Analysis Overview
SHA256
cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42
Threat Level: Known bad
The file Client.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Revengerat family
Uses the VBS compiler for execution
Drops startup file
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 21:05
Signatures
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 21:05
Reported
2024-07-27 21:08
Platform
win7-20240705-en
Max time kernel
143s
Max time network
161s
Command Line
Signatures
RevengeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Client.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2660 set thread context of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 2716 set thread context of 2792 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 1964 set thread context of 2092 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 2092 set thread context of 576 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5z3rdjgd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8DDE.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afxe9xzm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F06.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\37in9maw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES906E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc906D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8qhfn6si.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9232.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9231.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmv5sdgr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES932C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc932B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adkdf12j.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9454.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9453.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhdvnbaf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9609.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95F9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eji4f_4f.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9760.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc975F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkuhkk-v.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98B7.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v89bsdes.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A3D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-ctrdgls.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BC3.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zl_6fcrp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D58.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yjneypjm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ED0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9ECF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w7js2-mz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FD8.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_jrawm-q.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA14F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA14E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\twr3hdx8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA296.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6jtkvwxz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA41D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA41C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-itskbso.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA526.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA525.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u99bhkxz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA795.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oo9ekpnx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8AE.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmw4nmgy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA989.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA988.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ic04u5t.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAB2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA91.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\noid8s_e.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABDA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABC9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tio8we8n.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD4F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jhgl6pvk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE87.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nkoeq1ar.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB02E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB02D.tmp"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s9bmyvxp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3FDE.tmp"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dgf8hds9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4136.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4135.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6fjd7_so.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES425E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc425D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eytb3uxi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4319.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4318.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hr3ba3xv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44AE.