Malware Analysis Report

2024-11-30 04:44

Sample ID 240604-bplgjagh66
Target a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c
SHA256 a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c
Tags: spyware stealer
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c

Threat Level: Shows suspicious behavior

The file a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:19

Reported

2024-06-04 01:21

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\loadmxf.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\Narrator.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2588 wrote to memory of 2760 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2732 wrote to memory of 1888 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2768 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 840 wrote to memory of 3064 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2536 wrote to memory of 2992 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2676 wrote to memory of 1936 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2660 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2824 wrote to memory of 268 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1152 wrote to memory of 1852 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1840 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2188 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe

"C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e1en5zkc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A1D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2A1C.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\92c7b3sb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D49.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2D48.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7rzhsaex.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3045.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3044.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sf-ftc1g.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES317D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC317C.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\azkrqhjy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3209.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3208.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-g9g-iqv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3296.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3295.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vghv6blk.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3341.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3331.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfzkg2m0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES340C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC340B.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oxzuxtch.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES346A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3469.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lxmfrqtv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34A8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC34A7.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2jamua-y.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3525.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3514.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zln05jij.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC362D.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezxqshkk.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36AB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC36AA.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\akn-y48m.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3718.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3708.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ohxezc2.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3812.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3811.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u-tsyfnx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES389E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC389D.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\du4w49ky.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvar4y2e.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES392B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC392A.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\504gvd--.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3979.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3978.tmp"

Network

Files

memory/1996-0-0x000007FEF59FE000-0x000007FEF59FF000-memory.dmp

memory/1996-1-0x0000000000650000-0x00000000006A6000-memory.dmp

memory/1996-14-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

memory/1996-15-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\e1en5zkc.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\e1en5zkc.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC2A1C.tmp

C:\Users\Admin\AppData\Local\Temp\RES2A1D.tmp

C:\Users\Admin\AppData\Local\Temp\soymame1622.exe

memory/1996-26-0x0000000000360000-0x000000000036A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\92c7b3sb.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\92c7b3sb.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC2D48.tmp

C:\Users\Admin\AppData\Local\Temp\eexrrzq475.exe

C:\Users\Admin\AppData\Local\Temp\RES2D49.tmp

\??\c:\Users\Admin\AppData\Local\Temp\7rzhsaex.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\7rzhsaex.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC3044.tmp

C:\Users\Admin\AppData\Local\Temp\cyuniwh142.exe

C:\Users\Admin\AppData\Local\Temp\RES3045.tmp

memory/1996-55-0x0000000000610000-0x0000000000636000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\sf-ftc1g.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\sf-ftc1g.0.cs

C:\Users\Admin\AppData\Local\Temp\ruiyjzm905.exe

MD5 56ca31aee45cfb562e75a9afb14ed6a0
SHA1 2e5c804db254b2f88224fe81d7986fdd3d05fe4d
SHA256 fc1b6737deeb0e32a3a8965a9442ef46eaf482e4bf8ba15e39928a5fbc20bf65
SHA512 dc1b24fa4c00f0e85e4479cfeb59606010b2bace4a8c139afdcf3979a4bd08c4d29497979e642b1c64db88e4f04534beb3c067f9da581c9385141c7fcedcd2cf

C:\Users\Admin\AppData\Local\Temp\RES317D.tmp

MD5 f86b8e77a23ed5dc53182fc68357b310
SHA1 1015798e05d4baf43f5b457855892776281865a5
SHA256 95963980ec02886137c1c207a6be5e31239841d8ca7f58bcf15471605d9f2983
SHA512 ab068f630a00c0754419984721506920a2ef341d22453e3caec6142e9692e0cff6b374b5237e372a441a1e7fa666c8dc7dbd8b17eb5ed07cf933fd0ead510fbb

\??\c:\Users\Admin\AppData\Local\Temp\CSC317C.tmp

MD5 7a9bd4c6b99501ed5187ee123c8d4e9d
SHA1 d1e4c630b2d0f9ea69444dc73693e072ada5e700
SHA256 2d3db7abb795d39d632fada5bb2dd994f8e60f69e8476dda598b958b92d39643
SHA512 7a13849046e4e9df571ccfbc852c6f4fdc8772946726e24a784d63ff9986bead56239eb37840ce0b4fc912a4ac5f7791d1beb31b478911fde01283b181591412

memory/1996-69-0x00000000003B0000-0x00000000003C8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\azkrqhjy.cmdline

MD5 1d7a9c7312b879412d4108bb8a9c1879
SHA1 88bd32d13f4c77fb87bdece4846c1d77adc87a40
SHA256 280cc44087bc4195bfc8197043ada0b82473cbb74b9dbc8fe86a92a14c4c18a6
SHA512 24ae26930b51fccd764ed8ef3db327357cd106622e4f2963f7fd8509d2344eda9b97f6b8442cbc9bd067c685f54d504efcd3d57384ad14e1d8e28e0fb3621965

