Analysis Overview
SHA256
4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9
Threat Level: Known bad
The file Client.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
RevengeRAT
Revengerat family
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Drops startup file
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 06:43
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 06:43
Reported
2024-10-12 06:45
Platform
win7-20240903-en
Max time kernel
136s
Max time network
118s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Windows\\SysWOW64\\xdwxsvc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\xdwxsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2676 set thread context of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 2784 set thread context of 2684 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 1048 set thread context of 2044 | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 2044 set thread context of 2312 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 1028 set thread context of 2600 | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 2600 set thread context of 2464 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qubiz-jb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A3A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B04.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axpxq4fe.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B72.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\chvgxcz8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BC0.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjdjz-yr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C1D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ztnntzbc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C5C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tzn9l15j.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C9A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sd9ogfvx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CD8.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2c1gn2mc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D26.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bs08pe6n.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D65.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ftsuzobj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DA3.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t83y_h18.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DE2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c_2vurs6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E20.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\su9ag85i.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E5E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irlqn-om.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EAC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsgr8oyq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EDB.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\709u2uyi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F48.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g8o055_j.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F77.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0zxt_49g.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FB6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oflv9zwi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FF4.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqauhnad.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5043.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5032.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cbykn1jh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5072.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5071.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nli_wudf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50AF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xsfy6nxl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50EE.tmp"
C:\Windows\SysWOW64\xdwxsvc.exe
"C:\Windows\system32\xdwxsvc.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vkd-avtu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA85.tmp"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Windows\SysWOW64\xdwxsvc.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s4qmnjhb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAF2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wyogckhx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB40.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hhx9u9k.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB7E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\asgduvbq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBCC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\src9qfox.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3o_y6zg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC49.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2xiepvym.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCA7.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\04pzcdfe.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCF5.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o4ggnr-h.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD33.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q_4_6ern.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD72.tmp"
C:\Windows\system32\taskeng.exe
taskeng.exe {9F64EF28-2C35-48AA-8FE5-C4BD04C256E6} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
C:\Windows\SysWOW64\xdwxsvc.exe
C:\Windows\SysWOW64\xdwxsvc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\PtYBxGg.txt
| MD5 | bfbee1ccbe6981fafb1c7bff99680882 |
| SHA1 | 3866c915b8a7e0592f8728c89faf6bb4d5ecf002 |
| SHA256 | 74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235 |
