6a73b23af578ac42e1de42caaac

SHA1
5915fe5f37a372dbfa3fa45c3d90cc68a5868022

SHA256
dbb999f321d7c0a5bf5d177dec23760555d62463c6adfbe9148d61c8ac21b8c3

SHA512
853f966211bb694a766478fe7cfb4fcaa0e097f2f1cb3fe95c4fd9c0826e9fb2833079ab4f537a4658f05d49acaea63d7cb29286dc04f468ba7b4ed5210541dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC89B2.tmp

Filesize
636B

MD5
edc56f9a163cfbca6e7b246fbc2f5918

SHA1
69c10c587031fae1eac5e7338d1da02e8a407bb4

SHA256
5652c126799b615807501f359434b6bf0b04863385a6195e68c70565cdbef337

SHA512
8df70f90ef3defddc1c2e7c9fddb77142b3dd54798b59d085e033b15996827af09d8ba4e364a63eb5ce6cf6d618bc22d957897b21e13bfc808df6df09f303074

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8B48.tmp

Filesize
644B

MD5
26accf0287e14f876a7367c4472ee4b3

SHA1
02ae91dd94f525c729565dd8ec5c0d6c1d453f32

SHA256
9211758f92aa261b161344506bf343545737e021c4b511a992d0fb9f6cbe991f

SHA512
2ab68029ba1bbe869a5cd1dc3f2da8b54d562683f3a7dbc7f402304af0486c31068325fb7410c35095143f2f88c9cdef6749536fdb983c6fadda52a931932eaf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8C90.tmp

Filesize
636B

MD5
244747a7cd0f57e817ab38e8c269beee

SHA1
c21b74c8a834ad791cd28b3734e5ea7d681d1e0a

SHA256
940fb62ae8c9d70f22520ad49199f8d617da85e6d2464c4696b099ef5a08a7f4

SHA512
64aac03e1d413b916c5d9e83e5b2dd92b910713d22a9b74916d9c80a4e1dc420f58b929687febef4e1d9d63a2a360e20ba486f4e43c9923279f85e6ccf543ad1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dfmvnnj1.0.cs

Filesize
426KB

MD5
ccff8dfc9029b4fb785cbc0577f5e468

SHA1
218c3206591864c2e96fa11082861c3dfbb014de

SHA256
124c0603f75dd645a7b0fbce622e4c07ef3ba0f95282b4748cc6e57db9d9b63b

SHA512
954a9d7f6b1148f93f51b4f88cc77d0df8ab23cde6632099d344e06ef8c987ea7d1874c109776be38794c600fd2021d6dc1611d0a0e9a5927157ab93305b2233

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dfmvnnj1.cmdline

Filesize
139B

MD5
fcf65e390c521c64b497a2ca82fbb219

SHA1
4953ee173cddc0bcdd3e32b3b35155d22de3634f

SHA256
d95cbf4d9bb7d40b5b0611cbac0a8f07c13518f764284e4c43f4a814d3e06f08

SHA512
74ff48d8a45e4f7746f71f79607dfe0c393fe01340c2b76a263b478d8f7a3cc0181857098c6799facd9b43f4351b1cdf4a0ff87b8d1367fb23e67451d5e5332e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ds6wbssj.0.cs

Filesize
265KB

MD5
cfa536fb32f92b7910a227f313970d4a

SHA1
08834900c8e75cfc8418431a117e6935f356f9a4

SHA256
4215580498434510d0496db0b602e9f4dac28d9a91fa357cb371fa4c6d7017fd

SHA512
5e70f54f5eecbcd5bdd73910ba5e36df9e638f7f9a9b7f594ad964ba160ce70000b1e0ea47c8492a35ba3521ec0b61977e406a872614c2897f01be82be61203f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ds6wbssj.cmdline

Filesize
138B

MD5
1d0e2a1118e0c5a99714b446f5b2d869

SHA1
2c812de33ab1e70033f49a58dabf8322170aa86f

SHA256
926bf1e98712d68298de5913af4d7bb77d2b1adc5c19820bfb76abf1fe77fc1e

SHA512
762a69cac8c4ee1a1777f4e2b3c2374b133d9ef0285b7b0cbc1a654b5b2dcfeef44763317401d2e24a9535edc3fb53d1ef9b43368b2c34482499591f7fd6ee41