\??\c:\Users\Admin\AppData\Local\Temp\azkrqhjy.0.cs

MD5 28d569e3681db2d83220702cb1917383
SHA1 87541688344fb72bba2e163f85081e5f8e1eaf85
SHA256 867c0986b313539f471478dc347e73d1345be219dc4fc86de97f6b06c38b9ff5
SHA512 a2ddf1b34aae732f676f2e530437526ac93a74ce62b22e3387fd560a7e86c8343629d6c4d81534397b16c3d6ed611361ee61fcfe4fb2a1faf18a72dd355ca8bf

\??\c:\Users\Admin\AppData\Local\Temp\CSC3208.tmp

MD5 3c13923cb9d2496a868247a21906b02f
SHA1 9778be9482a65f963da94d76893ed1c78135991e
SHA256 797e6181599c744d60edd5a771476652abe241ea5532959bc005d984fef58d37
SHA512 729caeedbfc4e5d6d988a4fd8a1e1198516a135a55c8986d59a778824b48de73615eaa16b82cef64804a1d92e0925b893e781c37140050db46356415bce5ee62

C:\Users\Admin\AppData\Local\Temp\RES3209.tmp

MD5 486202328978c4a9d71d5f5a515b92d2
SHA1 eeaf4081550951c1d6b8342876891a66b5d5deac
SHA256 4673b7f77b8ce7c766482bce48d56f9aeddd5443d87ab1f2d9d4a4f055cc20eb
SHA512 2358e01ab7fd9a1a646454f3518eea004b49da978efd968d1e16110703039953d6fb502d7698b2ea0def1daf1586fc97c0764f8f4693bea95085b52f064bd39f

C:\Users\Admin\AppData\Local\Temp\okkocaz1648.exe

MD5 fc4565548977b11fb6ccb7c447bc6faa
SHA1 f524489e7613cf494dd16e15fe01684345015133
SHA256 915617f40fc2ab26819637725fc27d34fec03dc6f181b9e92bc082c59ec007eb
SHA512 b819a1b4c80587076af7fa7b8ed6f35893084fa624de35de7ca56c235cfad977084b4300747ac714e7ea23165571071f6823ba6a9654eea6e8f6b6995df5a83f

memory/1996-83-0x00000000003B0000-0x00000000003EB000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\-g9g-iqv.cmdline

MD5 57aa7a696cc63b5a7b95b6f7c9ac66c4
SHA1 2c7eef3013351d10709c672af7d4dc4aec8435d1
SHA256 9e51a037c35f3004e4adf7013aa5566215cdba4984aaf34d0a9c1c895d3db51e
SHA512 a3cb09a13b032209c09c84cb30b049aed2b5ab84e1371505b0b2d29b820f7db241eaa928b9ddf5c7cb1c22b8684d2523d1bbd27b49d35f92e72c2c677280577e

\??\c:\Users\Admin\AppData\Local\Temp\-g9g-iqv.0.cs

MD5 f80e98edc386427e4177b473f04796ba
SHA1 a45508ecc249b1d0f44d7589c5e782ac67687935
SHA256 7f0581a96d0da99068d49d5f9f1d9adcdda0fc72eeb5f39f495a7e42a026d211
SHA512 95c8404318812d2e964662fd8f00fad8134336f3f3560338f27cb2704b6828a052d51a4badc01d075bfec6953d93c8056bb9ff360ba8e39ee67f266a6d1a21c3

C:\Users\Admin\AppData\Local\Temp\jxakybf1895.exe

MD5 93a1f8ec9e8fd4f93c6aec42f7ab115a
SHA1 9d17d82d120935bfe5bb16e1339ad0031eca21fb
SHA256 036d4f43714b951b193732f7c25ebe16b551e20b5932349a5d2962b3ca039449
SHA512 60204fb93b3e89f301509bce11a683835f5b35296dd6e4fe4a24c888ba6214a6ed36c69219a900f6665031723b444d02714eb986f1e9df7c6f4b5ac735a39e0d

C:\Users\Admin\AppData\Local\Temp\RES3296.tmp

MD5 3e8a412a5e6fcf56535ae277c243c4e5
SHA1 c4736da17855b09fb74c886a072762c90c33f5ef
SHA256 b77eba4c0c5d0a08601c8658f34a4d7cdf50fa2103b769a7f4774c1cd1df4770
SHA512 77b6e56b7d2f2810fdf1dc7348efb604b01f0f40d7d73bc3d0190cec762669e0af3e94b713857b0f7951c68ab2cc009440893152644ac84bce53f69e7cf587b2