| SHA512 | 6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e |
memory/2684-30-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2684-22-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2684-24-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2684-35-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2684-33-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2684-36-0x0000000073FE0000-0x000000007458B000-memory.dmp
memory/2684-37-0x0000000073FE0000-0x000000007458B000-memory.dmp
memory/2784-38-0x0000000073FE2000-0x0000000073FE4000-memory.dmp
memory/2784-39-0x0000000073FE0000-0x000000007458B000-memory.dmp
memory/2684-40-0x0000000073FE0000-0x000000007458B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qubiz-jb.cmdline
| MD5 | 348c70be41288cb87ec5f2001317611d |
| SHA1 | a096e559336ca0370f3255add236da4a23b2fe3d |
| SHA256 | 5db9a82c9fa12da1eed274b712c86e5c6702e0a3feedb9d67c3e6bcb27bcf628 |
| SHA512 | 03fa7bb9ecaa379c3fbff4725bc001125c138513ee19b6c73b5373252987a55f009d76a54908a58a4aa1002e08a1d12f475d85b3042f428a17e6cd56a3cfa023 |
C:\Users\Admin\AppData\Local\Temp\qubiz-jb.0.vb
| MD5 | 28dbf7030dad11a54e1d95dd8eb45a98 |
| SHA1 | 4927487b557da799c952ea1abad44b9525d63eba |
| SHA256 | 0e0c4d33367405357ea78d211caab35b4ff3319b1f446108623439affcb07069 |
| SHA512 | 1c38394109665bd782863c5f45257d756187310a51ad430e280fc5cb506afae982d9cce31ed5e6f2e98fca0f2a87d30ec03cb435a985e6013e12bfbb974795d5 |
C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbc4A3A.tmp
| MD5 | f56ec8e7b27ab7433cb0c35ab2df265a |
| SHA1 | ef1fece3dc9681f2b11a62101ef152b4e164b4b0 |
| SHA256 | 407fc6c2b744b259474a155aec45b829c3bf0d8b5ddf59535ffcdbec6efcd219 |
| SHA512 | cafb3b9f7dff59f975bd49375750aaf15261be2ef4b9c9ccfe0795acacdfe2d7930908bc90375fa72154d79548cc0e61f216c9d0ba4a784f3e7e9fab50bfba04 |
C:\Users\Admin\AppData\Local\Temp\RES4A3B.tmp
| MD5 | caf89b10dee8f92c4c96032f61d61b97 |
| SHA1 | a3b3be544946d2b600c4968ba7e4627f273a2475 |
| SHA256 | d7f5e6041803e853a8a393618bb05b94406a75b6197ae6f38b24ef27680d4444 |
| SHA512 | 263e45c17c9230462a2fb0b41a049930fad92cf68794e9e5d27483e72099460442d4a31aecc77f16a4af2699fdbf477b52c0cf5723c85ab6722f0669fa54ee00 |
C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.cmdline
| MD5 | a1430987517c8a53c2e43c71b5f57761 |
| SHA1 | 2f90dc39a4d510a70fdacf3f61238ca9217e6a85 |
| SHA256 | 5d3d8671752fb1c97a4dd031768ab63e4d0b077f3d5ea0e88981bda2149e0d2a |
| SHA512 | 4b57323f3d380d756bb642eede6da06d77edbcddbeca79192a3117858c5f8c11e35d7018b930b06c5d5239c4af116583bc493e6ea53727a837425553a2585010 |
C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.0.vb
| MD5 | 499edc4bf130416dc86893476a708eed |
| SHA1 | 8a3b1172f2ea07a3adfe73d66cafb94856e75c89 |
| SHA256 | dc059da9a83a450a3483e04dfb48bc2e208ab4bc4d9ca99119da5f0ca2059e0c |
| SHA512 | 7488b5d4140aba56e2814b599e0c16964f3359c8a7dc84a853169efb0a92c8fcea97f51c9e5977e4168b8e1a8ec85e9010da3c7684f8a7d4b510075d49652e1d |
C:\Users\Admin\AppData\Local\Temp\vbc4B04.tmp