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\myx8xs-h.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45E6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n_92kyl1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES476D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc476C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jcl9xzm6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4941.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4930.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m1zow24v.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A49.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yf5cs5f5.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B72.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s3uxjngo.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CDA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CD9.tmp"
C:\Windows\system32\taskeng.exe
taskeng.exe {54162E4D-6B1C-4004-96FE-8E34393FA2D4} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:8848 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:8848 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:8848 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:8848 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:8848 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.124.142.205:8848 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:8848 | 0.tcp.eu.ngrok.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\vwfRtNH.txt
| MD5 | bfbee1ccbe6981fafb1c7bff99680882 |
| SHA1 | 3866c915b8a7e0592f8728c89faf6bb4d5ecf002 |
| SHA256 | 74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235 |
| SHA512 | 6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e |
memory/2792-30-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2792-26-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2792-24-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2792-22-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2792-33-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2792-35-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2792-36-0x0000000073F80000-0x000000007452B000-memory.dmp
memory/2792-37-0x0000000073F80000-0x000000007452B000-memory.dmp
memory/2792-38-0x0000000073F80000-0x000000007452B000-memory.dmp
memory/2716-39-0x0000000073F80000-0x000000007452B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5z3rdjgd.cmdline
| MD5 | 2537ab5c3fc3b2a0a042471d0680f9cf |
| SHA1 | 1a3ce843256277d082af5c7059492b204fd07cfa |
| SHA256 | 97899e859ab0018b3a38933675c5df69ef5571d31c06a4f5512ce6e078eb5f17 |
| SHA512 | f7b078b4ca0e043653701f36888a62bedc30368efa6d5551612caf405bf8b8d0f16a33e30a4125f98856ed5ef496328b26693211f1d0f5c0fc59b32baff3a907 |
C:\Users\Admin\AppData\Local\Temp\5z3rdjgd.0.vb
| MD5 | 3c88d0389da097789f854d19e5a6851c |
| SHA1 | 9e0f6bb3a576bb0eaf7fa1384018e57b50401adf |
| SHA256 | b0c7beac256055e2a91713ef20ab4bc9eb5785e2a7cd30f64ab95fe37ff4d60c |
| SHA512 | 92799b8e42dd602cb9686820bc75136e26f2f356a731c23e3a3c5d9f65ff0b2325666aebd1f34f4ebf240eb047a11e9a37751f3fa3e30264738e6c113f8d9ead |
C:\ProgramData\Index\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbc8DDE.tmp
| MD5 | 6cefaf397ee40eb5c3df27193a26e399 |
| SHA1 | ab6097301a83d831b6b63acbaaec0285126f4ae5 |
| SHA256 | 43a6fa373945bde88b7cc7a083aa81c18e959815f79c4b304afcded5230789df |
| SHA512 | 30f4fadab57fbcd25e58c842a98583dc607c52c6a21ef346f63d4035c2d34243a11ce572cd401e6958262509bf91b71e02f56236c69f3c1f606f5720210cb9de |
C:\Users\Admin\AppData\Local\Temp\RES8DDF.tmp
| MD5 | 3139e880d751e2a754aa4ec1bb03ee29 |
| SHA1 | 0dbdca3922864f78b303fc55bcb1b318524c6796 |
| SHA256 | 1abe82a42fd53f24e79945aedb88442f7d6b7ad9f618dddc4747cbbbcf9c824c |
| SHA512 | c594084b812c719a78e2eb21c7638e84d8546874ebced3dc0d6c088d759be28c730f7b8813a938920385aed8adcff7d756f108be810dbb8776bbb488e64affd7 |
C:\Users\Admin\AppData\Local\Temp\afxe9xzm.cmdline
| MD5 | ce20329fe82bfc804042850316a5a2c2 |
| SHA1 | d749110d35278752a0a96d76de025e9db331b01c |
| SHA256 | 6e11355a2021c8445f0deae783bdc6ff30c3c90f50683aa310e56a80fb50d28b |
| SHA512 | ce16eecfde2316850029df40d5867c3e15a1956ea4a055c10f3eb409a36ab311e28e92db95116e17822ffdd62c008a9f763cc3002e6ecab12763fd8a7cb8924b |
C:\Users\Admin\AppData\Local\Temp\afxe9xzm.0.vb
| MD5 | 3fa7c020766873f8b58d109177c7d7a1 |
| SHA1 | 716be689ba29ba1493a617920c24fa6ef036ed5d |
| SHA256 | dfcfb090d3b80c08c34aa55028773778a8a745c2eef48d8c572b043fb421e3e7 |
| SHA512 | 1657d79d5bd7768984df780f71e9609c69fa58c7370eb5ee8122c97daf1a2c47fb0217f3f69e07f8fd0c51c8f8e078a00f8275eed3bbb02ec23ba092c47ec196 |
C:\ProgramData\Index\vcredist2010_x64.log.ico
| MD5 | cef770e695edef796b197ce9b5842167 |
| SHA1 | b0ef9613270fe46cd789134c332b622e1fbf505b |
| SHA256 | a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063 |
| SHA512 | 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f |
C:\Users\Admin\AppData\Local\Temp\vbc8F06.tmp
| MD5 | 1925b323c24d5e44f273b65bdf58f85e |
| SHA1 | 704e92b27adad5266b25a84b66491065e6a8e077 |
| SHA256 | f1109f98dcf21ba90f165c3062b89f8f730850c75cbb1ced23b75c7ea1443f63 |
| SHA512 | c3c03be1d12b8c3dd33fa234d60d0328bfc0ea2bfad160d825d5ebf8ef1511f66cd85c9b0d419e83b2ced52fe99ef0df992fea35b2cb912b60ef5635ac25e969 |
C:\Users\Admin\AppData\Local\Temp\RES8F07.tmp
| MD5 | 88ef457da2f098863cff35438d31a832 |
| SHA1 | cc3459dcf80faf62ebc66b5218d82382a22bd0c2 |
| SHA256 | 6874d1dc42ecd72d0b65235d7d0084132fa71c73756a6a3444355441cecf19d2 |
| SHA512 | 9cfb5f71c7ca74d87afe5dfd8d764601063d881353132309a29bf61c055754fa8c75e613c7ce101ad92c5b2069ef49648add686fe90763149a672812d4dafdda |
