Malware Analysis Report

2024-10-19 08:43

Sample ID: 240729-c95atayhrp
Target: 6663483929f325b3fe2f8a351787aebf.bin
SHA256: cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42
Tags: guest revengerat discovery persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42

Threat Level: Known bad

The file 6663483929f325b3fe2f8a351787aebf.bin was found to be: Known bad.

Malicious Activity Summary

guest revengerat discovery persistence trojan

Revengerat family

RevengeRAT

Executes dropped EXE

Loads dropped DLL

Drops startup file

Uses the VBS compiler for execution

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-07-29 02:47

Signatures

Revengerat family

revengerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-29 02:47

Reported: 2024-07-29 02:50

Platform: win7-20240704-en

Max time kernel: 141s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe"

Signatures

RevengeRAT

trojan revengerat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Client.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 0.tcp.eu.ngrok.io | N/A | N/A
N/A | 0.tcp.eu.ngrok.io | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2096 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 2516 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 2516 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 2516 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 2516 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2516 wrote to memory of 1396 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2516 wrote to memory of 1396 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2516 wrote to memory of 1396 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2516 wrote to memory of 1396 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2752 wrote to memory of 808 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 808 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 808 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 808 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 808 wrote to memory of 2996 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 808 wrote to memory of 2996 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 808 wrote to memory of 2996 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 808 wrote to memory of 2996 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2752 wrote to memory of 1580 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 1580 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 1580 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 1580 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1580 wrote to memory of 2896 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1580 wrote to memory of 2896 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1580 wrote to memory of 2896 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1580 wrote to memory of 2896 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2752 wrote to memory of 2092 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 2092 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 2092 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 2092 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2092 wrote to memory of 1752 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2092 wrote to memory of 1752 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2092 wrote to memory of 1752 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2092 wrote to memory of 1752 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2752 wrote to memory of 2272 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 2272 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 2272 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 2272 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 2180 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2272 wrote to memory of 2180 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2272 wrote to memory of 2180 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2272 wrote to memory of 2180 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe

"C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mxl0ello.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAF2.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9h338zb_.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC1A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\csihgfwb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD62.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9dgzgivi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE4D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE3C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gdjqrrbs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF07.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b56vijqi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFFB3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t8wlc2jf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sgjulejf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES243.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc242.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\baws217c.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qu4_ayd1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES475.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc464.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zuas6fxt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xqtxeq4u.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc619.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ng7d7khr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES742.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc732.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qo7kmsy7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-imw-mh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES945.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc944.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oklregjj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\srkfypk-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB08.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbjaeiti.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAE.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wku7ow2m.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-oyipdt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE72.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qlpl0hmf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3y_xlqfy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1037.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1036.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qdz4zb4g.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1102.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1101.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\odfol4hf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES116F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc116E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iz7gqoji.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES122B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc122A.tmp"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k8vznyps.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABAA.tmp"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0rfz0u7t.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC28.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC27.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x-4wdsbj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACA4.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\njmknxzj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD21.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-rxonmpp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADBD.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fklj0wb-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE68.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q_f98jso.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF14.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\26cbq13s.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFB1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFB0.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sljfch2v.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB06C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB06B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dojewcoe.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB146.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB145.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9tmipog5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1E1.tmp"

C:\Windows\system32\taskeng.exe

taskeng.exe {F75C3B47-4E4A-4C63-9914-14113B25896F} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]

Network

Country  Destination          Domain             Proto
US       8.8.8.8:53           0.tcp.eu.ngrok.io  udp
DE       3.125.223.134:8848   0.tcp.eu.ngrok.io  tcp
DE       3.125.223.134:8848   0.tcp.eu.ngrok.io  tcp
DE       3.125.223.134:8848   0.tcp.eu.ngrok.io  tcp
DE       3.125.223.134:8848   0.tcp.eu.ngrok.io  tcp
US       8.8.8.8:53           0.tcp.eu.ngrok.io  udp
DE       3.125.102.39:8848    0.tcp.eu.ngrok.io  tcp
DE       3.125.102.39:8848    0.tcp.eu.ngrok.io  tcp
DE       3.125.102.39:8848    0.tcp.eu.ngrok.io  tcp
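
The process list above (repeated vbc.exe /noconfig @*.cmdline and cvtres.exe /OUT:RES*.tmp compile chains, RegSvcs.exe started with no arguments, schtasks /create /sc minute /mo 1 pointing at a user-profile path, and Client.exe launched from the Start Menu folder) and the network table (DNS lookups of 0.tcp.eu.ngrok.io through 8.8.8.8, then TCP to the resolved ngrok endpoints on port 8848) are the telemetry a detection engineer would turn into rules. The block below is an added example and is not part of the sandbox report: it encodes those observations as checks and runs them over events constructed from the rows on this page. The event field names are an assumed generic schema rather than any particular EDR's; the list of .NET Framework utilities treated as hollowing candidates is an assumption drawn from common loader tradecraft, and reading the argument-less RegSvcs.exe launches together with the SetThreadContext and WriteProcessMemory signatures in the summary as a hollowing pattern is this editor's inference, not something the report states.

```python
"""Detection checks for the process and network telemetry shown in this report.

Added example, not part of the sandbox report. PROCESS_EVENTS and NETWORK_EVENTS
are constructed from the command lines and network rows on this page; the field
layout (image, cmdline / domain, dst, port, proto) is an assumed generic schema.
"""
import re
from collections import Counter
from dataclasses import dataclass

# .NET Framework utilities that loaders commonly start with an empty command line
# and then hollow. RegSvcs.exe is the one in this report; the rest are assumed.
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}

RUNTIME_COMPILE = re.compile(r'/noconfig\s+@"?[^"]+?\.cmdline', re.I)        # vbc.exe response file
CVTRES_TMP = re.compile(r'/OUT:[^"]+?\\RES[0-9A-F]+\.tmp', re.I)             # cvtres.exe resource stub
SC_MINUTE = re.compile(r'/create\b.*?/sc\s+minute\b(?:.*?/mo\s+(\d+))?', re.I)
TASK_TARGET = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
USER_PROFILE = re.compile(r'\\Users\\(?!Public\\)[^\\]+\\', re.I)
START_MENU = re.compile(r'\\Start Menu\\', re.I)
NGROK = re.compile(r'(^|\.)ngrok(-free)?\.(io|app)$', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(image: str, cmdline: str) -> list[Finding]:
    """Apply the process-creation rules to one (image, command line) pair."""
    name = _basename(image)
    out = []
    if name == "vbc.exe" and RUNTIME_COMPILE.search(cmdline):
        out.append(Finding("runtime-compile", "vbc.exe building a response file from the user's Temp"))
    if name == "cvtres.exe" and CVTRES_TMP.search(cmdline):
        out.append(Finding("runtime-compile", "cvtres.exe emitting a RES*.tmp for an ad-hoc build"))
    # A framework utility whose whole command line is just its own path has no work to do
    # on its own; combined with SetThreadContext/WriteProcessMemory that is a hollowing shape.
    if name in HOLLOW_TARGETS and cmdline.strip().strip('"').lower() == image.lower():
        out.append(Finding("bare-dotnet-utility", f"{name} started with no arguments"))
    if name == "schtasks.exe":
        m, t = SC_MINUTE.search(cmdline), TASK_TARGET.search(cmdline)
        target = (t.group(1) or t.group(2)) if t else ""
        if m and USER_PROFILE.search(target):
            out.append(Finding("scheduled-task-minute", f"re-runs {target} every {m.group(1) or '1'} min"))
    if name.endswith(".exe") and START_MENU.search(image):
        out.append(Finding("exec-from-start-menu", image))
    return out


def check_network(domain: str, dst: str, port: int, proto: str) -> list[Finding]:
    """Flag ngrok tunnel names; both the DNS lookup and the later TCP session carry the name."""
    if domain and NGROK.search(domain):
        kind = "TCP tunnel endpoint" if re.match(r"\d+\.tcp\.", domain) else "domain"
        return [Finding("ngrok-tunnel", f"{kind} {domain} -> {dst}:{port}/{proto}")]
    return []


FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
CLIENT = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

# Constructed from the process list on this page (image path, command line).
PROCESS_EVENTS = [
    (rf"{FW}\vbc.exe", rf'"{FW}\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\srkfypk-.cmdline"'),
    (rf"{FW}\cvtres.exe", rf'{FW}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                          rf'"/OUT:C:\Users\Admin\AppData\Local\Temp\RESB09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB08.tmp"'),
    (CLIENT, rf'"{CLIENT}"'),
    (rf"{FW}\RegSvcs.exe", rf'"{FW}\RegSvcs.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe", rf'schtasks /create /sc minute /mo 1 /tn "Client" /tr "{CLIENT}"'),
    (r"C:\Windows\system32\taskeng.exe",
     r"taskeng.exe {F75C3B47-4E4A-4C63-9914-14113B25896F} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]"),
]

# Constructed from the network table (domain, destination, port, proto); the last row is a
# made-up benign lookup that must not fire.
NETWORK_EVENTS = [
    ("0.tcp.eu.ngrok.io", "8.8.8.8", 53, "udp"),
    ("0.tcp.eu.ngrok.io", "3.125.223.134", 8848, "tcp"),
    ("ctldl.windowsupdate.com", "203.0.113.10", 80, "tcp"),
]


def run_detections(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS) -> list[Finding]:
    findings = []
    for image, cmdline in process_events:
        findings.extend(check_process(image, cmdline))
    for domain, dst, port, proto in network_events:
        findings.extend(check_network(domain, dst, port, proto))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in run_detections():
        print(f"[{f.rule}] {f.detail}")
```

Run it directly to print the findings. The compile-chain rule is deliberately a signal to combine rather than an alert on its own: build tools and legitimate applications that use CodeDOM also spawn vbc.exe with a .cmdline response file, so a production rule would key it on the parent process and on the volume seen here (a new compilation every few seconds from one parent). The schtasks and ngrok checks stand on their own.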

Files

memory/2096-0-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmp

memory/2096-2-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

memory/2096-3-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

memory/2752-4-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2752-9-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2752-13-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2752-11-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2752-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2752-7-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2752-6-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2752-5-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2752-14-0x0000000074231000-0x0000000074232000-memory.dmp

memory/2096-15-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

memory/2752-16-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/2752-17-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/2720-18-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2720-28-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vwfRtNH.txt

MD5 ee67e73252c29160f738f28771118fae
SHA1 969bfe134c3fb11ad04db32e594b6634c56a72b9
SHA256 0b36fab6078c10c82cb54f10ec68cb35cbd2c219534145ffd3fc7bc84649bb2d
SHA512 19c5b6fc0379c0310f7387933ed7e22e2ef9a3c01076518408da9472fcc5f2bc4026d894a8c35e52eaac1b5f227a69f443b210f7cb74737ee829f6d56f21f03d

memory/2720-24-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2720-22-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2720-20-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2720-33-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2720-31-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2720-34-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/2720-35-0x0000000074230000-0x00000000747DB000-memory.dmp

memory/2752-36-0x0000000074230000-0x00000000747DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mxl0ello.cmdline

MD5 f89f170abb133de528bcc0aa5aad6f18
SHA1 f848f36b176395defeb912e92b05b028dbd8541f
SHA256 8ae79a59ab41bb3057be1936a801d7b275fbad651a6153b06b8b210ed95d3459
SHA512 8957ef72d2c314c79955c232a61b554bd484ec69135e45d5e962c1a8f8d7016e1a220f76ff22c9f7c32b843bf7b42b0d01caf11cfddb5d3840ed5a9f40deccd5

C:\Users\Admin\AppData\Local\Temp\mxl0ello.0.vb

MD5 3c88d0389da097789f854d19e5a6851c
SHA1 9e0f6bb3a576bb0eaf7fa1384018e57b50401adf
SHA256 b0c7beac256055e2a91713ef20ab4bc9eb5785e2a7cd30f64ab95fe37ff4d60c
SHA512 92799b8e42dd602cb9686820bc75136e26f2f356a731c23e3a3c5d9f65ff0b2325666aebd1f34f4ebf240eb047a11e9a37751f3fa3e30264738e6c113f8d9ead

C:\ProgramData\Index\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcFAF2.tmp

MD5 6cefaf397ee40eb5c3df27193a26e399
SHA1 ab6097301a83d831b6b63acbaaec0285126f4ae5
SHA256 43a6fa373945bde88b7cc7a083aa81c18e959815f79c4b304afcded5230789df
SHA512 30f4fadab57fbcd25e58c842a98583dc607c52c6a21ef346f63d4035c2d34243a11ce572cd401e6958262509bf91b71e02f56236c69f3c1f606f5720210cb9de

C:\Users\Admin\AppData\Local\Temp\RESFAF3.tmp

MD5 6155d6c0e7db9ff1b28ea8c91dce1cf8
SHA1 ef929e2b64c0c8c62234e118ddb2e41599a462c9
SHA256 8f3139d2ae7f993f0850158b68351f413e82ae864fe21c38ae35501160819491
SHA512 b979900a014c8b742de2cb71629b11bbe8b8ac3dc975a810b06ef61a819352ca0d1e0cdba466b9be16468c4874901ecd325918d5a4975d28aecb1f92e0d5b87c

C:\Users\Admin\AppData\Local\Temp\9h338zb_.cmdline

MD5 f3cdf08c7dc4cdf5f1c4a3a34ac196d4
SHA1 c55e90c6d96ce425c8331c8e62ff61cea9f39678
SHA256 02ee305716ce6dfff84b56d7b7f765d521f0a22ddc04d6caeb6c3f650b20d877
SHA512 c99d08dcb68156b9b7e7273e36dcef4c1d5d07210374103b97f9d28e6542235bb33cb1ffc5826b6a77d441edc70a086f0af7ffa3c3cdf2ec4461eb282e6e51b5

C:\Users\Admin\AppData\Local\Temp\9h338zb_.0.vb

MD5 3fa7c020766873f8b58d109177c7d7a1
SHA1 716be689ba29ba1493a617920c24fa6ef036ed5d
SHA256 dfcfb090d3b80c08c34aa55028773778a8a745c2eef48d8c572b043fb421e3e7
SHA512 1657d79d5bd7768984df780f71e9609c69fa58c7370eb5ee8122c97daf1a2c47fb0217f3f69e07f8fd0c51c8f8e078a00f8275eed3bbb02ec23ba092c47ec196

C:\ProgramData\Index\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\vbcFC1A.tmp

MD5 1925b323c24d5e44f273b65bdf58f85e
SHA1 704e92b27adad5266b25a84b66491065e6a8e077
SHA256 f1109f98dcf21ba90f165c3062b89f8f730850c75cbb1ced23b75c7ea1443f63
SHA512 c3c03be1d12b8c3dd33fa234d60d0328bfc0ea2bfad160d825d5ebf8ef1511f66cd85c9b0d419e83b2ced52fe99ef0df992fea35b2cb912b60ef5635ac25e969

C:\Users\Admin\AppData\Local\Temp\RESFC1B.tmp

MD5 53ff4e090a4d71c0bde80f272a0fc38e
SHA1 f127fee37c4f480b03a4ad60b98803a836401a2c
SHA256 90500e5e9c217951c049389ea270f19d443ea18cafdc57c5e2cebed3d3d0245d
SHA512 0c2838119cec14733ff81c981159c42d595b6c065804e229678a65910d577ff1441e3c12b3b849b536d0ce7366602384ee69f2a1fdd8b2a8d0247fa2d514dbbf

C:\Users\Admin\AppData\Local\Temp\csihgfwb.cmdline

MD5 ac82fbf0702050eb86b8590929219bed
SHA1 29030b44df8b3ecfc59f91f3c57e236e484ce269
SHA256 c5ba14845e5b7763407dc482266a0a384e792e9e7b6fcd0ad1335c4664463554
SHA512 bfe90539ef9b0c0f98c07f2a04a5290c65235fb0f0b048f7430e4a02fac86881a3da5a5d4fb60877b8f2ed69ad60e23107e361b3f6dd623370242b406f512fc1

C:\Users\Admin\AppData\Local\Temp\csihgfwb.0.vb

MD5 a44396dac48f30ef8c8608531567fb83
SHA1 905391559e0577fbc6cefd0d13eb10f9dbcd63c3
SHA256 1ba098682cded71da604d1c99018e43622cf0bd8a609c0c6e2752e9ff1944b4f
SHA512 168ef2aa0bcc07f4e1a1f6652c8d459cd6c3c31ee579702e06977733da856419c9ebd1f2da06fdd185655dc464cd40183ddb32cfe0e960bc6104c64fdc9976fc

C:\Users\Admin\AppData\Local\Temp\vbcFD62.tmp

MD5 2aa7b07c157877ad67f7d79b15da9ff6
SHA1 451dad641b7b329378d0238e1d0c9a27d47a3f40
SHA256 9f5688e5525be99764b3e610afa58af84e43191d524c99a196ffca8118e4f950
SHA512 5a358cd9b6003a867c5c94e3ee0ec49a8cf04c313995fb3999f7cd5fbfc6dc2fdf52da181054aeeb6b05025e603110bda1f2440bbeb2c848698da412c7a695d3

C:\Users\Admin\AppData\Local\Temp\RESFD63.tmp

MD5 1761fe2c1661404a362b703f476753b1
SHA1 d06d982c4423a423d1ce0b65b1e4d316a5b16990
SHA256 d561b836e71e1d85ba147b67e9b6fb68fce9905d7e9d26de1c0b24fd12d3767e
SHA512 57dff52863d825417654aaf29a7016d374765348b8fdaf792001a6d5ba7f50ff7b4970b942b6d465c4c2089dbbb6365c9b423a18b7f93d000c0fa981993d5c1c

C:\Users\Admin\AppData\Local\Temp\9dgzgivi.cmdline

MD5 33fb15459c00baa28c02d50a526480bd
SHA1 24d7070077dc9ce27780735a5d55c0eeba799c00
SHA256 d5c99a00ccaf03d931ec370e4da4e965862bd23cd5a58b66c5d3cd040e8d395e
SHA512 6bc1297717fc1c92fb759d6d4f524ff966504aff8f1fb8d4c76a2e291a26781f6c9a3f227b5c21319bde8d6d6bc569bc5b4765fa8b72256e2543276b8fbc26f1

C:\Users\Admin\AppData\Local\Temp\9dgzgivi.0.vb

MD5 55baa1a9cc195fdeb239fd42886466ed
SHA1 21d56bd00b7bdefb6fd1f2735f2249cde0812132
SHA256 483fae1036126f05605dff2447307d8e840ff775f5cf7574fb5b0256beb95766
SHA512 8dc014a020e6ecda766b1f58928b1d10a20c5ea2e3973e94d8c339ea772044e3898004b753b9ff4020b436c543206f4ab46468b789d08466136baf0812e81daf

C:\Users\Admin\AppData\Local\Temp\vbcFE3C.tmp

MD5 552cdad34f767fe9ceba407cfeaaa5f2
SHA1 95291c8d45589e53428a2895b17c8c0f9d398eb4
SHA256 69d9a6c71053bfda400ee50b358b31346621457181ba94ec8645f4df87f82f49
SHA512 b5e66fc5e7c782da773228e79872590354d39baadb57ae32b25d816d612d580056c8cb9b7a5dd07c0a82230e69f5672dd3329b04028ffec3e5a7c2a5ebea0ad0

C:\Users\Admin\AppData\Local\Temp\RESFE4D.tmp

MD5 a25394cc0164145bded4cd7c5607fd5f
SHA1 b4ad41c2e16ee684ae133fdb097323128ca9306d
SHA256 467d8392387358793f48e1a0f580cf899609c4669b7c1aefdeb088bbc354c87a
SHA512 4ca6c94214d4a6abf6658113946e92c1e186ada9d67f5f61d908ca3e97a14e1555bf3c357c330bcf2b69de87b674e1b15e0773820e10b8a98b71b1a277c5ba5d

C:\Users\Admin\AppData\Local\Temp\gdjqrrbs.cmdline

MD5 c6d23542b873da09470559d598239404
SHA1 9369a6f8f46787e4cb34d7d676247c19dc3628cf
SHA256 32cc1acf806c67598865922fc33ba1c27cc6b1ce5443749af0915593bf3dea5a
SHA512 0986b2fd65831257ecb883003370184f05c051696fc957774f39f9d6e80b255b82897cd384289dd0704028d4c53b830b5e4ef5fec0ca9a498158d894794e740d

C:\Users\Admin\AppData\Local\Temp\gdjqrrbs.0.vb

MD5 4a447b73c91023eb6c863a34742dbfdd
SHA1 68fbb85cab50aaeaa9abedff254efba01892310a
SHA256 b9d69dba98cd1d12c4a0ed06def7734936270924cb3847807f6f04f3d0fac242
SHA512 dfc531d34abadc872b5db88a087784181970d8cb5b958fe979e431dd2bd135c6699c738a61e26e7fd9674af90449fbcbf810b42e765b0add5d9d66ad6e83299d

C:\Users\Admin\AppData\Local\Temp\vbcFF07.tmp

MD5 3ccbd45c6b0f194811118d4b7323362a
SHA1 4e1376f6cf4d183f7b29496e1419f9fbb3f9786a
SHA256 77d234f1c365f565425c5af9873bdc915bd6a81d69fee1fad8ddf01217bb32ee
SHA512 ae3dbeea13020c3a68c53b0818a84973dea9d33e787675d0e2a42aa3988fe54e893a6eb113fe4bf7349ed7a9d2315adef1412d2f31f483df1dba65f1b5685968

C:\Users\Admin\AppData\Local\Temp\RESFF08.tmp

MD5 746bf802ba52b6f7a2499bb92413f053
SHA1 5ce4cbde59ec51f7d3c43cc7860750231bf481a3
SHA256 f1cfeffcb36ef64417e401f43e33af26e9adba9eaf8f8f3432bf3e592704c90a
SHA512 e646fadf8cce89fbc1f2e56405dc196d0ede49a6f3cdfb5823b9d0fc87e93f0424b666b7edd3e0ba557ab72faf0d11f74a78940d454b2c940afb4d01fc54113b

C:\Users\Admin\AppData\Local\Temp\b56vijqi.cmdline

MD5 30e002c86879f6369bc1abadaaa45c6f
SHA1 26358fb2f28a4343d9a27d16f7382ee09c8ff67f
SHA256 86d331282881ad96e2ed8c61f5ef258e069617d3f9fe2d65ea0bb7a848a6b213
SHA512 e6a7f25fe59bd001de090cb06f6e7e85f6ae58d360db49fbc16521d4dce49a9fb9df920a25aeb270ff605074bcc6b4bc8ced40341b4f1409531331a9acfd310c

C:\Users\Admin\AppData\Local\Temp\b56vijqi.0.vb

MD5 846365ec5052d6dabd406c35fb9393cd
SHA1 9abf408ca3938f0acbfc6eab9fccd33b4cfc43b0
SHA256 f1c039830bf9f701f465510cf16ae094214fcfc23a3c311adee9e6f4c18851b3
SHA512 cf3a29a98a1a53982bd6afbc8dc61b954c26138f9b85473b8a3297ca7ee3c3b782a3b6edde8b0dbbe406bd26e52d72c40a0c1d58dbdfb40c8f9e461bd6542b2d

C:\Users\Admin\AppData\Local\Temp\vbcFFB3.tmp

MD5 4367a7371c6b4a0684704d101371b319
SHA1 017269e6b19d459626d4809ebd7f0679ea69b0ec
SHA256 8ca899b5a49a42920615d57d571ed2f74c7513175d5a5fd3de81cc13ab87b1b0
SHA512 ea0dc5cfe5deb08cb192eee62ea9855a76317169d0bd0238a8707748e8c942f2ab14b182f6b3b65d1ea5905e5f1e62bbf33aef02cdf4476a97e871b19c05f225

C:\Users\Admin\AppData\Local\Temp\RESFFC3.tmp

MD5 5736e9f45f0d9cd9ec3c3d4efb757f62
SHA1 f250d2ae8316bdcd93ad92e360f1e1832332e080
SHA256 5e6a122d317e6bf1dc8b72166972d201f820f4764402243dcbdb06d0448361fd
SHA512 3015c6db54782b04e52f2da54982449d9a3f9b0939eb0b970cd76a3f74aeb46afc3d89858b258cc48719e1cb56542508103a4be6af078ced385f7f93464b9546

C:\Users\Admin\AppData\Local\Temp\t8wlc2jf.cmdline

MD5 4fb23c26780ac8216e73261100958508
SHA1 74b96db575b9b698feeee8673a0b20c68ade0146
SHA256 a5cee1f36cc4bdb54b85e1509b06338cd6aa0ffd08ff037e76d92ec858ed6e14
SHA512 b496dd99da57d29541ea42e11303b01f1646b17ff7593eebdc026da6b1e5b9f3ffbe71edc8fba983484e4832d07ae1a49bc89b532cf16edd57fba71418dc13a7

C:\Users\Admin\AppData\Local\Temp\t8wlc2jf.0.vb

MD5 847182193015fc5d88f0c98c81c630ee
SHA1 7811018c8b8e5d6d01fb62972a426541635f7cf4
SHA256 08ebdceaef531c894727e6332a804ff5bead32831c6744ea1b52b22d420060a2
SHA512 1de1f111195e1f8d492c8ecd884d04fbb3b39f4781849c2d4d56085555844f34c2b6f6af15ea7a234fb6ed3b21f08deb19fc0238fd57f58df2b0cf1c59d0047c

C:\Users\Admin\AppData\Local\Temp\vbcAC.tmp

MD5 3843a53d7e2dbfa4c232bdeadd21c357
SHA1 3940e541bde859a4f090303c16731a24dca505fc
SHA256 0bb59ed84a49d712878598b06ad05f0c26f5f7a155509554ccf96c14ab6e29f9
SHA512 1d9ae65cd4f765e04c5ec1d717c15df13d4c92b32624e7a5772b4068ae3c74e8159e32552bbaa18cf34b656b788971e21b1d37801d3accc567bd7e2dfddaa111

C:\Users\Admin\AppData\Local\Temp\RESAD.tmp

MD5 f6b8e95fb6c638bd89f0a58521aa8048
SHA1 4b7f9bb6ef5deaa09c355330264dcc9667d7f203
SHA256 76db967eed7db4dbfa959a41ab89846a834f8439784e9be2bc885a94a4da5b00
SHA512 8f69317d5dfe3c6445074fc1e7504e4f9464af2020291808eaee3edd5c954f8e7a23cebe62dccbcd6c949775ae2cecfef948caa4c45b498e182eabb88539e8ed

C:\Users\Admin\AppData\Local\Temp\sgjulejf.cmdline

MD5 a19b9794c33bf57e786105b8d7f0990e
SHA1 50237f6f63871eeed7ad50a28ac0d9971f034d42
SHA256 89bc274ed736f8c6cd736e3cd2e5118ef6dc223bbc2610c35852fc1ac4aae0d8
SHA512 196b2f9f6e74a6c03680a35bc5f3d6d6ca9259a5830dc2ffb47fd27b12426deef2ebbdb33bc2e3fb56c3c6dfbe3202501ad8bc12bbe9497722bab8278291c8cc

C:\Users\Admin\AppData\Local\Temp\sgjulejf.0.vb

MD5 556472f96ba0a829d9cd7592411c2347
SHA1 a2fae1bb654469d975926c75b9635a169a80c76b
SHA256 6589cfed04466d3dc448361f54572309a731aa8d54aacf50aade28c0f9225679
SHA512 a938b6b875dd8be3e942cb4c9939f7718ef930d1feddba516070fc5a308065e8c7ebe7ebd606e3fcf61d25a06d9197b3285043f85dd7c69b072cd9daf90f414a

C:\Users\Admin\AppData\Local\Temp\vbc242.tmp

MD5 3ea71f08d9ecaad5d91ef675c333e68d
SHA1 fc7b47ccdee042f88ce0b83188a65dbfe14403b5
SHA256 19b095eec85ee85b484bee4630f38f2a0966e289761fe2773be9f24ec67dd5cb
SHA512 99111f95e59e03cf379f49e63035b81f0402ad080c1a7ff21f4fff4aa3e1b8102a623e8ce02c75e8ac9c9884c558ce3ac9174e6fa680c57f92d47de3f143f4ec

C:\Users\Admin\AppData\Local\Temp\RES243.tmp

MD5 a54f02d7382bff4e952f9fd38e178a2c
SHA1 3e1dcaf1c6cce2c40578eb1e6808e7da794a2839
SHA256 45c8299a6ed3625d77e592a079ab5a487e0aa70af1568a3d9869aced5e037c59
SHA512 66141e2da2d5284b572194aa89104411ef80b3789d57b2ac713921768129602e909350a2e52095eab8d29c642c94d0c504491fbd53badd43d740e84976b23699

C:\Users\Admin\AppData\Local\Temp\baws217c.cmdline

MD5 5c6f8a0cfa8dd6564bfef3b66d403158
SHA1 c811c3c19db9e10924ba76f09a4b487eb465b44d
SHA256 06f308ad985d95dcaf59435980281456cbecf1565e8be6fe80756b6101e37463
SHA512 9a26bcdcb81ccfb3660432ad3732ba043e35175c68b4524c0f2c94fbc23edbb61c6520fc4f3f695af7bd7fb49552b44a04e2b2432adf77a8435dd123dd59e9eb

C:\Users\Admin\AppData\Local\Temp\baws217c.0.vb

MD5 1f417cddc94c64fd41d1b03233e3d717
SHA1 a975afc240e01942f2cb9291b330a54978478676
SHA256 f357af7974b441bd08fa7681276f3881b79a707bf06473cf3ed83e6fdcfb7dc6
SHA512 1cecfcda35fd60e407d990523c09c082426e692b8967588b4c5d7a8e8b62cd19dcb5aa1a9b0f1a648d578506009bccda57b4748fa4698922d001cf8dafb7de92

C:\Users\Admin\AppData\Local\Temp\RES34C.tmp

MD5 a2b43770abb02db2c44f1b944aee65a4
SHA1 3d688b9430e6c84c210ba22dad925b550049b1c2
SHA256 3cde4b5f1586b60546aad0c3d9cea3ed40b418dd5459cee25e5b3ce34292eacd
SHA512 5a881a54966fef02d1d21cbb2de136d738feda1673828a4c08ae7774cf142170a7c85f268ee20604ceef019fcad157f69f879ea37ed3f51cfa223d0e75c08713

C:\Users\Admin\AppData\Local\Temp\vbc34B.tmp

MD5 0d0d6ed11d344375bb5f36f73d7e7d13
SHA1 e98e0cac9032acfc45b0b198d6d49d04a0fcefad
SHA256 896cfead95deca64f70e1f6d2c14dc7d36b8ece6a3cf715ccc09cd27797a2a86
SHA512 3111490956a85b21e161eeee31ab7f7fe37e8c1981576b70952ffd5e176b1c51bf1e7da8499bf9bf475f3bc8d94ee8ca461e4d449e4b07ffc879c5c0fe43eb4c

C:\Users\Admin\AppData\Local\Temp\qu4_ayd1.cmdline

MD5 6fadad7e737b319faab7add39ca2fa82
SHA1 b7150f302b289d723921947a9599da828aac5837
SHA256 353b8200610b9af9791ab457e884ac7ced72ffec8c794937990f484c43375fdf
SHA512 8750c7e65fe273a6afa32a0c25ac6643410dedeb7786efd1d9ee50495b1af528c5e43390f84408a8b54636f2f79d0aee54d755903f5aad9d97c633f28673ca2f

C:\Users\Admin\AppData\Local\Temp\qu4_ayd1.0.vb

MD5 31fc52bfcb5cf9a12d52b79c7dceaf11
SHA1 ec19379305a8404d3c86adb65782467d1c9c3b38
SHA256 2b2c31fe62190c52b62ece3e29a19af2309832922d627abd7b2900eab548c19e
SHA512 38679030edebf6272eb04b0ef9b0b432eef26b23e7c6a517518db3a15ba40bd33eba33835a5cafba2a9fbe73c90ba964cb6bcf375ae6a84dc75693008a8da627

C:\Users\Admin\AppData\Local\Temp\vbc464.tmp

MD5 e6c60ba9b4fd13ac52f6b57ead9650a0
SHA1 d21772c045803b49002066829c675c5be2e37dcc
SHA256 473f21d49c26b2a13798ba62741c565f0f32c25e49fc3b38244d303d01f946bc
SHA512 af86bf7105190630729f567362a93c34625b91af7844d6df27670beac7be6f948e462d88e3438a0ce467a62a8375eacdc455f13e201fc9db1dabe3cf413c1da7

C:\Users\Admin\AppData\Local\Temp\RES475.tmp

MD5 a4987b0e385f10434c9e5a187eea8f93
SHA1 773f5fd1af90debc6b7c9ee17ed43196555f039b
SHA256 e0f53e2b47b9fa36fa96b77c79d1035154375d19ef863e7166dbf1182a745b23
SHA512 24b5fab08cb6bfd7ec3b1f665d5c5f6597bdb03bd39ebc718f0e136c67bcaf2687b4ac4b79490da2baaf8a07137272c1f12474be5fbb76511c5eb34d00e8032e

C:\Users\Admin\AppData\Local\Temp\zuas6fxt.cmdline

MD5 4b74b3604058bf574def2ef4aa52913e
SHA1 de31424e904b47eb84cbd82700bcc86d907fea78
SHA256 5be09322d97fb190b13edbf9944bbce965f1f30ca68292d2678d70cd28440d31
SHA512 1df863374111eb68ecece45e82f50b428f79f2e6ca44e16e420a57f8e355dc54febee46cda0133be32cecfbde3b0a03915fda99add9706ce114f026235c3955f

C:\Users\Admin\AppData\Local\Temp\zuas6fxt.0.vb

MD5 1d051ff4cd0a27121e93aeb23d1df6ef
SHA1 4c66c8113b537573b9e54193605009ef612d0ee9
SHA256 c052ad284c34c0af73d878521251ca7bad9a390e5e7e3b2422dc0f5ca86f4b82
SHA512 501b5eb718214634c3386ad9a6df7dd48d9a75d4ecbdc2217d1e785e04e725d899a173b06354b21abb16e976e98a1869792cfa1618069090005425bf9472bb38

C:\Users\Admin\AppData\Local\Temp\vbc56D.tmp

MD5 3c6dff42b6144277ccd0f823e1792790
SHA1 261efd8b74fe00e4630f52b3273f412ded3428d6
SHA256 a6d25d650e3cc9ee7c407b971a9e5d3d02583e955d58422721dc9354d33fe47f
SHA512 7ee1aa029ba06c93f06cc8f99f569a18d53b8569fcc57c8aa170ed185a82ed5cf1ec9052b6060c5302a62a20ac8a54ec11b4479002d2bacff41cdacdcb4f87ba

C:\Users\Admin\AppData\Local\Temp\RES56E.tmp

MD5 16386aa92e597fa9af0d1bf2c5615bb4
SHA1 72a49771961ff16b05944b21da8c8d57941d742b
SHA256 8d885ee8fd3863ac92547ca66a0c4510a7ad1b37de46676da2f818d8ebbc4dbb
SHA512 480d774956c7d36b4381cfdcc888bb5f6eb6d3c9e9c9a64168c7c03339b13a3892f9f274a26fd9c2a8dde73628b8a50cd4978cce384896534a8212e3f925be01

C:\Users\Admin\AppData\Local\Temp\xqtxeq4u.cmdline

MD5 35d72145d4946aebfb0265f3107e12d3
SHA1 0c4bb213e384e758d8f33424e7990054ec52e5ce
SHA256 4d40b8068aaccdc4aec18cf3c2be4eb85b5059cb3d2c425513850aa175e22008
SHA512 1ab7bacf913dc027b383d023b81c6c1fa143d406eefb39d4f633123935cc5a3ed4242df8ed313723bd4a2d9648ba96358161ed4d288f1c1e4631baf16cd013cd

C:\Users\Admin\AppData\Local\Temp\xqtxeq4u.0.vb

MD5 70829c1a9fba55df73e0bb03cc02dfba
SHA1 e0eb831dfee7c9daf3856af584d62c4cb202e852
SHA256 70274ebc993bc093082ff93802e33a7107df02aee8d392fe723459d31bba7fe0
SHA512 47eeac79275c292076c22348179543e3e3aa26c51c759d72c42362799437a761dc7707640b3634572b0c1e80b64fd82feae271ed45e06794976278a51252433a

C:\Users\Admin\AppData\Local\Temp\vbc619.tmp

MD5 cc9595f1554e79f85e023a31a6bb98bc
SHA1 d8ab7ff6fe9ae1daceb434627bb4e7a88f169cf8
SHA256 8d884a110f5e0763ca8cc798d1e5c16d61bc2f7610ccefc9d60aa63931ccce71
SHA512 d03881577ca1144bcfb7bfe66794068984beca6e9af893ef3093fca860fa415f43ceb9529a6db1b46fd99e61db43f62cfe897caac0a2319bcb1f9826f2b54096

C:\Users\Admin\AppData\Local\Temp\RES61A.tmp

MD5 bc6eaa42a582a9b25d0ffba56820e9dc
SHA1 8c904c785a8db2f8086fd022cc2906ce3ce4c53e
SHA256 68a9d2be4eaaf29f8a90cf1b8775096bea6588f978f939e24214552007784889
SHA512 266edadd5c1e37727ce5ea924d48c54ad43e70ea7f7e68d3b173ba425c22dfa666226b56cdd6e2d10fe5b4f254da8f7b4547fddacd957901bedd7aad532fe571

C:\Users\Admin\AppData\Local\Temp\ng7d7khr.cmdline

MD5 da3a1d923cbdfd7f8312c025d312b737
SHA1 040c5ea1d41d47a55e863d385e57ee7989c15afb
SHA256 7bb17e5cfaf83ae220c9aa7f15ff1b6d5f6fe7834cddbae4cee1f10fd1fa4a33
SHA512 cd8f37d04e93076ca4255df9356cd8433be99fab856843f67353ba1009cc4f8d5e58f5d437ccd311d3756db1da05cab4b9f29b03483f8e366f53d38a90a5be44

C:\Users\Admin\AppData\Local\Temp\ng7d7khr.0.vb

MD5 adaa061d082a7b86bc1f959594a01eff
SHA1 9398852f8cfe36144a64ccded6b7775acdce59a9
SHA256 99391f66edd6bcddcc4c1f156572f4d193538b6e42793cf0694c97f02d6efc9c
SHA512 fc51f77ad8634b2a7512b76eac8cea3be9e04c5ff59b1fdedb6c0e99c71b7d4a5128b6f72fb217a8e7925371b98e0c94bc228c504125ae08cd3bb9daa26e6186

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

MD5 6663483929f325b3fe2f8a351787aebf
SHA1 eaef70212f2f361a3167340d7c76e07246f1e427
SHA256 cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42
SHA512 12d51bd6328fd6a7572c97fdd3ac7b5d74dfd1379d5553f890af6c5a2effa65c61ecb78588fddac239881391ed9e2831f65a6f70e83a7047b980bcd4cb501eb9

memory/1736-372-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2752-350-0x00000000708D0000-0x0000000070CDB000-memory.dmp

memory/2752-376-0x00000000704C0000-0x00000000708CF000-memory.dmp

memory/2752-377-0x000000006FC50000-0x00000000704B4000-memory.dmp

memory/2752-378-0x0000000074230000-0x00000000747DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcAE68.tmp

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
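
Two things in the file listing above are worth pulling out programmatically rather than by eye: the Client.exe written under Start Menu carries the same SHA256 as the submitted sample (cb9bb33d…5f42 in both places), so persistence is a straight copy of the RAT rather than a second-stage payload, and the Temp artifacts come in <stem>.cmdline / <stem>.0.vb pairs that are the inputs to the vbc.exe invocations in the process list. The block below is an added example, not part of the sandbox report: it parses an excerpt in the listing's own layout, checks digest lengths, finds dropped files that are byte-identical to the sample, pairs the compile artifacts, and collapses the repeated memory dumps per PID into distinct regions. The excerpt is constructed from entries shown on this page; the memory-dump line format is taken from those entries and is assumed to be stable across the report.

```python
"""Parse the 'Files' artifact listing of this report and correlate it with the sample.

Added example, not part of the sandbox report. LISTING is a constructed excerpt in the
report's layout: a path line followed by MD5/SHA1/SHA256/SHA512 lines, and memory dumps
named memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp. Digests are copied from this page.
"""
import re
from collections import defaultdict

SAMPLE_SHA256 = "cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42"

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
COMPILE_ARTIFACT = re.compile(r"\\([^\\]+?)\.(cmdline|0\.vb)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

LISTING = r"""
memory/2752-4-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2752-9-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2720-18-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mxl0ello.cmdline

MD5 f89f170abb133de528bcc0aa5aad6f18
SHA1 f848f36b176395defeb912e92b05b028dbd8541f
SHA256 8ae79a59ab41bb3057be1936a801d7b275fbad651a6153b06b8b210ed95d3459
SHA512 8957ef72d2c314c79955c232a61b554bd484ec69135e45d5e962c1a8f8d7016e1a220f76ff22c9f7c32b843bf7b42b0d01caf11cfddb5d3840ed5a9f40deccd5

C:\Users\Admin\AppData\Local\Temp\mxl0ello.0.vb

MD5 3c88d0389da097789f854d19e5a6851c
SHA1 9e0f6bb3a576bb0eaf7fa1384018e57b50401adf
SHA256 b0c7beac256055e2a91713ef20ab4bc9eb5785e2a7cd30f64ab95fe37ff4d60c
SHA512 92799b8e42dd602cb9686820bc75136e26f2f356a731c23e3a3c5d9f65ff0b2325666aebd1f34f4ebf240eb047a11e9a37751f3fa3e30264738e6c113f8d9ead

C:\ProgramData\Index\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

MD5 6663483929f325b3fe2f8a351787aebf
SHA1 eaef70212f2f361a3167340d7c76e07246f1e427
SHA256 cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42
SHA512 12d51bd6328fd6a7572c97fdd3ac7b5d74dfd1379d5553f890af6c5a2effa65c61ecb78588fddac239881391ed9e2831f65a6f70e83a7047b980bcd4cb501eb9
"""


def parse_listing(text: str):
    """Return (files: path -> {algo: digest}, memory: [(pid, start, end)], warnings)."""
    files, memory, warnings = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:
            memory.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            current = None
            continue
        h = HASH_LINE.match(line)
        if h:
            algo, digest = h.group(1), h.group(2).lower()
            if current is None:
                warnings.append(f"{algo} digest without a preceding path: {digest}")
                continue
            if len(digest) != DIGEST_LEN[algo]:
                warnings.append(f"{current}: {algo} has {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
            files[current][algo] = digest
            continue
        current = line  # any other non-blank line starts a new file entry
        files.setdefault(current, {})
    return files, memory, warnings


def self_copies(files: dict, sample_sha256: str) -> list[str]:
    """Dropped files that are byte-identical to the submitted sample."""
    return sorted(p for p, h in files.items() if h.get("SHA256") == sample_sha256.lower())


def compile_pairs(files: dict) -> dict:
    """Pair each vbc.exe response file (<stem>.cmdline) with its source (<stem>.0.vb)."""
    by_stem = defaultdict(dict)
    for path in files:
        m = COMPILE_ARTIFACT.search(path)
        if m:
            by_stem[m.group(1)][m.group(2)] = path
    return {stem: parts for stem, parts in by_stem.items() if {"cmdline", "0.vb"}.issubset(parts)}


def dump_regions(memory: list) -> dict:
    """Distinct dumped ranges per PID as (start, size); repeated dumps of one range collapse."""
    regions = defaultdict(set)
    for pid, start, end in memory:
        regions[pid].add((start, end - start))
    return {pid: sorted(r) for pid, r in regions.items()}


if __name__ == "__main__":
    files, memory, warnings = parse_listing(LISTING)
    print("self-copies of the sample:", self_copies(files, SAMPLE_SHA256))
    print("compile artifact pairs:", sorted(compile_pairs(files)))
    print("dumped regions:", {pid: [(hex(s), hex(n)) for s, n in r] for pid, r in dump_regions(memory).items()})
    print("warnings:", warnings)
```

The digest-length check matters when the listing has been copied through a renderer that wraps or truncates long hex strings: a SHA512 that lost characters would otherwise be fed into blocklists silently. The region collapse shows what the raw listing hides, namely that PID 2752 was dumped again and again at the same 0x400000 base with a 0x22000-byte image, which is the shape of one injected image being re-captured as it changes rather than of many different modules.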

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 02:47

Reported

2024-07-29 02:51

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe"

Signatures

RevengeRAT

trojan revengerat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Client.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3036 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3036 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3036 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3036 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3036 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3036 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3036 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5040 wrote to memory of 4984 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5040 wrote to memory of 4984 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5040 wrote to memory of 4984 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5040 wrote to memory of 4984 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5040 wrote to memory of 4984 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5040 wrote to memory of 4984 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5040 wrote to memory of 4984 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5040 wrote to memory of 4984 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5040 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2068 wrote to memory of 3764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2068 wrote to memory of 3764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2068 wrote to memory of 3764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5040 wrote to memory of 3828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 3828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 3828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3828 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3828 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3828 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5040 wrote to memory of 4944 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 4944 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 4944 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4944 wrote to memory of 4176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4944 wrote to memory of 4176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4944 wrote to memory of 4176 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5040 wrote to memory of 4112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 4112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 4112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4112 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4112 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4112 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5040 wrote to memory of 3992 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 3992 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 3992 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3992 wrote to memory of 2968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3992 wrote to memory of 2968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3992 wrote to memory of 2968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5040 wrote to memory of 1416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 1416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 1416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1416 wrote to memory of 3996 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1416 wrote to memory of 3996 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1416 wrote to memory of 3996 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5040 wrote to memory of 2388 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 2388 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 2388 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2388 wrote to memory of 8 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2388 wrote to memory of 8 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2388 wrote to memory of 8 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5040 wrote to memory of 1112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 1112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5040 wrote to memory of 1112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1112 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1112 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1112 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe

"C:\Users\Admin\AppData\Local\Temp\6663483929f325b3fe2f8a351787aebf.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b2-nld4c.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES317B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD7AB08615EB4ADCABA96D2DDAF7EAC.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pc1w0wp-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3350.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B6EC76131F64763B0D12D206B6C59F3.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1w2qbmnn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3534.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE725E161F1CD4A5B8FCB825ABBA4BF6.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kpbkdbmu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3709.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84C2882321124A3DABFA53F12044AB60.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svzrl46r.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3841.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B41247C813B4358A6D197D794C6B66.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ierwr8gv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES391C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE7150794B1940609725410E3EF819.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\21igad1k.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28CD100A7E524B478E30503EAD38A1DD.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m2y-ltgj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D4B693AA95748C586E45AF285414629.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gompkqz3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE99B89A347E46B7B98EA0EB3F11DD27.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mht1dgqp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA714752B29F84D44852F59E47792DB84.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3-vqazz9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES411B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18948C7D8B5D4D21BE3F8A368BF9466.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmoiywih.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4282.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF3A375DBE8140C08B1E716928769419.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ppkddeba.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4457.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA3406FE7D0742DDA87975516E11573.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-a-pc0qt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75B2BCAE3BDA4FD88FD77022ECCC21E9.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2uwjffhm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4755.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41C049695FFC4C8EB617781B3C8CB040.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ugzqa2vr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45EB53A7E5F439BACF735A96CF164ED.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j8sm945k.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CD3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B82695E1AED49E89A7A1E3BF16BDB1E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvka9nb8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D20B76C3DDA450AB5AC3FCE5B187D74.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sjgjvi2h.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5758EA6F44E94B878CA5BCEBF537CF80.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\22zgzoxh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5196.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc550788CBBCD64100A5758FFB5E5502.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d8rjtw-b.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES536A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F92F6A2A700495F92244D1D24F1ECC6.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a1eibwja.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES558D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50BF2C1DCC4244C992CBF38C3DB9B5DC.TMP"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wa6nad9d.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC4F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC9F98485F404C48878730EDBC726C25.TMP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e1mf3dkm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6EDF9363A5EF43439190F24F731AF6.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ru0dfb6r.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF4D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB652275E1AF34C2A8719AE836FD36DFD.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-fmnwt9y.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF056.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc422123B1305C4942A893BD196E94BF63.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\guiibvam.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF18F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB39BD9E9FB0E4DBABA9B8E38C27F60.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n1s5kzuv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBE80DBC2E954D68BA91ED173DC6E7C9.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eoc0lyrr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc480ED55BB27341F69B7A7965445E31E4.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0xmoxs9z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF548.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1334FDA1F2FA4E6698CEF66FA07311BF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kqtghfx7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF661.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD58F4E3AB95541F6A49581AF6C87AA51.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q1mhosfq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF79A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE02DCF43F8F843B692EF824267AEA590.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gzq18nbc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF911.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA915926939B4262B7116E355041861.TMP"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.125.102.39:8848 0.tcp.eu.ngrok.io tcp
DE 3.125.102.39:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.158.249.75:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 18.158.249.75:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 18.158.249.75:8848 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:8848 0.tcp.eu.ngrok.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\vwfRtNH.txt

C:\Users\Admin\AppData\Local\Temp\b2-nld4c.cmdline

C:\Users\Admin\AppData\Local\Temp\b2-nld4c.0.vb

C:\ProgramData\Index\vcredist2010_x64.log-MSI_vc_red.msi.ico

C:\Users\Admin\AppData\Local\Temp\vbcDD7AB08615EB4ADCABA96D2DDAF7EAC.TMP

C:\Users\Admin\AppData\Local\Temp\RES317B.tmp

C:\Users\Admin\AppData\Local\Temp\pc1w0wp-.cmdline

C:\Users\Admin\AppData\Local\Temp\pc1w0wp-.0.vb

C:\ProgramData\Index\vcredist2010_x64.log.ico

C:\Users\Admin\AppData\Local\Temp\vbc9B6EC76131F64763B0D12D206B6C59F3.TMP

C:\Users\Admin\AppData\Local\Temp\RES3350.tmp

C:\Users\Admin\AppData\Local\Temp\1w2qbmnn.cmdline

C:\Users\Admin\AppData\Local\Temp\1w2qbmnn.0.vb

C:\Users\Admin\AppData\Local\Temp\kpbkdbmu.cmdline

C:\Users\Admin\AppData\Local\Temp\kpbkdbmu.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc84C2882321124A3DABFA53F12044AB60.TMP

C:\Users\Admin\AppData\Local\Temp\RES3709.tmp

C:\Users\Admin\AppData\Local\Temp\svzrl46r.cmdline

C:\Users\Admin\AppData\Local\Temp\svzrl46r.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc8B41247C813B4358A6D197D794C6B66.TMP

C:\Users\Admin\AppData\Local\Temp\RES3841.tmp

C:\Users\Admin\AppData\Local\Temp\ierwr8gv.cmdline

C:\Users\Admin\AppData\Local\Temp\ierwr8gv.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcBE7150794B1940609725410E3EF819.TMP

C:\Users\Admin\AppData\Local\Temp\RES391C.tmp

C:\Users\Admin\AppData\Local\Temp\21igad1k.cmdline

C:\Users\Admin\AppData\Local\Temp\21igad1k.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc28CD100A7E524B478E30503EAD38A1DD.TMP

C:\Users\Admin\AppData\Local\Temp\RES3AA3.tmp

C:\Users\Admin\AppData\Local\Temp\m2y-ltgj.cmdline

C:\Users\Admin\AppData\Local\Temp\m2y-ltgj.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc3D4B693AA95748C586E45AF285414629.TMP

C:\Users\Admin\AppData\Local\Temp\RES3C68.tmp

C:\Users\Admin\AppData\Local\Temp\gompkqz3.cmdline

C:\Users\Admin\AppData\Local\Temp\gompkqz3.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcBE99B89A347E46B7B98EA0EB3F11DD27.TMP

C:\Users\Admin\AppData\Local\Temp\RES3E1D.tmp

C:\Users\Admin\AppData\Local\Temp\mht1dgqp.cmdline

C:\Users\Admin\AppData\Local\Temp\mht1dgqp.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcA714752B29F84D44852F59E47792DB84.TMP

C:\Users\Admin\AppData\Local\Temp\RES3FA4.tmp

C:\Users\Admin\AppData\Local\Temp\3-vqazz9.cmdline

C:\Users\Admin\AppData\Local\Temp\3-vqazz9.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc18948C7D8B5D4D21BE3F8A368BF9466.TMP

C:\Users\Admin\AppData\Local\Temp\RES411B.tmp

C:\Users\Admin\AppData\Local\Temp\bmoiywih.cmdline

C:\Users\Admin\AppData\Local\Temp\bmoiywih.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcEF3A375DBE8140C08B1E716928769419.TMP

C:\Users\Admin\AppData\Local\Temp\RES4282.tmp

C:\Users\Admin\AppData\Local\Temp\ppkddeba.cmdline

C:\Users\Admin\AppData\Local\Temp\ppkddeba.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcEA3406FE7D0742DDA87975516E11573.TMP

C:\Users\Admin\AppData\Local\Temp\RES4457.tmp

F:\Index\Client.exe

MD5 6663483929f325b3fe2f8a351787aebf
SHA1 eaef70212f2f361a3167340d7c76e07246f1e427
SHA256 cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42
SHA512 12d51bd6328fd6a7572c97fdd3ac7b5d74dfd1379d5553f890af6c5a2effa65c61ecb78588fddac239881391ed9e2831f65a6f70e83a7047b980bcd4cb501eb9

C:\Users\Admin\AppData\Local\Temp\vbcB39BD9E9FB0E4DBABA9B8E38C27F60.TMP

C:\Users\Admin\AppData\Local\Temp\vbc480ED55BB27341F69B7A7965445E31E4.TMP

C:\Users\Admin\AppData\Local\Temp\vbcD58F4E3AB95541F6A49581AF6C87AA51.TMP