| MD5 | f54e78018bff2fc0bc9629b248a209ca |
| SHA1 | 9ea9c37302a3f701ae4dea00a597ba3a6177cffd |
| SHA256 | 6fadcaf1b2bc54e4edc44c50341571c439f76bacee7545b9af51bdfcdd1b334b |
| SHA512 | 4e1a55bb988eddc4ffbb9ad568961701eea4e8a5f505562869a197daaea6e7b66b2f502b2ab99222e7ee57066de04cf7b12131c0e17247e94d157b29074353d0 |
C:\ProgramData\xdwd\vcredist2010_x64.log.ico
| MD5 | cef770e695edef796b197ce9b5842167 |
| SHA1 | b0ef9613270fe46cd789134c332b622e1fbf505b |
| SHA256 | a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063 |
| SHA512 | 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f |
C:\Users\Admin\AppData\Local\Temp\RES4B15.tmp
| MD5 | 94511ea5d02bcacb24980a5548ad2e7f |
| SHA1 | 1bc614d9ed8cd6d08ebdba01d25d7402fd5284e0 |
| SHA256 | 71ff61a8315fcb1f3060b110f8e88a326adae5418e12760b6ab24c91a8b12d9c |
| SHA512 | efc375550b19df467b81a0c4385c5143cdb4cb56137571169062f2ca8c624673f6debf6d1d995c2e07cb4cff2745d64edc8c619370b870259ba160ce5a5b1f6a |
C:\Users\Admin\AppData\Local\Temp\axpxq4fe.cmdline
| MD5 | d106a10faab8e842023b83a502d66ba2 |
| SHA1 | 8dc42848b0ca97d92b148c0f79721d17e052d16d |
| SHA256 | 7af7673857dc610cf052692d0b68c2cca3626bfccb5e0508843307f02532dea4 |
| SHA512 | ef62774e41e6e03580f34f95b2c1621ae94b1cf37c0c131d116e0ac7334e4eebc7803980fe4172b53a7df9dc060459e8390d1c630ece5b307c05312fcae0e4c6 |
C:\Users\Admin\AppData\Local\Temp\axpxq4fe.0.vb
| MD5 | 6d6736464a399fb3f33dda2efd7833e5 |
| SHA1 | 0fa9412d9f0586cf5e162b8335e08966b0439c4d |
| SHA256 | 60ad43b63d891185bc44b19b63c636dcffe24f11a5b982bddd78b7d4b36b01f7 |
| SHA512 | a0aa1b1e61358febc57bcd455b9dbf16199c2d18c2f43247f6c784b86d1b2e74b0b406339e49486156361d55fc96f5937de412ddf27016bc68da9fcd19ec50ef |
C:\Users\Admin\AppData\Local\Temp\RES4B82.tmp
| MD5 | e7e8fcbcb342a446af66c708076c0a9e |
| SHA1 | 6288f5ab7b1bb4b15dbb37c838b256108cedb34b |
| SHA256 | 48e5da0c97dde3a15aeff275fc24118599ac2c08e4f6364a1beb18281941eacf |
| SHA512 | 4f526f7b25f138cb844d5bf493448d7a1603e6b6a7599a1a9d264f171900d0e6f91ab0abf76481680432b864427492e1405862a6a458488d826d609ed95d99c7 |
C:\Users\Admin\AppData\Local\Temp\vbc4B72.tmp
| MD5 | 7d0b309b813eb9e157d49841eaf90e46 |
| SHA1 | cf12385a908b6830fc611d2ff66e22ad2e9331ef |
| SHA256 | 79c0c1ae5a7941637006b31a3e91ac04cac7f810e7960a466bc7d4ef5f72d268 |
| SHA512 | 732dc5db7d74c62fd85e72ab22fee6f4f4113bcad44363e787a7f4b9bbd627d5caf83c4925d8937a5a6d41cf535aaa1d3ad50c3c004805342e8f0bc5160cc102 |
C:\Users\Admin\AppData\Local\Temp\chvgxcz8.cmdline
| MD5 | 6bb1311cde344117b41ae1388e4af0d4 |
| SHA1 | 2d5d78b1d885d27967d9fc096490ed05871edbd3 |
| SHA256 | 7d720788f0983701a7cb5418713813bb581a2cd578c676895d95a671b09a0cdd |
| SHA512 | 16f2199b8aff5a0855c2e48ed0337bb1d860612a6bc8670d08a1b2a56568c4b85872eb431b4f51bc5585d6684aa6ddb87bacaff2daa9f6fab8c9f0f700b47047 |
C:\Users\Admin\AppData\Local\Temp\chvgxcz8.0.vb
| MD5 | 853b3577984f8d9536757122cf3fe4c1 |
| SHA1 | 99fa6df3e78b1edd2d3e8d4570e2049d8fdfc10b |