C:\Users\Admin\AppData\Local\Temp\37in9maw.cmdline
| MD5 | c51481ac8066a7aa5f7df30be9f00314 |
| SHA1 | 3f0e07afa5d29af7f7555c571805210dcbcc9671 |
| SHA256 | 32d4abbf18b32b343151c5ce6ec4cfa699188ee5c8660ef85287342ac342def0 |
| SHA512 | 9069b132bcf59b2ba47503a123f65990336bb3d7b9c40ae084e7f4ed1446f57605cd345223f0cd7c695ae7235cd914546aae88cd2b50ef351063c5e27e28783a |
C:\Users\Admin\AppData\Local\Temp\37in9maw.0.vb
| MD5 | a44396dac48f30ef8c8608531567fb83 |
| SHA1 | 905391559e0577fbc6cefd0d13eb10f9dbcd63c3 |
| SHA256 | 1ba098682cded71da604d1c99018e43622cf0bd8a609c0c6e2752e9ff1944b4f |
| SHA512 | 168ef2aa0bcc07f4e1a1f6652c8d459cd6c3c31ee579702e06977733da856419c9ebd1f2da06fdd185655dc464cd40183ddb32cfe0e960bc6104c64fdc9976fc |
C:\Users\Admin\AppData\Local\Temp\vbc906D.tmp
| MD5 | 2aa7b07c157877ad67f7d79b15da9ff6 |
| SHA1 | 451dad641b7b329378d0238e1d0c9a27d47a3f40 |
| SHA256 | 9f5688e5525be99764b3e610afa58af84e43191d524c99a196ffca8118e4f950 |
| SHA512 | 5a358cd9b6003a867c5c94e3ee0ec49a8cf04c313995fb3999f7cd5fbfc6dc2fdf52da181054aeeb6b05025e603110bda1f2440bbeb2c848698da412c7a695d3 |
C:\Users\Admin\AppData\Local\Temp\RES906E.tmp
| MD5 | 5e2b59906751ab63bed438f754815d79 |
| SHA1 | cfd3ca4f200339a11395d02d8dcadbe364e789fc |
| SHA256 | bc598cf4acfcac85488c49ac7c0892891f002808587158d4072ef97fd5768eb5 |
| SHA512 | 8804f75ee7febd323b6782909e1b6090ed944110bbde1cade622b472bbaebf7752a900233fa04a78537e1a2f5a47a905d4271ebf338b060130cbc8b6b0cee805 |
C:\Users\Admin\AppData\Local\Temp\8qhfn6si.cmdline
| MD5 | cd8d1876e38bebddd1ed55a9b6a5bdee |
| SHA1 | df96835219a79b5406a9529e4a4b54da03f226d7 |
| SHA256 | 6c6016ceddb2a3d3b4717a70af3d659b4c2e0b3e40dd112c13a87d596d6cbc65 |
| SHA512 | 88550f508b28a23ac4304da2c92ac4b0e8c4a071dbe9ff1cdc9487127807cfded41dd7ec102eb0647a1d465bfce415ddaa41473b2f945a3daad891ba91f7bd5d |
C:\Users\Admin\AppData\Local\Temp\8qhfn6si.0.vb
| MD5 | 55baa1a9cc195fdeb239fd42886466ed |
| SHA1 | 21d56bd00b7bdefb6fd1f2735f2249cde0812132 |
| SHA256 | 483fae1036126f05605dff2447307d8e840ff775f5cf7574fb5b0256beb95766 |
| SHA512 | 8dc014a020e6ecda766b1f58928b1d10a20c5ea2e3973e94d8c339ea772044e3898004b753b9ff4020b436c543206f4ab46468b789d08466136baf0812e81daf |
C:\Users\Admin\AppData\Local\Temp\vbc9231.tmp
| MD5 | 552cdad34f767fe9ceba407cfeaaa5f2 |
| SHA1 | 95291c8d45589e53428a2895b17c8c0f9d398eb4 |
| SHA256 | 69d9a6c71053bfda400ee50b358b31346621457181ba94ec8645f4df87f82f49 |
| SHA512 | b5e66fc5e7c782da773228e79872590354d39baadb57ae32b25d816d612d580056c8cb9b7a5dd07c0a82230e69f5672dd3329b04028ffec3e5a7c2a5ebea0ad0 |
C:\Users\Admin\AppData\Local\Temp\RES9232.tmp
| MD5 | 44c4f56d63806a203d3b11c4b06b4dc1 |
| SHA1 | c88927a8f371dcd75e3e91becb5b0b26f7ac81de |
| SHA256 | 3710833f0433a3dafd6b771f4ac50f82a4a0cdf8871ec38834ea7e21ebad5e80 |
| SHA512 | 744f7ff496a15dbcc6f6711afec6e5a281a3a9b05ad3e43d84a0796478b706982665a2becfcbe99930f9c4881a0e2d0808084a3cfe72643f2ee2c20fbc641ec9 |
C:\Users\Admin\AppData\Local\Temp\bmv5sdgr.cmdline
| MD5 | db6a7a9ef7d6ab5d78512eacc0501d15 |
| SHA1 | 82a87e89997aa33cb3c11d2a6a844551d01e4e2f |
| SHA256 | 7babcd725b9b33ac4aa1b311df2838ef2dceb0cf4bdc8e099bd81b652a23eb9a |
| SHA512 | 15436ace78f1f60b12ad2cfde53ca9fb3151fc7814411dded5969b54a0d05066bcb537e0db38bc9b27d41fc26d324c04dc6f92472a71ef8d8a269f53f1938538 |
C:\Users\Admin\AppData\Local\Temp\bmv5sdgr.0.vb
| MD5 | 78fa359ee91a0ac0453b7fa92df75649 |
| SHA1 | bab1cff88be95b883b900d06be9242e93fd25f94 |
| SHA256 | 37d2c292818dbc06626bd9fd12eb14a33ef65f82356cc9345ee449ba62fd4a52 |
| SHA512 | d6c2fa6abadd2588355225403713905d02ff19365bbf1e415df1bdd4aceeab35ba29767d09b072c513bb23a10779a5198cd6550ff9ab3e0e58bfccc9b2c5726e |
C:\Users\Admin\AppData\Local\Temp\vbc932B.tmp
| MD5 | 088c37d81dc5ad27664ac1097307b614 |
| SHA1 | b29acd60e4297267b798b78357fd6be2105fd395 |
| SHA256 | ba5b85970b94de08b3cf0d511d4e0df19b2452323a2402b2e103c7f619675b77 |
| SHA512 | 454a72332f3cc8e2aff4a2257101006f5d5d40eb9441f83b944542dcc98b1e41120609d75f53fa3a269b92797cf2f607961dcf517d3b4a5290025ea8a0657715 |
C:\Users\Admin\AppData\Local\Temp\RES932C.tmp
| MD5 | 5d7869b16b908bc6eaaafe9a7642951d |
| SHA1 | a115a952baf506b5545e02fde9084d6b4b89b569 |
| SHA256 | 6cc11fef09d5a79b803fd2240ee951f5536c206d4a344bd639bac93dda4e6056 |
| SHA512 | d093db8e9166834b39e679848c68a925c265a9ad8e7d05fb2465a5a46acf3386f9f1a99fbf69959465cb80d868531b0ee2eea7b1696ad00346be1cf75c352b09 |
C:\Users\Admin\AppData\Local\Temp\adkdf12j.cmdline
| MD5 | c846d6918d57b2f4a85d01449256a1b2 |
| SHA1 | 03a8ed60423ea2ea7623ec65f66e6e692f2bf4b9 |
| SHA256 | 0948f1b32e5eb3c51f36e04d56a9ed2338d8b687908831e2a296d1092a016651 |
| SHA512 | 9f3720fd63c697289b02d284cf755f6f7296d328ef2e9d171a43f6a13967631b6f823f8d8e1750d9b8500acc5c4cc4269662e3e55e6d2e987a20f80a12369504 |
C:\Users\Admin\AppData\Local\Temp\adkdf12j.0.vb
| MD5 | 4a447b73c91023eb6c863a34742dbfdd |
| SHA1 | 68fbb85cab50aaeaa9abedff254efba01892310a |
| SHA256 | b9d69dba98cd1d12c4a0ed06def7734936270924cb3847807f6f04f3d0fac242 |
| SHA512 | dfc531d34abadc872b5db88a087784181970d8cb5b958fe979e431dd2bd135c6699c738a61e26e7fd9674af90449fbcbf810b42e765b0add5d9d66ad6e83299d |
C:\Users\Admin\AppData\Local\Temp\vbc9453.tmp
| MD5 | 3ccbd45c6b0f194811118d4b7323362a |
| SHA1 | 4e1376f6cf4d183f7b29496e1419f9fbb3f9786a |
| SHA256 | 77d234f1c365f565425c5af9873bdc915bd6a81d69fee1fad8ddf01217bb32ee |
| SHA512 | ae3dbeea13020c3a68c53b0818a84973dea9d33e787675d0e2a42aa3988fe54e893a6eb113fe4bf7349ed7a9d2315adef1412d2f31f483df1dba65f1b5685968 |
C:\Users\Admin\AppData\Local\Temp\RES9454.tmp
| MD5 | 9f6c0ea244d11de0991d09f9fcee777c |
| SHA1 | 637bacd450ed8f94589fee65ed2a2da958bc5cec |