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gsf2ian4.0.cs

Filesize
428KB

MD5
7490bdb92fc41d4ab46c972e3d1dda19

SHA1
3a4dd04cad7e6d408f84ebd4909df82d1682fddf

SHA256
9b33122e3799ab7c0617208c68dc4da722b480ed556a7762c0272cba8e017289

SHA512
ede105cae785e8522327f7786a0ddf2a1acfdda0738bce2b6401bba99714f81aeacae9f8a1f67daf9c113cadf581cf42ef92c65fe917d9839597ad99d710540b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gsf2ian4.cmdline

Filesize
140B

MD5
6888c1a98d8f6bfb54f24eca8e362c1d

SHA1
3c7bcc2eee40c1c371fe6d8855a96541a57c9dc0

SHA256
f4f8b6aaf33640ae4321fb38b0c1bf02b205450cb1719d9502a61e060f37c0b5

SHA512
a9c39c49cd9f6fd0860bd5773d41cdc33fd0a52d41d842775435e2173c3fe8d1a788e2783968c31abf10e723a4fbdb429b141d7b471bc31d86eefe1543e3c1e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h8yewkl2.0.cs

Filesize
418KB

MD5
5dfbce854bd33a7896cb1ebd1e88daf1

SHA1
81ca22fe9d8560df6bd3187fd49fefce37c7451b

SHA256
c044c90fab4683c63e6fbded5caabb36db0fcc04ec8099375eae99f6f1d4b417

SHA512
fbeb49c99af6c6129f4cd544961d5a3da999ca6982a49b9b88bc6557737561ed117c668061257d879fafa1af4f79dd9db3fe543157dcdebb9aa9b8380dd48f9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h8yewkl2.cmdline

Filesize
139B

MD5
d64570c84da7ea11957897fd19f4c1d9

SHA1
ee209055a1acaa4949d63be31a60345e37828814

SHA256
81be0d934cc3f9668506ad9cd862b2de7a3bc8a505b8953676f80aa514c08172

SHA512
b7f579d0113aacc4ec452902a7dcc3210cf1d0b5e80c436ee9c9edc338c8bd34926a6781abd575de7ee0b1e098b95851588df39fb1c6bcb601f61add00c0137e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nm6rxeow.0.cs

Filesize
428KB

MD5
5f2be31d9efff31b3cc69e58a53ea0e1

SHA1
ed2d005c273ceac84446b58a605eef5f07eea12b

SHA256
bc38366e117373bf16bc56d3f72af7e6d914e4467637c387da177a33306237cb

SHA512
166ce94b266a6bb37a6f294e11a897c5ef59cbae7f6908f17c8bd20fb84610c5acbdb5f55acff0ed78a846dd7a6c96d2e3514f7e09e57c29400a414eaa452eb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nm6rxeow.cmdline

Filesize
140B

MD5
da65b71ec43bef17f5ae993c13f186ed

SHA1
c843fcb612a2535f71bcc2bf242dba5fcfed853c

SHA256
b4f44cbb7b779f5815d686558ed9f2d6691f5c6018ec71bd9553c5adaaaaf009

SHA512
60aed09f8566aebdd2134d24ddcdf9320f378670fa5832084319e2bf62ce107d9ee7d44fc58fae35fb567307c7e6088ddcecf5220b221fe7313323ebfbc1a2e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tebwhhfn.0.cs

Filesize
426KB

MD5
d3496065148b276afe014a866a0d7a44

SHA1
3b38948896f74a54fda654cb5e7adf7f55e6cba7

SHA256
9d0a32099952e1aaa8aeedfe58ce1035f1dfaa57dbbfd738d57f08637ee68f80

SHA512
2ef45b0164bffb1cf709665081ffcd3c5fb1c96aeca5374e842c4b3aa713fff39c6dd8dbb08ddf22e9defbd5b3c8d33766d1c35e8c0d6112eb53ef67328bfcdc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tebwhhfn.cmdline