| SHA256 | 3097c64964242cbc2ecbc3313a0533b9eaaa17ee546fafae54a1c447410a0f15 |
| SHA512 | 28782107e46a49430b9f8ed402d3c440847a6faafac8b0862c378bcce39bacea7eaf6ef0f61774ade52eaafd07e3f66c582bd80cfbd3d9b26bd2e08e0579b87d |
C:\Users\Admin\AppData\Local\Temp\vbc4BC0.tmp
| MD5 | 5fd6d1a9b0847da6b9838453b0fdc6b7 |
| SHA1 | 8e3242d283c175d435aa6b02105088a02e9032d3 |
| SHA256 | de6c26880758f6c0963edcc3caccb180e551bb871189946450088212cb798cbc |
| SHA512 | 0317a7e7f9f5510036e8534199e448ad49cd48c83695c8a25d6b3549f37bf0611c56039aebf634aec2764f27f1d637d0c9eba4f781145fce7978d8a1f7003bb0 |
C:\Users\Admin\AppData\Local\Temp\RES4BC1.tmp
| MD5 | 9e98088b9a30a3007fce446515b665d4 |
| SHA1 | fa0c73c1cb688dbdf9c92b1e3e7b4de026e712af |
| SHA256 | 974ce4345b4fec58735b4901382dd521f093f5ede099e8ca3765fc1bc0432069 |
| SHA512 | 805e349be57c9a21f5e54a0f6b789bfcbeb8d7e98a20d43a6becfc3fcc6446da486e02c55670199a6a6f4ddb94dde4a39f250692f6ab8c88150db8a3a7120d24 |
C:\Users\Admin\AppData\Local\Temp\xjdjz-yr.cmdline
| MD5 | 662f48f87889148a40bfcd9521933a68 |
| SHA1 | a0d925c94f740a53046af107b522e494ffac4177 |
| SHA256 | a4818d61476dc4ebe6fb926e21a576bfd510d4a61ca71c2475820a0ec201c119 |
| SHA512 | 74f6801ee146218559cb3504b807a41e631dc7e5b24230d13a85213a16ba07b30e853f3c4cc0f9e33e7425c4e0dccf7f132b027ca1c4f00882d88c1919b0b9c2 |
C:\Users\Admin\AppData\Local\Temp\xjdjz-yr.0.vb
| MD5 | 091b3615e797617cedc6807190f3da05 |
| SHA1 | eb4b5f559a401fda98716fec402b9e0fc782bb97 |
| SHA256 | 82f18b95d25ba46269c7d55018d021dcd1f200fd7b44a543799cdfa70785aba3 |
| SHA512 | f50c40c9ffb3800b9c134ed10af8db4acb76d10b4c6090e3db340196c1edec862210bea72dc078ca9d3a9ddfabed0661058a8719690bb205cba4a86984f37275 |
C:\Users\Admin\AppData\Local\Temp\vbc4C1D.tmp
| MD5 | c2a1f93457194362fe4bf107160c6444 |
| SHA1 | 8e5bdb11e19b0b86a80de288ba54640681ced4c2 |
| SHA256 | 6e5bed38e821244cee51b71556e4667392b0a398dcdf30e7f58c281b2bbfc31f |
| SHA512 | dec310d68906acc7cd8bc08d57d30440402f83996a75f5e38757c08b4a4967cdbfe23fce813a2ac5c75b36625e276ab3503473dbae212c24bd0eeeb89f6b2c83 |
C:\Users\Admin\AppData\Local\Temp\RES4C1E.tmp
| MD5 | 7e4e02ae5156e672603ccc3093d5cc9a |
| SHA1 | 9006c350a8db9eb2dd3d6cdba5b1e9f4961eb61e |
| SHA256 | bd6ee7089c6a9d53a92e8192fb2de990b3016982dac2d4dbc1d616d9a6deb337 |
| SHA512 | fc0e8b28d312ee0de857c63f14ead98d9f0163aebc9d00ee6646e9af3945e2f6b92e67e042a6566a229c2448120bac3867f94d2ef061f6aceaf33db3a8b6cdc5 |
C:\Users\Admin\AppData\Local\Temp\ztnntzbc.cmdline
| MD5 | 18683cdea5015cbf49ae865dd829acb4 |
| SHA1 | 77e124d1eda6e3cc2be4cfaefd7e50230256e5a9 |
| SHA256 | 439cbad6785ffebc89a34164a949a1add4cd2d1597e758476d5b67ea86adb779 |
| SHA512 | e9f316d3aa0ad89dcf130b03fe5fb12bbab88fc97d5a0daf059a28cd02494b09339c99696f9592f10a75c8957916d8add33a32913d5c01560904d17d13875d9c |
C:\Users\Admin\AppData\Local\Temp\ztnntzbc.0.vb
| MD5 | 9106ed4276c3b384571c45cabfa628c9 |
| SHA1 | ec931a66b8adb01af8b1d95610bf2b2d2f115ffb |
| SHA256 | 459e3a5cd1e0a1c69fc3fa7e216bd024b6dda79c1faff1ffb2aa70bad0eb5b29 |