\??\c:\Users\Admin\AppData\Local\Temp\CSC3295.tmp

MD5 efe2e2d839965a55b435885489f631b2
SHA1 ebb155245ee7bcd14d8d63a97266b5963774fcc6
SHA256 750d3dc05ac620a1fba1eadf84e0a2533df501b1cb251f852644a1d7d821cbe3
SHA512 4dbdaad253dfebeff67856143554f835676f22229410bb2a234c81de26ee1bd79e254bb38df39a67e51eb1a0daa2b2b285895a8c23e4c23aeee0f68426dcdede

memory/1996-97-0x00000000003B0000-0x00000000003C6000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\vghv6blk.cmdline

MD5 8e7a6e6996aea2aba1e7c97a9d570ebd
SHA1 10d1406b42587a64d751620dc5d9802aff56639f
SHA256 f6d76c6d08515cfc72277cda481ce12e44c66bd05b53c265b18e077ceb3db85d
SHA512 1bd63a2192c7ec3f9011c6cb8ededa7d7211be0af4f64a7482914fe51101756c2031066c8b5140e2675733b808ff0c2e56deb4f618f682e64be338c49f71ae24

\??\c:\Users\Admin\AppData\Local\Temp\vghv6blk.0.cs

MD5 a27153164c39342b7d2b78ffdae3ccde
SHA1 79a45b1f3192be5c4c41320152fca837ade53380
SHA256 c7262f2e4e10a11b9564e74c3040a60aa1dee4fc243f5dfbbd0cd02b6ec78884
SHA512 52a368b8cb5c42ff3cf4bb15bd12958a04eac41d66d5a7812a9c5ba2ab83dbfcecaf546722650c944b1bd068dfc7126b278561b686cb345fd95a7ae1809e16d4

\??\c:\Users\Admin\AppData\Local\Temp\CSC3331.tmp

MD5 c5067e574a3abea925770e21d2d083d4
SHA1 7d8d1320ae35bbac5f88c7a988f8f68059148458
SHA256 3a92f255800d5892ee8eba800a283b0b1ffcd43b75ac649cb913cffd9911610f
SHA512 09fa48425fb47b190fdd56d199ca3792d3f59cd27c5b1c7503212f4ef95930ddd23e938fa0d3ae76f04f944cd82c90090f19ddefbc62b2e9a8c6092b1d04aa41

C:\Users\Admin\AppData\Local\Temp\RES3341.tmp

MD5 9cee3e7e551514c9f0aa8d0900599818
SHA1 9498940f7992bacacfdf0f116917d276fbed9461
SHA256 b7b513de4208c0b17d538b04a5c153e5afe815a82ba8c731dbd7f9234b5f81b2
SHA512 f919b45671507e42c3f1d70f27eeed8ad57bba9f5a319f1cbff2ed55b93057b5220e3f2a134d9c7e45d98545af9bfe79b72d841071a8069e866887e3547d46a4

C:\Users\Admin\AppData\Local\Temp\dbdghwa1018.exe

MD5 bf99de3981fe796323b9603910426872
SHA1 03c5c0b0b5695db7e5fe5d1d6e358e1d20057364
SHA256 3f02a77e5b0e2003df4096b1ff59d3a511bd7014d1d3dab8e578b88421cebbb8
SHA512 460dd43ffdbdb8f8a64d7f53b7d3ff36f16c0043dfada5cef540f9132c1cbaa45d98bf3b09f8e3b44deb0d5504975969dad59fe73cebbc6eaf7f5186eae60e4e

memory/1996-111-0x0000000000610000-0x000000000063A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\mfzkg2m0.cmdline

MD5 033086d98f01ca00fb4b0aad15350442
SHA1 9d583318c3bdc5961c10bf10dea0339e3874385d
SHA256 0587f1ea4646c9ec39a3439461e16644978b4260d69f29b34dd84c30b880bbef
SHA512 f3e1f656a3bbab3a1de6bf1847da963c82675f07a29d143d277fcec684a3f49fb2d9c32efdcb30f1ca7ebe85162f6f40c931385e051fa464709c49bc1c87220a

\??\c:\Users\Admin\AppData\Local\Temp\mfzkg2m0.0.cs

MD5 0baa915fe08e920aa54833baef776ed2
SHA1 1f2ead4134fe8da29dfc64b2a0917ad340174ccc
SHA256 0d7f75d97ce2ec2540a2986b846403068a3711532aaa16c4d2d975314517da10
SHA512 521dde49aa2531b77ebd57bec5fecc82761a7a9a91d78633a3aefa7271c36d1376d58df5a460113af4a176ac437f6aa512dd81da2a764a9201b57e528f2a102d