Filesize
139B

MD5
ab14c225c37a97db84a6487aa279c7eb

SHA1
1eea359212f4b534a8c3a2bf356623b4041a267d

SHA256
a28d2f48b6dfa6b71166e240a5bdc3354377a21fa7df931f33b667857b0906af

SHA512
482ace46fb7f2031797c956dd155032e341e80df7c97146d54c24eb56f4402ec8eeb1aed263a3035896d37a3462dbceba2c70049c34a61e840cd1ec23b8099cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vprk3pnv.0.cs

Filesize
428KB

MD5
3280cec70aa1a438aa8fd7624b178ca0

SHA1
628df9fcabace8100a50e7540a96e91521ddaa48

SHA256
182cd7c87e67668e47b89b94562fc8e54abbafc7e294eeb4b7ee56766f407f4d

SHA512
9f12fd7586dc479c4823623cf191629a4206d7bc5c2d55f3bdd1993596bf700eb2bd6f49b9dbf876a1efa2f7b970ec14c0572c14f7c46141f1fcadfc1fcf01a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vprk3pnv.cmdline

Filesize
140B

MD5
396c1cc452b3b8e93b720951b62ea434

SHA1
d4180841e2e86a6285268e416eb7ed8510cd3c5a

SHA256
14f8585236061368b864be4062723cb43b0ea230ca9d8675c4dfb8dc1f2aca68

SHA512
70e71df15bdd1021cc6a08dc5059926f6b4eebe6ef6f3692589bc2a3d9d600dad411a8bbf5ccbef5e27eeb50aed0801629fa6f83d01400593f51154357e02d24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wclrywha.0.cs

Filesize
416KB

MD5
c90fe248868c02f30e90a9a823bbd398

SHA1
4a7d154ed55e0f8afa8feb7ade706b13ec2e6d71

SHA256
e7a2694b06b0f9d8f173242075fe508e3a9d49bceaa7f783994ef480da4c9f4a

SHA512
1c67974cd4a5d230da26d7c45041549d816224842d2366615e3e2c607b74638698e72027994ba59256fa32ef217d29d7a8ca4f784cc89c2dfeba800deb47a8df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wclrywha.cmdline

Filesize
139B

MD5
7cbf4f178b87e2fc8a1eb489653820cb

SHA1
fc9ce5ab17b67766d8dd6efced422380ff04f3c3

SHA256
4f4ec95b6ed2b36c0afc781c5446781a262b2d2d4a4c12235148417b67dbb69a

SHA512
3abc8f389d3153345fcdb76fa6696339d24383dee7338fb44fca565ae1d1d65fa743af144993fa404d78cafd0486b09d9ed4acece0d40a8a03422656fa2a15d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wzggro3i.0.cs

Filesize
423KB

MD5
3eb5d7b5fa8cd4788eb6faaaa9d31c8d

SHA1
3287b03918bc6fd00c62e6a5b579c0ab722aec50

SHA256
afc8577ab21e3c39851c70a6d611daa11227b4ddb7ca06a5c325ae668d7173d3

SHA512
3daf2dc71574fe793bea1f9ecd631b5f9a0423611ed3daf038b43a480a1cfdc62dbd090d7c2cf73d6a2577d67c4885509dcb89ca9f945ff9f6b9e2e09c4fd214

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wzggro3i.cmdline

Filesize
140B

MD5
93aa9c51ffc540177549de0754955390

SHA1
2048805a31e14da35a262f309c6929039d27003f

SHA256
33e23dcf2edc71bfb42f118e57ad963ab5430c8ebd279fa2c62dc42ec0b96ef8

SHA512
7775f65ce05d9a6a290938ad086a637fd7a4becbadecbe20697d8044341957a05e4204681530c517ffff5c87d908ef733e93789b84e2d369e6a90a7236ca4ca6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ypm-3vnm.0.cs

Filesize
418KB

MD5
2f0fc623eadb790b52effcdc59dfad70

SHA1
2db5a345226334d26ffb391725f97504efcdf9a8

SHA256
3bdb69468b392f9b38376922896f77ced2266e02d39996ca28ecfb37760649c8

SHA512
a35ee52fba55654cbe9ca15e09b35ee41eb16ece2fa4ad13fb55d41ff09517b83596713c22e8069533ccf69747c4e535e8a3eaeb7057af1a0613c510949a91d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ypm-3vnm.cmdline

