Malware Analysis Report

2024-10-19 08:44

Sample ID 240727-zxcflasdpa
Target Client.exe
SHA256 cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42
Tags
guest revengerat discovery persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

guest revengerat discovery persistence trojan

RevengeRAT

Revengerat family

Uses the VBS compiler for execution

Drops startup file

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-27 21:05

Signatures

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 21:05

Reported

2024-07-27 21:08

Platform

win7-20240705-en

Max time kernel

143s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

RevengeRAT

trojan revengerat

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Uses the VBS compiler for execution

The "VBS compiler" here is vbc.exe, the Visual Basic .NET command-line compiler shipped in the .NET Framework 2.0 directory, not a VBScript engine. RegSvcs.exe launches it repeatedly with /noconfig and a randomly named response file in %TEMP%, and each run spawns cvtres.exe with RES*.tmp/vbc*.tmp arguments (see Processes and the WriteProcessMemory table). That sequence is the footprint of a .NET program compiling source into an assembly at run time through System.CodeDom.Compiler; the report does not show the source being compiled.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Client.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.eu.ngrok.io N/A N/A (3 rows)
0.tcp.eu.ngrok.io is an ngrok TCP-tunnel endpoint: the RAT connects to a tunnel that ngrok forwards to the operator's machine, so the hostname and port are assigned by the service and identify ngrok, not the operator. Blocking or alerting should cover the whole *.tcp.*.ngrok.io name space rather than this single host.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A (31 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A (29 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A (3 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A (1 row)
The 64 identical rows are collapsed above by process. Reading NLS\Language is routine for compilers and other localized Microsoft tools, so on its own this signature is low-fidelity; its value here is that 63 of the 64 reads come from vbc.exe, cvtres.exe and RegSvcs.exe, the processes this sample drives.

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
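The Startup-folder drops, the Run value pointing into the user profile, the schtasks.exe launch, the vbc.exe response-file compiles and the ngrok DNS lookups in the tables above are each straightforward to match on endpoint telemetry. The Python below is an added example written for this page, not sandbox or RevengeRAT code: it encodes those five observations as rules over Sysmon-style event records and runs them on constructed events copied from this report, plus three benign events the rules must ignore. Two parent images are assumptions: the WriteProcessMemory rows show RegSvcs.exe as the parent of vbc.exe, but the report does not record who launched schtasks.exe, so RegSvcs.exe is assumed there too. The .NET utility list and the user-writable-path test are the editor's choices.

```python
"""Rules for the persistence and C2 indicators in this report (added example).

Event records are plain dicts shaped like Sysmon FileCreate, RegistryEvent
SetValue, ProcessCreate and DnsQuery events so the script runs offline.
"""
import re

# Paths taken from the behavioral1 tables of the report.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed sample: events 0-6 reproduce report rows (the parent image of
# schtasks.exe is assumed; the report does not record it), events 7-9 are
# benign noise that must not fire.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": REGSVCS, "target": STARTUP + r"\Client.vbs"},
    {"type": "FileCreate", "image": REGSVCS, "target": STARTUP + r"\Client.lnk"},
    {"type": "FileCreate", "image": VBC, "target": STARTUP + r"\Client.exe"},
    {"type": "RegSet", "image": REGSVCS, "key": RUN_KEY + r"\Client",
     "data": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"},
    {"type": "ProcessCreate", "parent_image": REGSVCS,
     "image": r"C:\Windows\SysWOW64\schtasks.exe"},
    {"type": "ProcessCreate", "parent_image": REGSVCS, "image": VBC,
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5z3rdjgd.cmdline"'},
    {"type": "Dns", "image": REGSVCS, "query": "0.tcp.eu.ngrok.io"},
    {"type": "FileCreate", "image": r"C:\Windows\explorer.exe", "target": STARTUP + r"\OneNote.lnk"},
    {"type": "RegSet", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "Dns", "image": r"C:\Windows\System32\svchost.exe", "query": "ctldl.windowsupdate.com"},
]

STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
NGROK_RE = re.compile(r"(^|\.)ngrok\.io$", re.I)          # n.tcp.<region>.ngrok.io and friends
RESPONSE_FILE = re.compile(r'/noconfig\s+@"?([^"\s]+\.cmdline)', re.I)
# .NET Framework utilities with no business writing Startup entries, launching
# schtasks or driving compilers from %TEMP% (editor's list).
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "vbc.exe", "csc.exe"}


def basename(path):
    """Lower-cased final path component; tolerates quotes and either slash."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    """Crude test for paths an unprivileged user can write (editor's heuristic)."""
    p = path.strip('"').lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def suspicious_writer(image):
    return basename(image) in DOTNET_UTILS or is_user_writable(image)


def rule_startup_folder_drop(ev):
    if ev["type"] == "FileCreate" and STARTUP_DIR.search(ev["target"]) and suspicious_writer(ev["image"]):
        return {"rule": "startup_folder_drop", "detail": f"{basename(ev['image'])} wrote {basename(ev['target'])}"}
    return None


def rule_run_key_user_path(ev):
    if ev["type"] == "RegSet" and RUN_KEY_RE.search(ev["key"]) and is_user_writable(ev["data"]):
        return {"rule": "run_key_user_path", "detail": f"{basename(ev['key'])} -> {ev['data']}"}
    return None


def rule_schtasks_from_suspicious_parent(ev):
    if ev["type"] == "ProcessCreate" and basename(ev["image"]) == "schtasks.exe" and suspicious_writer(ev["parent_image"]):
        return {"rule": "schtasks_from_suspicious_parent", "detail": f"parent {basename(ev['parent_image'])}"}
    return None


def rule_runtime_compile(ev):
    """vbc.exe/csc.exe fed a response file from a user temp directory by a
    suspicious parent: the System.CodeDom.Compiler run-time compile footprint."""
    if ev["type"] != "ProcessCreate" or basename(ev["image"]) not in {"vbc.exe", "csc.exe"}:
        return None
    m = RESPONSE_FILE.search(ev.get("cmdline", ""))
    if m and is_user_writable(m.group(1)) and suspicious_writer(ev["parent_image"]):
        return {"rule": "runtime_compile", "detail": f"{basename(ev['image'])} @{basename(m.group(1))}"}
    return None


def rule_ngrok_tunnel_dns(ev):
    if ev["type"] == "Dns" and NGROK_RE.search(ev["query"]):
        return {"rule": "ngrok_tunnel_dns", "detail": f"{basename(ev['image'])} resolved {ev['query']}"}
    return None


RULES = [rule_startup_folder_drop, rule_run_key_user_path,
         rule_schtasks_from_suspicious_parent, rule_runtime_compile, rule_ngrok_tunnel_dns]


def run_rules(events):
    """Apply every rule to every event; return the list of findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

Run as-is it prints seven findings, one per report-derived event, and nothing for the three benign events. The path test is deliberately crude; in production replace it with the actual ACL check or your EDR's integrity-level field, and tune DOTNET_UTILS to the build tooling that legitimately runs on the estate.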

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2716 (12 rows) N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2716 wrote to memory of 2792 (12 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2716 wrote to memory of 2056 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2056 wrote to memory of 876 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2716 wrote to memory of 2936 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2936 wrote to memory of 2832 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2716 wrote to memory of 2800 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2800 wrote to memory of 2124 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2716 wrote to memory of 1628 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1628 wrote to memory of 1800 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2716 wrote to memory of 2344 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2344 wrote to memory of 2116 (4 rows) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Identical rows are collapsed with their count; the sandbox logs one row per WriteProcessMemory call. The table as extracted stops after the fifth vbc.exe/cvtres.exe pair, whereas the Processes section lists 26 such pairs.
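The counts in the WriteProcessMemory rows are the useful part: twelve writes from the user-path Client.exe into a freshly started, Microsoft-signed RegSvcs.exe, twelve more from that RegSvcs.exe into a second RegSvcs.exe, and only a handful from each RegSvcs.exe or vbc.exe into the compiler child it just spawned. Taken with the "Suspicious use of SetThreadContext" entry in the overview, the two twelve-write edges are consistent with RunPE-style process hollowing into a trusted .NET host, which is also why the persistence and C2 activity above is attributed to RegSvcs.exe rather than to Client.exe. The Python below is an added example written for this page, not sandbox or RevengeRAT code: it parses rows in the sandbox's "PID A wrote to memory of B" format, collapses repeats, labels each writer-to-target edge and walks the hollowing chain from the root writer. The sample rows are copied from this report; the host list, the write-count threshold and the reading of the low-count compiler edges as ordinary process start-up rather than injection are the editor's assumptions.

```python
"""Collapse and label sandbox 'wrote to memory of' rows (added example).

The sample rows are copied from this report's behavioral1 WriteProcessMemory
table; the sandbox emits one row per WriteProcessMemory call, hence repeats.
"""
import re
from collections import Counter

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+\.exe) (.+\.exe)$")

FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE_ROWS = (
    [rf"PID 2660 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe {FW}\RegSvcs.exe"] * 12
    + [rf"PID 2716 wrote to memory of 2792 N/A {FW}\RegSvcs.exe {FW}\RegSvcs.exe"] * 12
    + [rf"PID 2716 wrote to memory of 2056 N/A {FW}\RegSvcs.exe {FW}\vbc.exe"] * 4
    + [rf"PID 2056 wrote to memory of 876 N/A {FW}\vbc.exe {FW}\cvtres.exe"] * 4
)

# Microsoft-signed .NET Framework utilities commonly used as hollowing hosts
# (editor's list, not the sandbox's).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
COMPILER_TOOLCHAIN = {"vbc.exe", "csc.exe", "cvtres.exe"}
FRAMEWORK_DIR = r"c:\windows\microsoft.net\framework"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(lines):
    """Return {(src_pid, dst_pid, src_image, dst_image): write_count}."""
    edges = Counter()
    for line in lines:
        m = ROW.match(line.strip())
        if m:  # header lines and rows the pattern cannot read are skipped
            src_pid, dst_pid, src_img, dst_img = m.groups()
            edges[(int(src_pid), int(dst_pid), src_img, dst_img)] += 1
    return edges


def classify(src_img, dst_img, writes, min_writes=8):
    """Label one writer -> target edge (the threshold is the editor's heuristic).

    hollowing: a writer from outside the Framework directory writes many times
               into a signed .NET host: headers, each section, then the
               PEB/thread context, which is the RunPE sequence.
    relay:     a .NET host writes into another .NET host instance, i.e. the
               hollowed process hollows a second one.
    toolchain: a few writes from a parent into its own compiler child; the
               sandbox logs these too, and the editor attributes them to
               ordinary process start-up rather than injection.
    """
    src, dst = basename(src_img), basename(dst_img)
    src_in_fw = src_img.lower().startswith(FRAMEWORK_DIR)
    if dst in DOTNET_HOSTS and not src_in_fw and writes >= min_writes:
        return "hollowing"
    if dst in DOTNET_HOSTS and src in DOTNET_HOSTS:
        return "relay"
    if dst in COMPILER_TOOLCHAIN:
        return "toolchain"
    return "other"


def injection_chain(edges):
    """Walk hollowing/relay edges from the writer that nobody wrote into.

    Assumes one hollowing/relay edge per writer, which holds for this report.
    """
    links = {}
    for edge, writes in edges.items():
        if classify(edge[2], edge[3], writes) in ("hollowing", "relay"):
            links[edge[0]] = edge
    targets = {edge[1] for edge in links.values()}
    chain = []
    for root in (pid for pid in links if pid not in targets):
        edge = links[root]
        chain.append(f"{basename(edge[2])}({root})")
        while edge is not None:
            chain.append(f"{basename(edge[3])}({edge[1]}) [{edges[edge]} writes]")
            edge = links.get(edge[1])
    return chain


if __name__ == "__main__":
    found = parse_rows(SAMPLE_ROWS)
    for (src_pid, dst_pid, src_img, dst_img), n in sorted(found.items()):
        print(f"{src_pid:>5} -> {dst_pid:<5} {n:>2}x  {classify(src_img, dst_img, n):<10} "
              f"{basename(src_img)} -> {basename(dst_img)}")
    print(" -> ".join(injection_chain(found)))
```

On this report's rows the chain comes out as client.exe(2660) -> regsvcs.exe(2716) [12 writes] -> regsvcs.exe(2792) [12 writes], and the four compiler edges are labelled toolchain. The same parser works on any sandbox export that keeps the row wording; the path groups are greedy so image paths containing spaces (such as the Start Menu\Client.exe of the second chain) still split correctly.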

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5z3rdjgd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8DDE.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afxe9xzm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F06.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\37in9maw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES906E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc906D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8qhfn6si.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9232.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9231.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmv5sdgr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES932C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc932B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adkdf12j.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9454.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9453.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhdvnbaf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9609.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95F9.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eji4f_4f.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9760.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc975F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkuhkk-v.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98B7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v89bsdes.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A3D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-ctrdgls.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BC3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zl_6fcrp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D58.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yjneypjm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ED0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9ECF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w7js2-mz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FD8.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_jrawm-q.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA14F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA14E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\twr3hdx8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA296.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6jtkvwxz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA41D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA41C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-itskbso.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA526.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA525.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u99bhkxz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA795.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oo9ekpnx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8AE.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmw4nmgy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA989.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA988.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ic04u5t.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAB2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA91.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\noid8s_e.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABDA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABC9.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tio8we8n.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD4F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jhgl6pvk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE87.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nkoeq1ar.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB02E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB02D.tmp"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s9bmyvxp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3FDE.tmp"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dgf8hds9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4136.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4135.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6fjd7_so.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES425E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc425D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eytb3uxi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4319.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4318.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hr3ba3xv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44AE.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\myx8xs-h.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45E6.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n_92kyl1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES476D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc476C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jcl9xzm6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4941.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4930.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m1zow24v.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A49.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yf5cs5f5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B72.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s3uxjngo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CDA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CD9.tmp"

C:\Windows\system32\taskeng.exe

taskeng.exe {54162E4D-6B1C-4004-96FE-8E34393FA2D4} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.158.249.75:8848 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:8848 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:8848 0.tcp.eu.ngrok.io tcp
DE 18.158.249.75:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.124.142.205:8848 0.tcp.eu.ngrok.io tcp
DE 3.124.142.205:8848 0.tcp.eu.ngrok.io tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 21:05

Reported

2024-07-27 21:09

Platform

win10v2004-20240709-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

RevengeRAT

trojan revengerat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Client.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 400 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 400 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 400 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 400 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 400 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 400 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 400 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5008 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5008 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5008 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5008 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5008 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5008 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5008 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5008 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5008 wrote to memory of 3604 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 3604 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 3604 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3604 wrote to memory of 4172 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3604 wrote to memory of 4172 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3604 wrote to memory of 4172 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5008 wrote to memory of 2824 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 2824 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 2824 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2824 wrote to memory of 2356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2824 wrote to memory of 2356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2824 wrote to memory of 2356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5008 wrote to memory of 4864 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 4864 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 4864 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4864 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4864 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4864 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5008 wrote to memory of 404 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 404 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 404 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 404 wrote to memory of 1788 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 404 wrote to memory of 1788 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 404 wrote to memory of 1788 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5008 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4804 wrote to memory of 3388 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4804 wrote to memory of 3388 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4804 wrote to memory of 3388 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5008 wrote to memory of 3628 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 3628 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 3628 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3628 wrote to memory of 4260 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3628 wrote to memory of 4260 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3628 wrote to memory of 4260 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5008 wrote to memory of 1064 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 1064 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 1064 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1064 wrote to memory of 1068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1064 wrote to memory of 1068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1064 wrote to memory of 1068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5008 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5008 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1492 wrote to memory of 4228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1492 wrote to memory of 4228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1492 wrote to memory of 4228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tx_3nxxj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DB7E5BDE8704F16AC2FC1D849A5782.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2j1alvdm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc121F6A6089EB49019935FCE756FB50CC.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rfvkhhoj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A457A0252A6466998BCFB2BE02A551F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x_2e2kwe.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA79B9A91A9D48CEAE9B39D72AA4786.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9k9agqvu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES414A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D4D484C489144E0B057D89C9B731D2E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r3k6k4ha.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES436D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFDE3D297174448EAA5A9A701F1D96F5.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ubqc4dw4.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4541.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3B6C75C95CA45CE93283B50D0578F23.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o_np6yby.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc259F23E86514A02A91B16569D98B669.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y4hqktk5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDDA26D2097AE4282898862ADBD54C74.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cggrkb4g.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC93E9BE37A814A21AE35A026723F9D5B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sxcjwx11.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc798D2D55C7124A8EA3882376473DC7FF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5nmb5cg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D0FE588AB744C40A9B47C4984D593F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2-bwft4o.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5196.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2AA81C6B6A64D79ABCCDAE08B6274CB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dovcpapm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES535B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F6FF0B1FC5946EEABBC1DB0975FAC5C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stxhojmp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5501.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD71AD89BB92403BBF867C54CC9573.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x6fjfmh9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5781.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7AE2D1EE78A4C7C938B6092861136AA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qfz39_jw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc486FC0DAFF34240BD9E9EBB7FDE779D.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dfdwlrpg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7159722BDA94D958BAA64D222D77B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ejvol3ao.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66853ECBD34432B92283250182D9294.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4uhsw-p1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7357455B3D8341EAB6728C22E620F61F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\orpoe0l9.cmdline"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBC97853E1E040A3AF7CB325417B58AA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ilcspff6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zbv48tvd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F0F5DB3DB1D41A2B1462E5197A95D3A.TMP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x16d6uzc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40A9B00E8770497E9ABB3DDC2A40B772.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9yvbpqkc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1B4D572B6A44AAB0874DF6B2E34.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oh9atfdr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES219.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA81D7386BA24347B7756CCE299CBDB1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mj5ap8gl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87AD159ADF9346F3831EF55DF1729FA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ajbymlts.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES601.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25DEC36FCFF443AB8C51DA8A7DE44891.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdr0-eyp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES882.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc639D73C8F6874F39A766A28F3FDBD9DD.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nsr1q2gc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA28.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DAC37A2D69D406083C9F55B751F312A.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-bwmhux.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43F3992CC78A4991A2F0AA53296B21CF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdaxkxx6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80797381E0694765B1B870672D58ACA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9b7z0qbw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc763B3E1A5A2A4F7BB2E3DB253C0814F.TMP"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.125.102.39:8848 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.158.249.75:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 18.158.249.75:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.223.134:8848 0.tcp.eu.ngrok.io tcp

Files