| SHA512 | 108b2a6003d091ab855228b0d178ca0037fb10f7da4ec00a7ae381962476a1dc9be819c03eb7689677da59b9583cae39752f0a860c10729d75ab1182396267f5 |
C:\Users\Admin\AppData\Local\Temp\vbc4C5C.tmp
| MD5 | b378530cd26ba7d8b82d2d2d36586d7e |
| SHA1 | 4c77ec0a0ec88ae50a38e33142f9e6cbfadbfd34 |
| SHA256 | cb452c05710d2f19a69b02824389a0c0078ee2e7d8d797949f9684e09e8f238f |
| SHA512 | b76e7e5890723c3a7890cc70c14240fb9db62eb5177a0c079b9ec3f7a594a44795cf054d35e9127204348442c2df1833fba638c7da2eba60434eda23991dcf0b |
C:\Users\Admin\AppData\Local\Temp\RES4C5D.tmp
| MD5 | ef540f48ce5b165582929cfb91609697 |
| SHA1 | a3613dfc1cfd2253ed17c0befdeb04255f9ec4ac |
| SHA256 | 9c37e422cc8e11d991f3cbc09091947582f04d06f4a43cd2ace2e9dffe61a45d |
| SHA512 | 68d8dc5baa1a823370ef2833f89dd6867fd858c6b3ef32c1e85e6ad308a46326072a4f6b343f8c27c000f4dbc13b8c60ae4733b2e34b55850202488b9752dc65 |
C:\Users\Admin\AppData\Local\Temp\tzn9l15j.cmdline
| MD5 | b7d7dc70f3590e9fa2222d89da9ba6c0 |
| SHA1 | 1874c1bcfd36d52e03eaf8f7e9e8bf3d4ba2b92c |
| SHA256 | 7a51a39bd347eb3b5ab0561d26ec7750f0774936f36319aa3dd8811e5f05273e |
| SHA512 | c7e63d8df57fe77759331355135919084ab57303a37d471f5cae543e9c804454a001a38642f3ae8b9a770358857e7ba90dc4df66ad8b3f1ae2022670dd67a2cc |
C:\Users\Admin\AppData\Local\Temp\tzn9l15j.0.vb
| MD5 | 241d42a34175e7443e7787371469d3c6 |
| SHA1 | cd4ec5655235131bcf3e31da6822be8a154e006f |
| SHA256 | c0621ca644e71002899bb4b19caaa81045234b73f1883bdd9a5a1be3ce033b1c |
| SHA512 | 6feae60ba972cb315b259b8b3e4e576b4d5c8b8d5fb383612630d2858a3a76ab896ba70ba951d26c04393861b4f986a1c13dcbea1d22776facf303a8c264077a |
C:\Users\Admin\AppData\Local\Temp\RES4C9B.tmp
| MD5 | bfd3df4a8ffc807031bda118c89e9da3 |
| SHA1 | 9f7c291b1f53f19699a67eb17e30381ab110cd0d |
| SHA256 | f62a9ed36d2fc11042a4bca512b630887763aa5d97f7f5441e61899f596f5b98 |
| SHA512 | 7921554407cf33f46eb6abb5e3f604ab02f0431923093f5b79883195f471f07b1cf112033effacbdcf3d5df303bc266f8d0850a9185cd3828a360b8322426aa5 |
C:\Users\Admin\AppData\Local\Temp\vbc4C9A.tmp
| MD5 | 24012f4aedc51242dffddeb2c96fcec2 |
| SHA1 | 786792a49e6e344ab2b983f62bcc84ced2e70b56 |
| SHA256 | 33c1e2b5ffbf847ac72cc9a4e97551f24c42dfffeb03bf4b6f823fdd6e96cdcd |
| SHA512 | f30ca575ef65cd0ce63429e4976fdfbcd353fa1567496db1634483f88c81667452862c65eed4930da3ba6cb509a089322f32ef1598e37347ea49c9aeb7408b56 |
C:\Users\Admin\AppData\Local\Temp\sd9ogfvx.cmdline
| MD5 | 5ada34c839b36da4cce49664b6dcee46 |
| SHA1 | e51ac222cf1b2863d4ae0bf9f353913b8bae1ba9 |
| SHA256 | 6a85ad97002c37c99c48438d2f13c049392baf180b7d97ce6af908619c411d77 |
| SHA512 | c2ca3327615617a2ae2ab62f6621bbaa0e5484bd709a0ea604fd99c1a5d80b46ac8680cbb1bb752b10110879f7808a132299d59951492cd1cff8bb15bfd9e5d8 |
C:\Users\Admin\AppData\Local\Temp\sd9ogfvx.0.vb
| MD5 | 160882c653fbbe14f076e1a651dd6fa0 |
| SHA1 | 041e85466ebb363cd5c272e048a114aed21e2011 |
| SHA256 | aa170cc9b3bb4c2e52a8dc55eefbec37403412ffea1a5ee560b10e3544804ef6 |