Filesize
139B

MD5
344bd6b3082bcf4f256e9e4d29ef1930

SHA1
ad489340382ae1efbb5ce53f44323026e5c531cd

SHA256
2ca8960753c1abec5fa3264cda1ed29d2d2102a9b79034264ccc2726b49ff9fe

SHA512
fa921defde396fd9a6e420369bcf4e63b1441d6d55c71030047ee02f0670984437dfa96fbe0e4595ac0f4e635830fbd3afefc5909cf3b2164a6f905e1a47eee6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvlp2qtp.0.cs

Filesize
416KB

MD5
9c6b3072ab44dfe942de54590dde0cd2

SHA1
a0704d18ce7472a8bd947478520920be9212a891

SHA256
9ba62e2206e0765e57a694dcf46615c54e0d66018335dfe25284de650f659678

SHA512
a0f378eee68c5e2d91731c58adeaf2f2dd6b44078c00bc6b2b701fd49aef0d4570dfe883469dec61ce184fd6ec5b46ce54d3ae657555b0b94c5a8d76d07e87f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zvlp2qtp.cmdline

Filesize
139B

MD5
80c7341cd9568224d818e59b385fc67a

SHA1
09c80351a3cdabb70f81dc0d948f474cb2fd846d

SHA256
a6de69eb1eb7cecdffa4a7c0d9f03edc176b062ae3afb93f45f889fbc286c458

SHA512
1cfec4a50821d4f81ae45ad59403f03267e417e4460fe5e901a816445a86a01b138ce1fe8d87727f912b13858edadbaba0f0c5d8457e5b9c3690ccaa3454edc1

Download Submit
memory/1508-382-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/1508-618-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-40-0x000000001BE10000-0x000000001BE84000-memory.dmp

Filesize
464KB

Download
memory/1508-42-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/1508-131-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1508-39-0x000000001B910000-0x000000001B940000-memory.dmp

Filesize
192KB

Download
memory/1508-38-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-158-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-43-0x000000001BE10000-0x000000001BEA4000-memory.dmp

Filesize
592KB

Download
memory/1508-44-0x0000000140000000-0x0000000140031000-memory.dmp

Filesize
196KB

Download
memory/1508-37-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-36-0x000000001B4A0000-0x000000001B4A8000-memory.dmp

Filesize
32KB

Download
memory/1508-35-0x000000001B4A0000-0x000000001B4A8000-memory.dmp

Filesize
32KB

Download
memory/1508-50-0x000000001B380000-0x000000001B398000-memory.dmp

Filesize
96KB

Download
memory/1508-104-0x000000001B910000-0x000000001B93A000-memory.dmp

Filesize
168KB

Download
memory/1508-5-0x000000001B4A0000-0x000000001B4A8000-memory.dmp

Filesize
32KB

Download
memory/1508-4-0x000000001B490000-0x000000001B514000-memory.dmp

Filesize
528KB

Download
memory/1508-185-0x000000001B380000-0x000000001B3A0000-memory.dmp

Filesize
128KB

Download
memory/1508-0-0x00007FFA71965000-0x00007FFA71966000-memory.dmp

Filesize
4KB

Download
memory/1508-3-0x00007FFA716B0000-0x00007FFA72051000-memory.dmp

Filesize
9.6MB

Download
memory/1508-2-0x000000001B4A0000-0x000000001B4AE000-memory.dmp

Filesize
56KB

Download
memory/1508-1-0x00007FFA716B0000-0x00007FFA72051000-memory.dmp

Filesize
9.6MB

Download
memory/1508-206-0x000000001B910000-0x000000001B936000-memory.dmp

Filesize
152KB

Download
memory/1508-223-0x000000001B950000-0x000000001B990000-memory.dmp

Filesize
256KB

Download
memory/1508-224-0x000000001B950000-0x000000001B98E000-memory.dmp

Filesize
248KB

Download
memory/1508-225-0x000000001B910000-0x000000001B93C000-memory.dmp

Filesize
176KB

Download
memory/1508-226-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1508-227-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-228-0x000000001B910000-0x000000001B934000-memory.dmp