| SHA256 | 89603381509be84a3e3d9585543f73c98b70d1527b93cf8f06109cd077c34573 |
| SHA512 | d28af3be34e2aeff7a9d5631800fcb4c29cff1ee9e429fab9f7b7634677de122501dfdafd913e16468bc8517b8111dc2cbd8d948486c896711af2777a7ba52ab |
C:\Users\Admin\AppData\Local\Temp\xhdvnbaf.cmdline
| MD5 | 34aa2b1a2fb0965959b620d7b8c6b0b9 |
| SHA1 | 7f4e9b2f4713e4254f1181d2de31ecea761432a7 |
| SHA256 | abc1692fe522f238ff68df85d94392b60473e3aab9e5551db7ce10e88683b64b |
| SHA512 | bf1a67ab55a961571568c6f1bf03906f64d6e4c2c586efee0d5d823c5578729b6efc485e15cd62692dad630ec64c4fb9baed9d06787248189f672ef93be19dc4 |
C:\Users\Admin\AppData\Local\Temp\xhdvnbaf.0.vb
| MD5 | 846365ec5052d6dabd406c35fb9393cd |
| SHA1 | 9abf408ca3938f0acbfc6eab9fccd33b4cfc43b0 |
| SHA256 | f1c039830bf9f701f465510cf16ae094214fcfc23a3c311adee9e6f4c18851b3 |
| SHA512 | cf3a29a98a1a53982bd6afbc8dc61b954c26138f9b85473b8a3297ca7ee3c3b782a3b6edde8b0dbbe406bd26e52d72c40a0c1d58dbdfb40c8f9e461bd6542b2d |
C:\Users\Admin\AppData\Local\Temp\vbc95F9.tmp
| MD5 | 4367a7371c6b4a0684704d101371b319 |
| SHA1 | 017269e6b19d459626d4809ebd7f0679ea69b0ec |
| SHA256 | 8ca899b5a49a42920615d57d571ed2f74c7513175d5a5fd3de81cc13ab87b1b0 |
| SHA512 | ea0dc5cfe5deb08cb192eee62ea9855a76317169d0bd0238a8707748e8c942f2ab14b182f6b3b65d1ea5905e5f1e62bbf33aef02cdf4476a97e871b19c05f225 |
C:\Users\Admin\AppData\Local\Temp\RES9609.tmp
| MD5 | 9bea4f999e5567bc447bca904c203066 |
| SHA1 | b164cac2a83b73220ad950e59547f626d4555066 |
| SHA256 | b43dcb0abb2306e568f012646114da1744b35831270b45738655b9748262521b |
| SHA512 | 0e880b0993a5112c6ea28dba0cc2c4139cddf9441b3be0dcfaa9cb7ff886fc54ed7f098a8ae3f984712243d85f6273033f19fff1abae3b273c3166a09e357eb0 |
C:\Users\Admin\AppData\Local\Temp\eji4f_4f.cmdline
| MD5 | 364aaac89894814eab0adb034884361c |
| SHA1 | 79c9da7505fd15e520525d74f7554a9f2659d1bd |
| SHA256 | 9587c6d1b3ccf860ffcd8b1f8a81d1a13770f1cd5f9a9421c72e8bb6a751c327 |
| SHA512 | 942faffc9f356e4d7bbe15eb76333e1e9a7145c26eb0d5b569e3e4a44b57ca4c5f9b991b13931a8c1f40f7a1047f73e08bf73fda27e5807e1202935a0ed2ce2f |
C:\Users\Admin\AppData\Local\Temp\eji4f_4f.0.vb
| MD5 | df1975c930424e8628631c7d62ec352e |
| SHA1 | 4af9901ee310e4af180378c50eeb28d4c4e1f9a8 |
| SHA256 | 0c4b24af1f47981d06c889d02d24f1047b9e8388945ad2a1b079166acbb40c2c |
| SHA512 | d58bc77ed44d68f60b2b9f158c53b31cd47bdae16a555bea9a437bdec2bc3c7ec3b5a500eab7aa4c9a3eea546c93e99f3786f62dba37f86db0b8d20c67c083e9 |
C:\Users\Admin\AppData\Local\Temp\vbc975F.tmp
| MD5 | a6c43b263e6b425580e0e8e86dc235bd |
| SHA1 | 9e48907e177ec653a029dc2df455f1f042df7308 |
| SHA256 | 050542468ce8ed1767cf42833f80e7d2eea0309c51be5cc331a1d6cd8f66d817 |
| SHA512 | 6e152ee0d74de352ad9fc484eef32c50941cd9dc50ef41a8a379a36920d4d3f4933b4428849d764f66ec5924d211155d5a219f6aa57e229a4980cbef8fbafa40 |
C:\Users\Admin\AppData\Local\Temp\RES9760.tmp
| MD5 | dcb21afd2a5647036b8a50b1f2958f00 |
| SHA1 | 251facfe9cd714fb0c1a1fcbc12bb21a4138d7b5 |
| SHA256 | a351b7776083dc746bc762be8cba8609f72a216cb9cdb53acbdb2092a6d5d7fa |
| SHA512 | 570352e351179c579d48414565f6c0121e42ddd2804c73e79280b550dc6154fc042db1202a39ed31cea8014700061fafdc4f0b9cb0c4f9c9266b812c59deecd9 |
C:\Users\Admin\AppData\Local\Temp\kkuhkk-v.cmdline
| MD5 | 6ccbd71df86a8313694d61e220a71378 |
| SHA1 | e319f37215b497926df3927433442c8f671f0e18 |
| SHA256 | 1b3cca5f1f4d7312ab2ed0b94aafd2a34a214a4820dafe339001dbfba6b851aa |
| SHA512 | adaa42e3453aab5724714a94c525c6d5f7013308f4d1a947e86f031a10124c6482ec4b9a46934efe54c0de8e4996c402cf928c8322af91e06a11827b7fc00eb7 |
C:\Users\Admin\AppData\Local\Temp\kkuhkk-v.0.vb
| MD5 | 847182193015fc5d88f0c98c81c630ee |
| SHA1 | 7811018c8b8e5d6d01fb62972a426541635f7cf4 |
| SHA256 | 08ebdceaef531c894727e6332a804ff5bead32831c6744ea1b52b22d420060a2 |
| SHA512 | 1de1f111195e1f8d492c8ecd884d04fbb3b39f4781849c2d4d56085555844f34c2b6f6af15ea7a234fb6ed3b21f08deb19fc0238fd57f58df2b0cf1c59d0047c |
C:\Users\Admin\AppData\Local\Temp\vbc98B7.tmp
| MD5 | 3843a53d7e2dbfa4c232bdeadd21c357 |
| SHA1 | 3940e541bde859a4f090303c16731a24dca505fc |
| SHA256 | 0bb59ed84a49d712878598b06ad05f0c26f5f7a155509554ccf96c14ab6e29f9 |
| SHA512 | 1d9ae65cd4f765e04c5ec1d717c15df13d4c92b32624e7a5772b4068ae3c74e8159e32552bbaa18cf34b656b788971e21b1d37801d3accc567bd7e2dfddaa111 |
C:\Users\Admin\AppData\Local\Temp\RES98B8.tmp
| MD5 | 3b65a6b47a1e8c87be3a7419d8884bcf |
| SHA1 | 53780de1db837839decf4c40c3bc1944a46a1521 |
| SHA256 | f5dac1fcb189f114c7d3c3a17edc205425500a5aad7e0f1ce8b1b79519086a22 |
| SHA512 | 86811d4a14e32abbe00d0c2e434cb82450490537084502e35219fdbe3e4302c89a9ea442850201d5a27e01d3c888646eaade8a90fba2ac447370b62d25756f7a |
C:\Users\Admin\AppData\Local\Temp\v89bsdes.cmdline
| MD5 | 5a0e5d523b9a6288c96cdc4b1570f4db |
| SHA1 | 1e8a972441e98fa5d32dd21bdcbd3048451eab78 |
| SHA256 | d606e640b7b8cc63d0484057bf094df0abc9c249f1ae594a05421c84111173f9 |
| SHA512 | 5521bd0b646a0bee04f94bb3acf553fae47db84049ea5289a8131b05af54cb742da5f1e01cdccf001d920817c9912939d3a4c303a7ce0630b4ce6bf6ebee9c7c |
C:\Users\Admin\AppData\Local\Temp\v89bsdes.0.vb
| MD5 | 556472f96ba0a829d9cd7592411c2347 |
| SHA1 | a2fae1bb654469d975926c75b9635a169a80c76b |
| SHA256 | 6589cfed04466d3dc448361f54572309a731aa8d54aacf50aade28c0f9225679 |
| SHA512 | a938b6b875dd8be3e942cb4c9939f7718ef930d1feddba516070fc5a308065e8c7ebe7ebd606e3fcf61d25a06d9197b3285043f85dd7c69b072cd9daf90f414a |
C:\Users\Admin\AppData\Local\Temp\vbc9A3D.tmp
| MD5 | 3ea71f08d9ecaad5d91ef675c333e68d |
| SHA1 | fc7b47ccdee042f88ce0b83188a65dbfe14403b5 |
| SHA256 | 19b095eec85ee85b484bee4630f38f2a0966e289761fe2773be9f24ec67dd5cb |