| SHA512 | e35c51b1738acb4a17c724ea192742a103291b085587bd626d41e010bb16c842b1719f4f627a35e278d8a4495dd72f050e9087d3cd6eddb7ab6be5cab250bd2c |
C:\Users\Admin\AppData\Local\Temp\vbc4CD8.tmp
| MD5 | 5af6523865462981381750361f7a5e8c |
| SHA1 | 5a3738e6b869adf8a8749b85b742edf39d52d6f7 |
| SHA256 | 75424b06e7a5c9f070e7a7aececc60f2427892a0b78117bea3d0aba5f562cae8 |
| SHA512 | 2bca9d858578fc4b6d605e68d6e398bbcf9940b110a08b0c6bd9a04e67861e69fcf174aeb4bdc2644bcca903713a6b4f3b65ac6960f8865655a2c1c88107f257 |
C:\Users\Admin\AppData\Local\Temp\RES4CD9.tmp
| MD5 | 6268292e44cf59442dbb64af533944ef |
| SHA1 | 477b17ea478cf75263f706e0f415469d60493528 |
| SHA256 | 8e504b854a097af24be6e41f9543f1abb384e0189fca3e57a0db8fec615281b1 |
| SHA512 | c9370903ee28a2e937d7546f00bfd16f69ec2b2c5f7b2d828d3053af2e7f900aef45ef21cfe7caed1ac496d2f9b4e5c59416057d68fc70dfda0e6412a514234a |
C:\Users\Admin\AppData\Local\Temp\2c1gn2mc.cmdline
| MD5 | 04216f069c336d89d9eee54f07524c62 |
| SHA1 | e92e91284503b276a0a41c640e6c9baa3f70ffb1 |
| SHA256 | 59b367e58a8f8e26444bb4a01e23f4453d4446123f54388501d8ca4b3ae2b391 |
| SHA512 | c1e9826aa0ff6f991e7cd11dda27669de2e12bfffbab83af80af4cd8557fd0e36f22c711fc6f16b1fa999156f460271c31cee3765ee17254cc0874aed486315f |
C:\Users\Admin\AppData\Local\Temp\2c1gn2mc.0.vb
| MD5 | 0e8ec7f764a9193ecfc08556f5a9c683 |
| SHA1 | 734c4b30944532856cbf0c6ca965a5ae049fffcc |
| SHA256 | 0afe1993d2e4eda96b079ac84939a828016669de8a47be15c895af2c1f563bbe |
| SHA512 | 72d0586fbceae3f47d4dfc4388acbdef930a589558f24ea6ef3a7f28591251ebdf45ea9199b57afafd7c2b9f2b7d667b42e8a1c81848268eb4d55c02709ac7c2 |
C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp
| MD5 | 8129f7e2dca51d76041b78447695a304 |
| SHA1 | 3f27b119efbbf865f2e452c4eb3b0fb2ef9f6f0a |
| SHA256 | 416c797937c243746ffd6e83311d30825488694764e01e62f8d84298c02275cb |
| SHA512 | 86e9dad3f194027a7ab4f121707574c9703e0664c216e92d0458393ed0a67b3aa12f8c09dc1594bf92a6e3fb42b13d4e0b6a26488d8e30b49e99b8d4746e37bd |
C:\Users\Admin\AppData\Local\Temp\vbc4D26.tmp
| MD5 | c64bfe995d7fb0619132a5cf383e487e |
| SHA1 | 2fe80294a7c6dae11d86063dd9ab2166325901a4 |
| SHA256 | 9db578d6f8282b675c8db2bf9446d21359234fc239b5973d8d7d0e68d86aec3c |
| SHA512 | 839e1a6913470c54232a1060c07ea95499c860015c5e894d9d9c002f9b2c6b6700d4c132b8003d91216c9ea64800a4cef9d4c9181e9317b97c98564016dd9687 |
C:\Users\Admin\AppData\Local\Temp\bs08pe6n.cmdline
| MD5 | ce9ecb159f202c97ee1974e6354f8acc |
| SHA1 | c6a3b3d20402d8301f32b356fed1d5e231b63dc1 |
| SHA256 | 8c3047622ec3ff3ce68be77b73669c6c3237ab0f0f05fc4c626698d0609f7d91 |
| SHA512 | fbb597e12284ebd67f3d8ba651da42f1bb11704e517a9fd8189c71884da0a7d6005344f74ffb3dcb076b03556ed937c1589cc04c1c64932172e0779efc88f889 |
C:\Users\Admin\AppData\Local\Temp\bs08pe6n.0.vb
| MD5 | ea34cab076d79a55441ff6b906866859 |
| SHA1 | 89cc05547fbc2a1fa93a75ded89f22e8794111d0 |
| SHA256 | 7741a03b237390f3fa340e8441ff8963032549365b32493d41de99616de22f50 |