\??\c:\Users\Admin\AppData\Local\Temp\CSC340B.tmp

MD5 1567f20958b2c70d40e0fff6a4a58c0f
SHA1 5bfccac4df7a71e6b178fef288df64d2cd9a80f6
SHA256 c44ccb7e4dbfddb777a57b9e31efbfe4ff44aeb36130e19d947201257687e7b7
SHA512 f4671a897d51d01f9c89cdc8194b5f8ecbb741a687755728195ee2f4a378a37ce5dd569cafafeca900f3159182dc3030b634cced36f6209eeb2517cb6846eb23

C:\Users\Admin\AppData\Local\Temp\RES340C.tmp

MD5 76321a699b86dce9fc31dc2a78782c1e
SHA1 30a4e3d695e1f9cbde7cd0f7cd661bf8edeadb47
SHA256 3f4bc830f226bebf43d7873a19b5104730568e533b1a8c78cf8451c231bd53fb
SHA512 052aef16fdeec1a2032f97087220ccb5bf68c226949d7b728cac16295d997eb2fd0e068352e272007ca09e08f0c378fada50607f5278bbde24df21a3fbab2c03

C:\Users\Admin\AppData\Local\Temp\mxldlpk352.exe

MD5 6fafb486a0ae96c7acbf736cc0e26087
SHA1 9ad19434d45d67dd7e563f2324fca6ba61678501
SHA256 a8534fbcf30eec10238ed1a66cb13272309c46248d87207cb394f510871d1fb3
SHA512 8ac760365d1319503c0e288bd2e070ce6a33fcb453d71e7edcbadc067e422c7e46ec7cf8b576b0b9e0f7d8d74ba32e87a4dae20733b185f323e555438ed77cb5

memory/1996-125-0x0000000000360000-0x0000000000368000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\oxzuxtch.cmdline

MD5 f491a0fd20d24faa35209829820e6811
SHA1 f83a8126239a5c1b031278b5fc26371ee1ac47d4
SHA256 461e20ffdd9a58306f7a9f32cfdf727b4f9e3e3a224a61aac0edee1d35b5383f
SHA512 532e89a7d575dc1c7d6b3d7b21442182b4d96233342318c308f79cb15b57197a72ef554ca666a307d1280ab5a2ad38ec7eebbddb8b04fde645c60f11d6b7e78b

\??\c:\Users\Admin\AppData\Local\Temp\oxzuxtch.0.cs

MD5 3e5b87984124fc03daaca9326ddcc12d
SHA1 f246f38447bcc0324bfbe58c24cd1ad240334116
SHA256 13b9bbb1a3dd8504c40694b9ad21703957346843100ec6469d33112f6e075751
SHA512 81e7522a27a5cd9d1b4a99735dacdd6513578f6b2c3f8419f9ac80f9dfef7a27f7943abf40cd2b2c121181077606296abf757d3c396b024d110f6ae724db8ce1

\??\c:\Users\Admin\AppData\Local\Temp\CSC3469.tmp

MD5 05b67a6ada9985ee04cf7fd7da81dd4b
SHA1 16cda6385d5c343b3446ca1536329bf54ebce0a8
SHA256 e4cab1e0c805ba2bf48d4582a9b8c26ecdf4f18267a51effd6e599073f957f37
SHA512 18f451000b4955d01ac42b0552c802dde7fca4c4e8ca54ab8604c44c3a8cd1d2205e1fe8bc3686ae63f7ba494f1be7ac72a8312d72f9c4a3f93adaaa43824266

C:\Users\Admin\AppData\Local\Temp\RES346A.tmp

MD5 98eafbd4f765c5d94cf8519e1ebb1e12
SHA1 324376c79e7811340d44b6904aaa19f58c0ac5e5
SHA256 d68ee87045bc562882bc12890c5063dc177cea5b2223f896d090dc3237c7bf5d
SHA512 b96749b0447a92b3470f972649dc6bc21101b7208fa249cf9234880d0339f79d2ca7e4209fc884882490da445e4bdecb6628414a1496fd38bb29cdf0357e0ff1

C:\Users\Admin\AppData\Local\Temp\yfgyhxa934.exe

MD5 830042debf8f6eabc76dd7eb32fc0668
SHA1 5bf292dce67fb4b4bc90554c5ddb65e87ad079e6
SHA256 394d579ff963ef4a7a4d2fc70560689f3876b0acf476817de37a1e403809e926
SHA512 71cbaa3962a4f4f50b6a8f13f88291f2db9747d0ff7b0fa52171c99ead95b231c41e50ff05dd5719c89512c1ce361770edbd81630ee605863ec5e15d5511870a

memory/1996-139-0x0000000000610000-0x0000000000636000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\lxmfrqtv.cmdline