| SHA512 | 99111f95e59e03cf379f49e63035b81f0402ad080c1a7ff21f4fff4aa3e1b8102a623e8ce02c75e8ac9c9884c558ce3ac9174e6fa680c57f92d47de3f143f4ec |
C:\Users\Admin\AppData\Local\Temp\RES9A6C.tmp
| MD5 | 02720e8fb0a123a23f436911402a7d0c |
| SHA1 | b16be9e0282ca0f4e4b2c5090fbb3c9eb318f86b |
| SHA256 | 696547891270c53126ff3968169d60dfb0044734af72cdb4ba38eb6e79b04cf3 |
| SHA512 | 63a6f127023c22bbe35eaeeea9a95a38c9be4cd0d853b54643f9b5a8a8a682aea642646303f0ae7b1ce0316a3fb4cb27d158c883bb4a2e0d82cbc5f43b98c790 |
C:\Users\Admin\AppData\Local\Temp\-ctrdgls.cmdline
| MD5 | ed07f3108db15914095bd3e4ad13c131 |
| SHA1 | f0c12626b19b753db41304e12a6da18090028f39 |
| SHA256 | fb9d4defb4acaa7ac0eb69efd734e97ea174eebb0b02f62b4a10e52a773fb461 |
| SHA512 | 4eb38c3f00c0ae2c0fc2eec9df1f2c2817b1621fc9231d3ee7a5b6b03739ad8354723d7c6eb7c8823e428a2ac8b1a0cb3e0011082896d673c2362720732c79fe |
C:\Users\Admin\AppData\Local\Temp\-ctrdgls.0.vb
| MD5 | 31fc52bfcb5cf9a12d52b79c7dceaf11 |
| SHA1 | ec19379305a8404d3c86adb65782467d1c9c3b38 |
| SHA256 | 2b2c31fe62190c52b62ece3e29a19af2309832922d627abd7b2900eab548c19e |
| SHA512 | 38679030edebf6272eb04b0ef9b0b432eef26b23e7c6a517518db3a15ba40bd33eba33835a5cafba2a9fbe73c90ba964cb6bcf375ae6a84dc75693008a8da627 |
C:\Users\Admin\AppData\Local\Temp\vbc9BC3.tmp
| MD5 | e6c60ba9b4fd13ac52f6b57ead9650a0 |
| SHA1 | d21772c045803b49002066829c675c5be2e37dcc |
| SHA256 | 473f21d49c26b2a13798ba62741c565f0f32c25e49fc3b38244d303d01f946bc |
| SHA512 | af86bf7105190630729f567362a93c34625b91af7844d6df27670beac7be6f948e462d88e3438a0ce467a62a8375eacdc455f13e201fc9db1dabe3cf413c1da7 |
C:\Users\Admin\AppData\Local\Temp\RES9BC4.tmp
| MD5 | ab871eca371a3c541e9fb3cb9f73a018 |
| SHA1 | 827510382cc527048c95d28d3c59ce98c4df622e |
| SHA256 | 87bf07a00ecd19663fa1bf336172588634e8a4d904c0b42acd7518e9e6ddd2cd |
| SHA512 | 12df658b22bdae532b75637158c02b5701e7d453368b7e972f4ce81d84fa05594abb438f9f1b9f853acfb66c13a7b93c6efb5fdd21f368b1c6cf7c92910c282c |
C:\Users\Admin\AppData\Local\Temp\zl_6fcrp.cmdline
| MD5 | 0ef1adf842a5f61ef738fc465c9bee2d |
| SHA1 | 5127c0340835194f0cc0665ef1cc79ce72553682 |
| SHA256 | fed436899f1bf0c464c00d95b1960d0fc02548b5f081f4d25057361c77f8c040 |
| SHA512 | 245484e535f249567081df89149de264161e0f915d7496b335c35468ff1c1057a91b9e22f3a44b1f04b0dd33b462fac4f8702bcd8d7ea01a6ef5c764b5000459 |
C:\Users\Admin\AppData\Local\Temp\zl_6fcrp.0.vb
| MD5 | 1d051ff4cd0a27121e93aeb23d1df6ef |
| SHA1 | 4c66c8113b537573b9e54193605009ef612d0ee9 |
| SHA256 | c052ad284c34c0af73d878521251ca7bad9a390e5e7e3b2422dc0f5ca86f4b82 |
| SHA512 | 501b5eb718214634c3386ad9a6df7dd48d9a75d4ecbdc2217d1e785e04e725d899a173b06354b21abb16e976e98a1869792cfa1618069090005425bf9472bb38 |
C:\Users\Admin\AppData\Local\Temp\vbc9D58.tmp
| MD5 | 3c6dff42b6144277ccd0f823e1792790 |
| SHA1 | 261efd8b74fe00e4630f52b3273f412ded3428d6 |
| SHA256 | a6d25d650e3cc9ee7c407b971a9e5d3d02583e955d58422721dc9354d33fe47f |
| SHA512 | 7ee1aa029ba06c93f06cc8f99f569a18d53b8569fcc57c8aa170ed185a82ed5cf1ec9052b6060c5302a62a20ac8a54ec11b4479002d2bacff41cdacdcb4f87ba |
C:\Users\Admin\AppData\Local\Temp\RES9D59.tmp
| MD5 | 0a38fb8501f2ce56b16a72691a6d1a19 |
| SHA1 | 9cfda27a4ec919df168b568a965636d69429ad5f |
| SHA256 | 94047f0ae46b85cf0af6495ef953b66dc565a60473a6e56e1e970700ea996a0c |
| SHA512 | d90e55ad07d2ac1a0d05ab4bb19294030b115456139012c6ddf647b5862b6550bcfaf92974d22d1242969faa0e38f2f3cf30cc79d2cd568a19b584b7fb38bcdc |
C:\Users\Admin\AppData\Local\Temp\yjneypjm.cmdline
| MD5 | 58af5db8451f043caa1821de49b26bee |
| SHA1 | b05384aae8b378f7fca495a57766e2d568c4926f |
| SHA256 | 721272c58c531ae8f7a752ff39cf7983313822dfe4881f79a14e9400e7ea0f7e |
| SHA512 | 67340a2be241dbd9adc83a826b8bce51c0e39a864d132139166e23b02002c9b67cb1179338dd79841336dba83d35f825590adc02d772c1e1abe3c38fca2adbbe |
C:\Users\Admin\AppData\Local\Temp\yjneypjm.0.vb
| MD5 | 70829c1a9fba55df73e0bb03cc02dfba |
| SHA1 | e0eb831dfee7c9daf3856af584d62c4cb202e852 |
| SHA256 | 70274ebc993bc093082ff93802e33a7107df02aee8d392fe723459d31bba7fe0 |
| SHA512 | 47eeac79275c292076c22348179543e3e3aa26c51c759d72c42362799437a761dc7707640b3634572b0c1e80b64fd82feae271ed45e06794976278a51252433a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe
| MD5 | 6663483929f325b3fe2f8a351787aebf |
| SHA1 | eaef70212f2f361a3167340d7c76e07246f1e427 |
| SHA256 | cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42 |
| SHA512 | 12d51bd6328fd6a7572c97fdd3ac7b5d74dfd1379d5553f890af6c5a2effa65c61ecb78588fddac239881391ed9e2831f65a6f70e83a7047b980bcd4cb501eb9 |
memory/2716-363-0x00000000705C0000-0x00000000709CB000-memory.dmp
memory/2716-389-0x00000000701B0000-0x00000000705BF000-memory.dmp
memory/2716-392-0x000000006F940000-0x00000000701A4000-memory.dmp
memory/2716-394-0x0000000073F80000-0x000000007452B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbc45E6.tmp
| MD5 | 3906bddee0286f09007add3cffcaa5d5 |
| SHA1 | 0e7ec4da19db060ab3c90b19070d39699561aae2 |
| SHA256 | 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00 |
| SHA512 | 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 21:05
Reported
2024-07-27 21:09
Platform
win10v2004-20240709-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
RevengeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Client.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 400 set thread context of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 5008 set thread context of 4208 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 4284 set thread context of 116 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 116 set thread context of 1768 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 5004 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 2764 set thread context of 3372 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Client.exe | "C:\Users\Admin\AppData\Local\Temp\Client.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tx_3nxxj.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DB7E5BDE8704F16AC2FC1D849A5782.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2j1alvdm.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc121F6A6089EB49019935FCE756FB50CC.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rfvkhhoj.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A457A0252A6466998BCFB2BE02A551F.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x_2e2kwe.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA79B9A91A9D48CEAE9B39D72AA4786.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9k9agqvu.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES414A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D4D484C489144E0B057D89C9B731D2E.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r3k6k4ha.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES436D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFDE3D297174448EAA5A9A701F1D96F5.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ubqc4dw4.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4541.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3B6C75C95CA45CE93283B50D0578F23.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o_np6yby.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc259F23E86514A02A91B16569D98B669.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y4hqktk5.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDDA26D2097AE4282898862ADBD54C74.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cggrkb4g.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC93E9BE37A814A21AE35A026723F9D5B.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sxcjwx11.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc798D2D55C7124A8EA3882376473DC7FF.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5nmb5cg.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D0FE588AB744C40A9B47C4984D593F.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2-bwft4o.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5196.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2AA81C6B6A64D79ABCCDAE08B6274CB.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dovcpapm.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES535B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F6FF0B1FC5946EEABBC1DB0975FAC5C.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stxhojmp.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5501.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD71AD89BB92403BBF867C54CC9573.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x6fjfmh9.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5781.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7AE2D1EE78A4C7C938B6092861136AA.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qfz39_jw.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc486FC0DAFF34240BD9E9EBB7FDE779D.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dfdwlrpg.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7159722BDA94D958BAA64D222D77B.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ejvol3ao.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66853ECBD34432B92283250182D9294.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4uhsw-p1.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7357455B3D8341EAB6728C22E620F61F.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\orpoe0l9.cmdline" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBC97853E1E040A3AF7CB325417B58AA.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ilcspff6.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zbv48tvd.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F0F5DB3DB1D41A2B1462E5197A95D3A.TMP" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x16d6uzc.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40A9B00E8770497E9ABB3DDC2A40B772.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9yvbpqkc.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1B4D572B6A44AAB0874DF6B2E34.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oh9atfdr.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES219.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA81D7386BA24347B7756CCE299CBDB1.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mj5ap8gl.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87AD159ADF9346F3831EF55DF1729FA.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ajbymlts.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES601.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25DEC36FCFF443AB8C51DA8A7DE44891.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdr0-eyp.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES882.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc639D73C8F6874F39A766A28F3FDBD9DD.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nsr1q2gc.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA28.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DAC37A2D69D406083C9F55B751F312A.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-bwmhux.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43F3992CC78A4991A2F0AA53296B21CF.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdaxkxx6.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80797381E0694765B1B870672D58ACA.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9b7z0qbw.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc763B3E1A5A2A4F7BB2E3DB253C0814F.TMP" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:8848 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:8848 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.223.134:8848 | 0.tcp.eu.ngrok.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\vwfRtNH.txt