Filesize
144KB

Download
memory/1508-229-0x000000001B910000-0x000000001B938000-memory.dmp

Filesize
160KB

Download
memory/1508-230-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-247-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-264-0x000000001B380000-0x000000001B39E000-memory.dmp

Filesize
120KB

Download
memory/1508-281-0x000000001B380000-0x000000001B39E000-memory.dmp

Filesize
120KB

Download
memory/1508-314-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1508-331-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-348-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/1508-365-0x000000001B380000-0x000000001B394000-memory.dmp

Filesize
80KB

Download
memory/1508-77-0x000000001B380000-0x000000001B396000-memory.dmp

Filesize
88KB

Download
memory/1508-399-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-432-0x000000001B910000-0x000000001B938000-memory.dmp

Filesize
160KB

Download
memory/1508-500-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-517-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-534-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-551-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-568-0x000000001B380000-0x000000001B394000-memory.dmp

Filesize
80KB

Download
memory/1508-585-0x000000001B380000-0x000000001B398000-memory.dmp

Filesize
96KB

Download
memory/1508-41-0x000000001B380000-0x000000001B3A0000-memory.dmp

Filesize
128KB

Download
memory/1508-619-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-620-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-621-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/1508-622-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/1508-623-0x000000001B910000-0x000000001B932000-memory.dmp

Filesize
136KB

Download
memory/1508-624-0x000000001B380000-0x000000001B39C000-memory.dmp

Filesize
112KB

Download
memory/1508-625-0x000000001B380000-0x000000001B394000-memory.dmp

Filesize
80KB

Download
memory/1508-626-0x000000001B380000-0x000000001B39A000-memory.dmp

Filesize
104KB

Download
memory/1508-627-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-628-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/1508-629-0x000000001B380000-0x000000001B398000-memory.dmp

Filesize
96KB

Download
memory/1508-630-0x000000001B380000-0x000000001B392000-memory.dmp

Filesize
72KB

Download
memory/1508-631-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/1508-632-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-649-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1508-666-0x000000001B380000-0x000000001B39C000-memory.dmp

Filesize
112KB

Download
memory/1508-683-0x000000001B380000-0x000000001B39C000-memory.dmp

Filesize
112KB

Download
memory/1508-700-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1508-717-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1508-734-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1508-751-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/1508-768-0x000000001B380000-0x000000001B392000-memory.dmp

Filesize
72KB

Download
memory/1508-785-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/1508-802-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-819-0x000000001B910000-0x000000001B93A000-memory.dmp

Filesize
168KB

Download
memory/1508-836-0x000000001B910000-0x000000001B938000-memory.dmp

Filesize
160KB

Download
memory/1508-853-0x000000001B380000-0x000000001B39E000-memory.dmp

Filesize
120KB

Download
memory/1508-870-0x000000001B910000-0x000000001B936000-memory.dmp

Filesize
152KB

Download
memory/1508-887-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-904-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-921-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-938-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-955-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-972-0x000000001B380000-0x000000001B394000-memory.dmp

Filesize
80KB

Download
memory/1508-989-0x000000001B380000-0x000000001B398000-memory.dmp

Filesize
96KB

Download
memory/1508-1022-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/1508-1023-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-1024-0x000000001B380000-0x000000001B3A0000-memory.dmp

Filesize
128KB

Download
memory/1508-1025-0x000000001B380000-0x000000001B39A000-memory.dmp

Filesize
104KB

Download
memory/1508-1026-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-1027-0x000000001B380000-0x000000001B396000-memory.dmp

Filesize
88KB

Download
memory/1508-1028-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/1508-1029-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1508-1030-0x000000001B910000-0x000000001B953000-memory.dmp

Filesize
268KB

Download
memory/1508-1031-0x000000001B380000-0x000000001B39A000-memory.dmp

Filesize
104KB

Download
memory/1508-1032-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/1508-1052-0x00007FFA716B0000-0x00007FFA72051000-memory.dmp

Filesize
9.6MB

Download
memory/1508-1053-0x000000001B910000-0x000000001B932000-memory.dmp

Filesize
136KB

Download