MD5 c1f3f9a7bd94a34939d48b1f6aef100e
SHA1 67155277058b11dfb0a5bc581a832e4d3ea38231
SHA256 0e25a234d4af5764cf5cb8816388c71d9d1c2c6d914028c949ea8aaa7fd08bdd
SHA512 6c8af6823ad987bb9ab6c8504047d6101948bf935c2b50e532153364cbeb3181168c5a7a617a98876f7321f2e78e2a2d3cba46a00fb6ed435bfbe723f43581ce

\??\c:\Users\Admin\AppData\Local\Temp\lxmfrqtv.0.cs

MD5 cbe21a47a5e28ff1c9a9b4efdb6e3099
SHA1 202bfbbaaa4df87f21ec228a0e30923de57dfa59
SHA256 202fadc38d5c6d3ad2779a95107cf426e96356fa2a752acdf3ecb5422a3164cc
SHA512 e8d00adc96f0f65d7e9b4369ec35e64eb7ab9f0996af48d4f2a586bff67048361bceac71564b223f8e5ca0ca419bdbd6111633bc85c8d9b44d23a6486f992697

\??\c:\Users\Admin\AppData\Local\Temp\CSC34A7.tmp

MD5 9b390721f7593eda13efdc8d1564d7f3
SHA1 74314585fffafc2c0f27d53ecc35c62dd7d735d0
SHA256 5d7b8ec20857692c715ba3c48285d57e709559bc1883bff88cec674d46183122
SHA512 c242adcab0a26fd2f528cc0dd859e920a2e70c7db30b081ed43cf3a14572f2f197c50662a70bc8d4dc1d7b24f3c940475ba3ca7068f6c531e9b6467263c80920

C:\Users\Admin\AppData\Local\Temp\RES34A8.tmp

MD5 36abdf82482fe43a9088fe460293391d
SHA1 79c0f87207f10854a72a01d7b403c88a32a63a9c
SHA256 e2f008fec2177321018bc1cec0850456e394c48f56aa5ce9195e2d97d478a482
SHA512 138327c6792bedafc824124caa21ba9cdfa3a79675cbb4a238859e8ec4593e8992547663948e09f0e525c606087face05b3bb22801f00c63786f8a960da52747

C:\Users\Admin\AppData\Local\Temp\mnjaqcm1598.exe

MD5 d35892eab1fabcec478654545ae3d4c2
SHA1 d5cde93f124bab00785030f570e54b9ad31e8e66
SHA256 3b4132082b9552e12d244efcf1f6b51c2c24d2dc560ea2090e68c7e1e151e3bf
SHA512 6785a9aa723190c5e66acffea64b6fa397e65ad1963b3c9af31379f4c2e71cfa154b019a15e280ab226de7ffe495caa4755c12a26328966c24e4ada9a3f90227

memory/1996-153-0x00000000003B0000-0x00000000003CC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2jamua-y.cmdline

MD5 b5cea5f0d28c133120b2a4c77c28ceb7
SHA1 6e8af667f3280b0e830cac5bef449565276019a9
SHA256 9974b97f0ae349b8a95e74a99112dc234ecdcb056d9432ebbd16c729676b253d
SHA512 2922be92e03c96835a980b230314f7872f79cca88210ec495a1cf37e66f5f5bf3a1a51a23a86d6b19ddd6fde25fbd42540ace511bc1a0b15180177b907fae5b9

\??\c:\Users\Admin\AppData\Local\Temp\2jamua-y.0.cs

MD5 e83b063d2cc0e101c46b5e47ded0bbd5
SHA1 a685900a87a95e21305a9625fbdb3b0e1c3c9514
SHA256 391f35eabe979548893af99fc9645fbba611e4dc9c46ca50525e5a183f925df7
SHA512 f5d08e21b8cc7c0e7d74c0f7056780e05cda6f6ef0c621e35e0289f40acd31cc32fba1e0d1150c26257be52132b1bf1971476ba0aad64f050a52b044848496af

\??\c:\Users\Admin\AppData\Local\Temp\CSC3514.tmp

MD5 784045c3843b13db7ea264bf70154f94
SHA1 a300640b2dbe2f7f7ad2e193c5f5be8f4b886f0f
SHA256 fa2c166249a1964f91e9b1c7079dcaec36f51b316b1166289710bcad8933d239
SHA512 6b36a9e152a6a1aaa5c24d3b5917b0f39f61bd7c09af6c9cfadf729b364760c14dfc95e5b6f78c9ec8c3ac36bb8767141d57badae1bf9a0998218eaab8094d5f