C:\Users\Admin\AppData\Local\Temp\tx_3nxxj.cmdline
C:\Users\Admin\AppData\Local\Temp\tx_3nxxj.0.vb
C:\ProgramData\Index\vcredist2010_x64.log-MSI_vc_red.msi.ico
C:\Users\Admin\AppData\Local\Temp\vbc4DB7E5BDE8704F16AC2FC1D849A5782.TMP
C:\Users\Admin\AppData\Local\Temp\RES38BE.tmp
C:\Users\Admin\AppData\Local\Temp\2j1alvdm.cmdline
C:\Users\Admin\AppData\Local\Temp\2j1alvdm.0.vb
C:\ProgramData\Index\vcredist2010_x64.log.ico
C:\Users\Admin\AppData\Local\Temp\vbc121F6A6089EB49019935FCE756FB50CC.TMP
C:\Users\Admin\AppData\Local\Temp\RES3AC2.tmp
C:\Users\Admin\AppData\Local\Temp\rfvkhhoj.cmdline
C:\Users\Admin\AppData\Local\Temp\rfvkhhoj.0.vb
C:\Users\Admin\AppData\Local\Temp\vbc2A457A0252A6466998BCFB2BE02A551F.TMP
C:\Users\Admin\AppData\Local\Temp\RES3C97.tmp
C:\Users\Admin\AppData\Local\Temp\x_2e2kwe.cmdline
C:\Users\Admin\AppData\Local\Temp\x_2e2kwe.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcA79B9A91A9D48CEAE9B39D72AA4786.TMP
C:\Users\Admin\AppData\Local\Temp\RES3F27.tmp
C:\Users\Admin\AppData\Local\Temp\9k9agqvu.cmdline
C:\Users\Admin\AppData\Local\Temp\9k9agqvu.0.vb
C:\Users\Admin\AppData\Local\Temp\vbc9D4D484C489144E0B057D89C9B731D2E.TMP
C:\Users\Admin\AppData\Local\Temp\RES414A.tmp
C:\Users\Admin\AppData\Local\Temp\r3k6k4ha.cmdline
C:\Users\Admin\AppData\Local\Temp\r3k6k4ha.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcBFDE3D297174448EAA5A9A701F1D96F5.TMP
C:\Users\Admin\AppData\Local\Temp\RES436D.tmp
C:\Users\Admin\AppData\Local\Temp\ubqc4dw4.cmdline
C:\Users\Admin\AppData\Local\Temp\ubqc4dw4.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcF3B6C75C95CA45CE93283B50D0578F23.TMP
C:\Users\Admin\AppData\Local\Temp\RES4541.tmp
C:\Users\Admin\AppData\Local\Temp\o_np6yby.cmdline
C:\Users\Admin\AppData\Local\Temp\o_np6yby.0.vb
| MD5 | 556472f96ba0a829d9cd7592411c2347 |
| SHA1 | a2fae1bb654469d975926c75b9635a169a80c76b |
| SHA256 | 6589cfed04466d3dc448361f54572309a731aa8d54aacf50aade28c0f9225679 |
| SHA512 | a938b6b875dd8be3e942cb4c9939f7718ef930d1feddba516070fc5a308065e8c7ebe7ebd606e3fcf61d25a06d9197b3285043f85dd7c69b072cd9daf90f414a |
C:\Users\Admin\AppData\Local\Temp\vbc259F23E86514A02A91B16569D98B669.TMP
| MD5 | c3f8ad47348d4dc388b98c82291c4e3e |
| SHA1 | f92b80d1a9467d4b6ef9604d82dbdc43d15bfe38 |
| SHA256 | 609c321fc1bbce8a03476a1fd09100ad0148c33646804d58f9a1efd5e73e3b85 |
| SHA512 | 74508a1cf26b23376d7e006786887f0057a970a17e9644871bbc6c642aeb799d86b71aa25ecfc986854c154ebe7db088270bf3b766cdfb71d1145cf67eea4c54 |
C:\Users\Admin\AppData\Local\Temp\RES4735.tmp
| MD5 | f03f9bd524c54439b718759105298c6e |
| SHA1 | ee17f35c95b5477b0ae7867bd23b2f2006f4f25d |
| SHA256 | dd54aed71e33bd0e954b07f1b646b973f040639d84fa7df87a254561255bee1c |
| SHA512 | abb6f6ca226ce1865aed55b99b0d9cdab96c81f241b4b122d099efe317279886f72d3c3e51d590542f85bcf3fdc4e029b7d1baee54fa7841a89e33981ae2aada |
C:\Users\Admin\AppData\Local\Temp\y4hqktk5.cmdline
| MD5 | e223687fdb5eaba9b16ecc5980b1a213 |
| SHA1 | da208a3776d0d0d4047ee8c5bbb2b76335c2c890 |
| SHA256 | ae658742a9c5a28d64567762fe339140e127e5d7fc9e6f7bdecb4872649bec4e |
| SHA512 | d4f387ef0975bb8d2767f111049cdd62822cf3c432b03252a39033cbeca75093ee6430c3ece9989e4748c50afc051fe87d64836c5e0681916be3c7c9c61d2d11 |
C:\Users\Admin\AppData\Local\Temp\y4hqktk5.0.vb
| MD5 | 31fc52bfcb5cf9a12d52b79c7dceaf11 |
| SHA1 | ec19379305a8404d3c86adb65782467d1c9c3b38 |
| SHA256 | 2b2c31fe62190c52b62ece3e29a19af2309832922d627abd7b2900eab548c19e |
| SHA512 | 38679030edebf6272eb04b0ef9b0b432eef26b23e7c6a517518db3a15ba40bd33eba33835a5cafba2a9fbe73c90ba964cb6bcf375ae6a84dc75693008a8da627 |
C:\Users\Admin\AppData\Local\Temp\vbcDDA26D2097AE4282898862ADBD54C74.TMP
| MD5 | 8cb42e87bed9f4f5dddcfc0b4ed57515 |
| SHA1 | c5dadeac1347aedfb13eda2a7ec9040bead1147d |
| SHA256 | 968b017601126179c5c112428d2bb44b40ce26fa34ee82c34c363d5f582addbd |
| SHA512 | bdcede0a75ea1f95aae11fab7755961cb27700b575cda72195511212567d8636f7feb9fb25b0b7b5ef03aca7b995d519839a761a579e58bda94fdba909fea2b4 |
C:\Users\Admin\AppData\Local\Temp\RES49F5.tmp
| MD5 | 4e8b5b99a09d832324b3e3e3f703eaeb |
| SHA1 | 933d8a8874a5c64152528739d73d48d2794445d2 |
| SHA256 | 982d43ac90196ad10f633b58fe681e3403d917a7abad26646671a9ebaee0be12 |
| SHA512 | ec02d81d55063ffed4a0e1c93d77709bf9e4e2ffb0a9eafc70f955dc38f75717ec2eeff9736c26d5031a4dc00bf904797500a6846c20f3853b5214a5ec2d8fc8 |
C:\Users\Admin\AppData\Local\Temp\cggrkb4g.cmdline
| MD5 | 21af0e4259346322b6d6e51d64c19ef1 |
| SHA1 | ce6ac44942c47010cbb843717812ede1e2a77300 |
| SHA256 | 4c08c2f6a85ba36bdf6c7ace11488ede11f2f0af9bb19228322179452b856470 |
| SHA512 | 4b576b56fa57dd6b165585cb0b4bef78af2d3af6dfe76f9ee10d6319264becdbecb984a338773d3682b1b19f4e2424e252fdc0e204011c077f373f8fb5b23812 |
C:\Users\Admin\AppData\Local\Temp\cggrkb4g.0.vb
| MD5 | 1d051ff4cd0a27121e93aeb23d1df6ef |
| SHA1 | 4c66c8113b537573b9e54193605009ef612d0ee9 |
| SHA256 | c052ad284c34c0af73d878521251ca7bad9a390e5e7e3b2422dc0f5ca86f4b82 |
| SHA512 | 501b5eb718214634c3386ad9a6df7dd48d9a75d4ecbdc2217d1e785e04e725d899a173b06354b21abb16e976e98a1869792cfa1618069090005425bf9472bb38 |
C:\Users\Admin\AppData\Local\Temp\vbcC93E9BE37A814A21AE35A026723F9D5B.TMP
| MD5 | 5ae046a15bea3386071f0c63192ba29f |
| SHA1 | 94d51e6f2711362ade4879a29dba8f5abccdf884 |
| SHA256 | 3b7d80821582922f747077294e51e2936cf3bc7dcf6ab999e83795a306e4b378 |