C:\Users\Admin\AppData\Local\Temp\RES3525.tmp

MD5 285314e5e517fa467b03d7a76ae8f9d9
SHA1 6ff18274057d3c189c50af18144073cb9333897c
SHA256 8b53c765a28ccaa78f5f4c09a0f7590da10f086a68b4af612d9136e1a7d8657e
SHA512 2e6d8d3862d12b5a2cd7a60571211708c9a5c30bb6738a2b1c1ffb34a461727a65c27f644ed1594781494068e5b327a73213ac1fcedf51340d1758f7e318d401

C:\Users\Admin\AppData\Local\Temp\krtnbkk67.exe

MD5 94689be646d5e3aa21c09b3d1d2d4bd2
SHA1 579eb0809ad4a1e4ceef7bf912c88cc39dc926b9
SHA256 9398573d9d74bff570441aa024ea894670c5f06b7f767af076edd80e80d24d60
SHA512 89bbd4011fcec1d9991afb5e82c1147fd09160dd4628e3c4edeb8bb9340048e60b80f6da9a4e0b30e260386e9747e66673fb4bb3d0aa050bfd7455946f094569

memory/1996-167-0x000000001BF00000-0x000000001C00A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zln05jij.cmdline

MD5 5cbf68c59408b8d4db1a230606b22b0c
SHA1 48216b22f948b20dfe560b8c527396e1eb1bc342
SHA256 855e50c669ab3c9a4c95df32d278d8250c7875afdb91d159c108a8d6341c3dc3
SHA512 a03e53e573ed783ed23a989b9bf5a217c43f444c85a17c0c9e9dc1a2596ab3fd08ab6ad05526ebf574a102fed7ee4d74347859cb38135a643e10caa525472610

\??\c:\Users\Admin\AppData\Local\Temp\zln05jij.0.cs

MD5 7075206dd60b21611ceb1a3eed0213d1
SHA1 0ce44b0de20058f7e23a42ae9038f2b7dd207c35
SHA256 f53876b3127c2abb90662741f9859dffa9768e4db669e4cc9ca7e1248c4abd71
SHA512 fc80bfae0e51354b1d5854034787a006a34d6d69b07ec80ce34c0fb833d8e31cf6b22b7a2111abaf7692e83616e96e4060b2385f34321e720e6a2c3d8f575028

\??\c:\Users\Admin\AppData\Local\Temp\CSC362D.tmp

MD5 9bde53c16bddcb059086a896d33244f1
SHA1 52cab7cfbb00ec56dfcbfd51abf952621071b498
SHA256 a8add0d5b27a2f02b13c0c1168561c2f9fc0709bdbd6d444aa54674bcf65e62c
SHA512 895a46f79ab7b5d14efe3b7eec9946c8acf8cfe0ada03dc75d0e5e51ca616edaf628825d93923ce75536d924a5c1c177e354b73bc1d121a573a5c56857328189

C:\Users\Admin\AppData\Local\Temp\RES362E.tmp

MD5 7190e2f5fa49a05409ccb446c12c3dc8
SHA1 604c67db7d370d1248d646c507f482770b6cae1a
SHA256 4196f87f520c7adee8a107e383230bf0db4c4c05da044622710a851d849911d9
SHA512 aab6bbd92c9b08dca5c2eeccc49dce5d811fddf3aaf43c9a398690dbabb10ae679784f27c5122f14521f5d934c97f47e294fe5f5251ab36a52e49169ce94dbf2

C:\Users\Admin\AppData\Local\Temp\dfnygwu1893.exe

MD5 957181a115c79f32d8b27aefd9807e41
SHA1 ed12ade0f4eb3637c2d5f2d6a462c716295a3dac
SHA256 1bbd8c0627f5e2c5cdf3da0c3180453a10b5008aa81e9f0fb6e5136dd55f6140
SHA512 7f15b31940784195bad1d8a2c5bad2ef52daa57ee1cd051f9dd681e79b29e681e0796ba84da60ea21cd23497c9a0b461b12d548cae70bd404344788229530f35

memory/1996-181-0x0000000000360000-0x000000000036C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ezxqshkk.cmdline

MD5 0930ce11d262956ac37931779b872905
SHA1 0051a2574e5c76a805693c46a4f90c0e1d765040
SHA256 1241a04fd2ece150426821585eaf6d8034fb5735551ad9d64a5d1a0819c0f13c
SHA512 36b27a9ba5c8158c10862401d5b657c177ba1621d0d0579d6e10fb927b682e0cd6e061491e5c4d2a8923dc6dcebf866ebf7bbaa5392fdef5729216268152af51

\??\c:\Users\Admin\AppData\Local\Temp\ezxqshkk.0.cs

MD5 5cc58c4897f1845f11bdd55e162e48ed
SHA1 64953ed5d4ad82c4c1c1b01c26d1e83f3a1dacc2
SHA256 0ba07edf4c798f00012b3cce42a57e9443cbc565b539a99acab36d0d5317e01d
SHA512 c475d9ae086a794b4ba012ceca6a3fc3cbd2f27da0e67019fe5bc6a4b7a1301b639eb5a1afdd2cb839544087b1acc644a470b3e52f1b0bb0cf7e4b665d4d10c5

\??\c:\Users\Admin\AppData\Local\Temp\CSC36AA.tmp

MD5 482c1557fa9f5dbd4ea440bd3d4c2210
SHA1 8f19039549d528f77f5c404c39da38adbe114bc3
SHA256 92fb3b6e914975be21e759fda872f2edf14b5574da9b75a5e661d63d1fdb8f70
SHA512 3cec326f8ac15570fdedc7a45086325a98441cb23a11fbfd9f22891c054f4e0c644819257ff4705036575613c206b522e1a90cf1cab562253064a6e3f4103192

C:\Users\Admin\AppData\Local\Temp\RES36AB.tmp

MD5 9590fdfde65340f8e28c253cc18b5328
SHA1 d18fea1b38f4b1b85d610062f61fa564e4cb9eba
SHA256 5ec6892115501bc9f9bd67ad5a90b2c25daab91f4399e8c870cd3163aefd5e24
SHA512 afe60e9a5feb0e2d5ec7bc5ea261080a21a2cb7f44ef9e57d1680e89c05bb4aebdfadf5efde23018e138c9867d11b6bc896668bd5b495a725d91d7d98d57a16e

memory/1996-194-0x00000000003B0000-0x00000000003D0000-memory.dmp

memory/1996-203-0x0000000000610000-0x0000000000636000-memory.dmp

memory/1996-256-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:19

Reported

2024-06-04 01:20

Platform

win10v2004-20240508-en

Max time kernel

25s

Max time network

14s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\TsWpfWrp.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\SysWOW64\TsWpfWrp.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_10.0.19041.1_none_e51212a36c631d23\CasPol.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_10.0.19041.1_none_c9157ddc38b83b1b\aspnet_regsql.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_9202844cd514ab44\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_installutil_b03f5f7f11d50a3a_10.0.19041.1_none_f4b2fffd9da4c90a\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\AddInProcess32.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_10.0.19041.1_none_82a36c559596820a\aspnet_regbrowsers.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3540 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4068 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4068 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3540 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3208 wrote to memory of 2212 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3208 wrote to memory of 2212 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 980 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1588 wrote to memory of 736 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4592 wrote to memory of 3832 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 8 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1724 wrote to memory of 4524 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 552 wrote to memory of 3976 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2916 wrote to memory of 412 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3372 wrote to memory of 2588 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3204 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1004 wrote to memory of 4304 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3820 wrote to memory of 1728 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1516 wrote to memory of 1396 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4448 wrote to memory of 3616 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3540 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4592 wrote to memory of 1764 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe

"C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\waoym8kk.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B14.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4B13.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\adcbo3wx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES598B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC598A.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t5ivymwt.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B9E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5B9D.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gdbipprv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C2B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C2A.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mwoioxsy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D53.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D52.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mywd4znw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DE0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5DDF.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxkuj9c5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EEA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5EE9.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8qx5j6y6.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F96.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F95.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uqq4pdhu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC60EC.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3hvr0mwu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6543.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6542.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ac5qvxzh.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65FE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC65FD.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3rj1bhvi.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6699.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ieqpti1q.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6727.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6726.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t-ijqja5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67A4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC67A3.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gh4dth5d.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6811.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6801.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k_6hgsuu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES687F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC687E.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mi-02bep.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68FC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC68FB.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qavsqdfh.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6988.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6978.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e36gkuj5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A15.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6A04.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcff1kyi.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AA2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6AA1.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eng-mf_w.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B4E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6B4D.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9vqnlvb0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BEA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6BE9.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\feylwdkt.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CA5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6CA4.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-oio7htn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DCE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6DCD.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\525n0sx9.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E99.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6E89.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wzwibvb5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6F15.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9jm1wx6h.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FB3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6FB2.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mf-0po08.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES705E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC705D.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ktgadvcd.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70FB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC70FA.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jd3le7hh.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71B6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC71A6.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kufe6obn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7233.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7232.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvxa8nap.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES732D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC732C.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a48qamdw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73BA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC73B9.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vojdmg9c.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7427.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7426.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q9tlnxwg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7495.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7494.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psyqxk5r.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7550.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC754F.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fgfhirz7.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75CD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC75CC.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\woxuafhi.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7669.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7659.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w6mublk2.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76E6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC76D6.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtpmhjlc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7754.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7743.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bmfftmbv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77C1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC77C0.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w6qcgsax.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES783E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC783D.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y6tsmuaq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78F9.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utaqvkg1.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7996.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7995.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cii7hfhh.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A32.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7A31.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bckp_a_d.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ACE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7ACD.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\czyjbqye.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B6B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7B6A.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\htx6olgg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7C15.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v3xigfws.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CB3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7CB2.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aoohl6eq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D4F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7D4E.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\crsonvqn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E0A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7E09.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ddeuy3tl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EB6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7EB5.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\13ozdw3k.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F62.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7F61.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trfgf1ke.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FD0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7FCF.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lrb_dt4l.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC86E3.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7s39k6xm.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D3D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D3C.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kcancsmq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A5C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9A5B.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\loi_diak.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AF9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9AF8.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7geyg5xu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B76.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B75.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qsphs0h.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BF3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9BF2.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ieuk8sy7.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C7F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9C7E.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vryoxgzm.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA29A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA299.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\waoym8kk.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\waoym8kk.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC4B13.tmp