| SHA512 | 29cb86aa3b76c1d1c2812baec48a036923050314450451b8fca317c2dd8dc3bbaffbd776cdb9d1f038aab703b5bfd91c8153e41a330dbba2671fc33ec7df2a03 |
C:\Users\Admin\AppData\Local\Temp\RES4C17.tmp
| MD5 | 278d6d4dfd64c511a2aac25a268e4ea7 |
| SHA1 | d697ab70cd1d3e28646e892c64b7a62b8babfaf3 |
| SHA256 | b702edb239084923738a87bf001b46098428f65a3904542a0d4f35115e5ca144 |
| SHA512 | 0f3272ae03cf79f4f9ca3a27c39f6a48554c7dd96e46abbf9fdf7a78062eeb9ef5a6e35197fd496c993b6b66c7c88beac3f0b390be34adf4ca82dfa9cc4e9bed |
C:\Users\Admin\AppData\Local\Temp\sxcjwx11.cmdline
| MD5 | ed218b2c1318ddf8ad6fa56ff060afa4 |
| SHA1 | 107255d82e6ca555eaf2b563afb9e1e7639db725 |
| SHA256 | c6a7847203c1f1ab0756ad2debc713dd6be5041057f66c31d79ecb0ac21c672d |
| SHA512 | 809cb12decc9b779f6e91c90e7eae1f2bef71ee0a0b4042b59e61e5607f206a145bd13fef6972544fd7a18fc6070c67a2fd395edd3763268b9507a88f1b00647 |
C:\Users\Admin\AppData\Local\Temp\sxcjwx11.0.vb
| MD5 | 70829c1a9fba55df73e0bb03cc02dfba |
| SHA1 | e0eb831dfee7c9daf3856af584d62c4cb202e852 |
| SHA256 | 70274ebc993bc093082ff93802e33a7107df02aee8d392fe723459d31bba7fe0 |
| SHA512 | 47eeac79275c292076c22348179543e3e3aa26c51c759d72c42362799437a761dc7707640b3634572b0c1e80b64fd82feae271ed45e06794976278a51252433a |
C:\Users\Admin\AppData\Local\Temp\vbc798D2D55C7124A8EA3882376473DC7FF.TMP
| MD5 | e5e552a63bec43aafd93067052091b70 |
| SHA1 | 65d27ec9696e4eab2e9c9f03ce6a91330d194230 |
| SHA256 | 19333143ba21e54fbaab635b061f7166a0db918057804cefd54e46586a0ccffb |
| SHA512 | 8703b20ea2ea148882430c4a13643978b9eb68212e74f257a8cf9d0cf56a1a7d285fe05663f8e43556ad2e802c27c8324751974cbb984dc5e7e54cb96b6063f6 |
C:\Users\Admin\AppData\Local\Temp\RES4E4A.tmp
| MD5 | fc187b6190c934f1753fec9a5448e038 |
| SHA1 | 62bce5e1a8e555c5f2028f0b650a8587372821a5 |
| SHA256 | e45b5dfaed7e1909c04248eee1882bd02fb04368e4777fe1e2d338ce2b3e812a |
| SHA512 | 59ecd79850d0e62cb6b92d9fc534aaa09bc2aba7dee37c6fd79fe5347b41ab6d85d8642682326f614134644f60f01019516e70f4d51cacc4dde8b6ae0e3e6f72 |
C:\Users\Admin\AppData\Local\Temp\w5nmb5cg.cmdline
| MD5 | 07ae773d69cfaea762e7955c9197c412 |
| SHA1 | 8827353fdde88eb29ac897a4256fda250e4580db |
| SHA256 | 59980788048d6698c14dd53a8f6b906b7e1ccb675e094855328ef068e12e2603 |
| SHA512 | b467ec33f44d973d324f4ee2af753b1704edbde00714695c82201629f6fb3501be1c33f028a2cf95231aad9db05606bd4e304baf30aa4d99ec4535daa1cb6cfa |
C:\Users\Admin\AppData\Local\Temp\w5nmb5cg.0.vb
| MD5 | adaa061d082a7b86bc1f959594a01eff |
| SHA1 | 9398852f8cfe36144a64ccded6b7775acdce59a9 |
| SHA256 | 99391f66edd6bcddcc4c1f156572f4d193538b6e42793cf0694c97f02d6efc9c |
| SHA512 | fc51f77ad8634b2a7512b76eac8cea3be9e04c5ff59b1fdedb6c0e99c71b7d4a5128b6f72fb217a8e7925371b98e0c94bc228c504125ae08cd3bb9daa26e6186 |
C:\Users\Admin\AppData\Local\Temp\vbc3D0FE588AB744C40A9B47C4984D593F.TMP
| MD5 | 387784f57a2f90edee143411c749a86f |
| SHA1 | fa730a840a2caf64f612d65634f6940af8bc73f5 |
| SHA256 | 2a6c05b939a7b9fe43b8f936c7deddf4d096e54ac2eeb7bd1aa022ebf5b69a63 |
| SHA512 | 5d71d66db1278e7316a42d6dda97b04669ba137d371fa4798eaf311b9d9d78a4c441cbe404dde93569baf64403d2054d0e4834640d6c80dbf5b82602b2c80ea6 |
C:\Users\Admin\AppData\Local\Temp\RES4FD1.tmp
| MD5 | 38f5c1fb5dfcb10be579f26ff27441a4 |
| SHA1 | 510184d0f996ed0a442a580f5a1fbe65ca44bafc |
| SHA256 | 8b9fc37e6c9dc676e3cf66080e3d37bde97c54b86aecc0758ee6ea94f3d3fef6 |
| SHA512 | 37cd620cf0591a9f97970473ccc06fe34d79a0182241fc5993f76381caee8839a8c7ab712a5b5c01af33b20bc03c2ad70077d4bbc64861f61154b1fd1bf735b7 |
C:\Users\Admin\AppData\Local\Temp\2-bwft4o.cmdline
| MD5 | 6a35bc39895faf0a5f5aaca805bcdc23 |
| SHA1 | c319d97d86de228cc37462e75c86b2a1169d830a |
| SHA256 | fe6137f1adbe69b58154df9bc4216e8831e8f7be067f2a546ea629b466fbaf18 |
| SHA512 | 96a71f4579610aeb409b2f04bb994046279415b1c220821344abfea1a61d4cc441066f7d6b24481a3e9e1958f648a043a9a6f08aab48e755e279d6b5eb84efad |
C:\Users\Admin\AppData\Local\Temp\2-bwft4o.0.vb
| MD5 | f1f4b97a4a7ccacf00d680ed41092d6b |
| SHA1 | f8b32a0d52cb9a1f1d87752f9f3883c56eee16aa |
| SHA256 | 4050ab47352c7d9e885aec0f16054cfab523d854b4f4956027b82277379e1e80 |
| SHA512 | 2b3ba9c1250e5c56267a99e79c155927c3b353734c485b31b0537c50a3cde35ca0d75a5bb8e1d230be8a3685dfe41bf3238263d03566ec6889bec6ffb233d210 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe
| MD5 | 6663483929f325b3fe2f8a351787aebf |
| SHA1 | eaef70212f2f361a3167340d7c76e07246f1e427 |
| SHA256 | cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42 |
| SHA512 | 12d51bd6328fd6a7572c97fdd3ac7b5d74dfd1379d5553f890af6c5a2effa65c61ecb78588fddac239881391ed9e2831f65a6f70e83a7047b980bcd4cb501eb9 |
memory/5008-305-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/1768-309-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbc87AD159ADF9346F3831EF55DF1729FA.TMP
| MD5 | 3906bddee0286f09007add3cffcaa5d5 |
| SHA1 | 0e7ec4da19db060ab3c90b19070d39699561aae2 |
| SHA256 | 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00 |
| SHA512 | 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0 |
C:\Users\Admin\AppData\Local\Temp\vbc25DEC36FCFF443AB8C51DA8A7DE44891.TMP
| MD5 | 85c61c03055878407f9433e0cc278eb7 |
| SHA1 | 15a60f1519aefb81cb63c5993400dd7d31b1202f |
| SHA256 | f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b |
| SHA512 | 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756 |
C:\Users\Admin\AppData\Local\Temp\vbc43F3992CC78A4991A2F0AA53296B21CF.TMP
| MD5 | dac60af34e6b37e2ce48ac2551aee4e7 |
| SHA1 | 968c21d77c1f80b3e962d928c35893dbc8f12c09 |
| SHA256 | 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6 |
| SHA512 | 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084 |