C:\Users\Admin\AppData\Local\Temp\RES4B14.tmp

C:\Users\Admin\AppData\Local\Temp\aqodjcq254.exe

\??\c:\Users\Admin\AppData\Local\Temp\adcbo3wx.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\adcbo3wx.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC598A.tmp

C:\Users\Admin\AppData\Local\Temp\RES598B.tmp

C:\Users\Admin\AppData\Local\Temp\jcewynx1507.exe

\??\c:\Users\Admin\AppData\Local\Temp\t5ivymwt.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\t5ivymwt.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC5B9D.tmp

C:\Users\Admin\AppData\Local\Temp\RES5B9E.tmp

C:\Users\Admin\AppData\Local\Temp\rnyhsqv1246.exe

\??\c:\Users\Admin\AppData\Local\Temp\gdbipprv.0.cs

C:\Users\Admin\AppData\Local\Temp\RES5C2B.tmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC5C2A.tmp

\??\c:\Users\Admin\AppData\Local\Temp\gdbipprv.cmdline

C:\Users\Admin\AppData\Local\Temp\hahmmez147.exe

\??\c:\Users\Admin\AppData\Local\Temp\mwoioxsy.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\mwoioxsy.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC5D52.tmp

C:\Users\Admin\AppData\Local\Temp\RES5D53.tmp

C:\Users\Admin\AppData\Local\Temp\rxqxcak1051.exe

\??\c:\Users\Admin\AppData\Local\Temp\mywd4znw.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\mywd4znw.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC5DDF.tmp

C:\Users\Admin\AppData\Local\Temp\RES5DE0.tmp

C:\Users\Admin\AppData\Local\Temp\klvkizd456.exe

\??\c:\Users\Admin\AppData\Local\Temp\uxkuj9c5.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\uxkuj9c5.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC5EE9.tmp

C:\Users\Admin\AppData\Local\Temp\RES5EEA.tmp

C:\Users\Admin\AppData\Local\Temp\bjwslgx1632.exe

\??\c:\Users\Admin\AppData\Local\Temp\8qx5j6y6.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\8qx5j6y6.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC5F95.tmp

C:\Users\Admin\AppData\Local\Temp\RES5F96.tmp

C:\Users\Admin\AppData\Local\Temp\srkbfjp1222.exe

\??\c:\Users\Admin\AppData\Local\Temp\uqq4pdhu.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\uqq4pdhu.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC60EC.tmp

C:\Users\Admin\AppData\Local\Temp\RES60ED.tmp

C:\Users\Admin\AppData\Local\Temp\guvwsyg867.exe

\??\c:\Users\Admin\AppData\Local\Temp\3hvr0mwu.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\3hvr0mwu.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC6542.tmp

C:\Users\Admin\AppData\Local\Temp\RES6543.tmp

C:\Users\Admin\AppData\Local\Temp\jycxsbp1347.exe

\??\c:\Users\Admin\AppData\Local\Temp\ac5qvxzh.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\ac5qvxzh.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC65FD.tmp

C:\Users\Admin\AppData\Local\Temp\RES65FE.tmp

C:\Users\Admin\AppData\Local\Temp\jswrxyc1905.exe

\??\c:\Users\Admin\AppData\Local\Temp\3rj1bhvi.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\3rj1bhvi.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC6699.tmp

C:\Users\Admin\AppData\Local\Temp\RES66AA.tmp

C:\Users\Admin\AppData\Local\Temp\aajzrbv1495.exe

\??\c:\Users\Admin\AppData\Local\Temp\ieqpti1q.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\ieqpti1q.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC6726.tmp

C:\Users\Admin\AppData\Local\Temp\RES6727.tmp