| SHA512 | c92db99a3a4f001c6147d9ef96dee6da62abaa09effc0e4ee1399da5829647fb473f80abc0bce44ba4d304dbe05424bf52080acdf9d647d98380cf9bc52e1f25 |
C:\Users\Admin\AppData\Local\Temp\vbc4D65.tmp
| MD5 | 78b2b0efd28d76fd21accc5df43260ba |
| SHA1 | b67bee7224718c60826ca7cbcd230ca017613925 |
| SHA256 | bd4ad2a296b00df59d844704bfb0d313ded795641bdd4c6ddaf1fd62bdc7482b |
| SHA512 | b60374331f47f44036062056ee43654f762a7a4f0a24ca242739fdc6ca8e3c0d5bd24d94326c8af1735137522565b5b77cde480ead7dbb7b4b6684a826e92926 |
C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp
| MD5 | 71cc1477e3099675bf039f26d082bd90 |
| SHA1 | bc31247ea03a473890ebbdd9bd229ef1de211f2d |
| SHA256 | 40186ebc094300701573937661408c312e7a04eb5c800bfde4a64c2d1d6c5fdb |
| SHA512 | 2b741f08c273a202ef921a8b99f67167174bd0c8de8ee44bc5db93cc2f624b0163d1a95836e632a10358a68a5d865accfe08c24e87b7a466ad5b42f04b9b8629 |
C:\Users\Admin\AppData\Local\Temp\ftsuzobj.cmdline
| MD5 | f98b38334abe94d2b79b26e834c26cca |
| SHA1 | b33ed4f58a5814305887d0c37ade1513704d9aab |
| SHA256 | fa3700d9eb80b0638d0491f78f052d5489bb43b49868f229ada221c88d8d2074 |
| SHA512 | a02d2430a2c067245a800071b89da69f403bd669e04d5b05cc820e2667e6ce8201df0de142594f64a1c2c6d41ee53489d1d3209174a3721c398e0c9eb010d697 |
C:\Users\Admin\AppData\Local\Temp\ftsuzobj.0.vb
| MD5 | ed1d3589a4289178e047d233553d4426 |
| SHA1 | 2ee6fae1e3f7226e01e2726b1ddaf5aa9d904d79 |
| SHA256 | 956c6f9f4fcc5dda32e302bfa843558eaf219e78641d396ad787f9b291d70f5f |
| SHA512 | 40776729a7e875389dd4c6578c4d74451e39b08b28bb4ce117e3f7c89ed9952c11f9d9380fc787d889b3ddafe2f418cb975f0086c8467e37334dd8cc50c65bd2 |
C:\Users\Admin\AppData\Local\Temp\RES4DA4.tmp
| MD5 | 52f1aa945efc91b825794118f24a3f77 |
| SHA1 | 445d9469fce1faddcca0590ceea485009901e428 |
| SHA256 | 1d8e25845f377e9aa818ebb5493a11dbd1743ce38594179c1ba0e3299783ce3d |
| SHA512 | 0eb6b510e2c49e115224ad0df16378d211f29472406f8882e62a20ffb279733d94fe6c2f9d2a049cd61437ed264ace55dc12997edb987694a4072799379ab101 |
C:\Users\Admin\AppData\Local\Temp\vbc4DA3.tmp
| MD5 | 5d0b41994c1eed8db0edc5c7dc6326b5 |
| SHA1 | a4deffe9a8a153949ebd354f7c4e9fe916be6e04 |
| SHA256 | d7a014d773f92c9fdc5a0a61e9c595b2331170bbcfbad3f782653be266f28809 |
| SHA512 | dd7948ee2f1f022b7fe3d5fb368dc50a875ff16017a8edb077315cee74ec7a15343fe1adf7ff179e16be94b556d32db06cf3fee56e0e19f13478652458b5ad1b |
C:\Users\Admin\AppData\Local\Temp\t83y_h18.cmdline
| MD5 | 825289cc36aedcf811a04932eade8e80 |
| SHA1 | 63819a63ccf60616af2051a07d8f87efcc9ee897 |
| SHA256 | e13569644731ad2d9d8c536ce97a482bcb1a5bd30462441d7c457e5272064163 |
| SHA512 | 66c5b1a5a99865b2649fe0a7bdfa082d1613f9ee817d554352ca036502500d457a2051fea5e2bfe96a0843159bc2b1b3becf15dcd2c1ad28d496373f50ef4a26 |
C:\Users\Admin\AppData\Local\Temp\t83y_h18.0.vb
| MD5 | 172c3ca11ccd13abc7d1e1d913aa9695 |
| SHA1 | 54fe456714e8797aa6f8a4fe5256d1559a6b1faa |
| SHA256 | 1d3927c7c461e6c5df741e5747dd4ca7751a631ea7d2d1c16057dd4342cd9df8 |
| SHA512 | 14e6fc57296139b7856891e1364aed3d7824624ab996f4df120ccb86c848fabb871b751285ff71484c8d0c44811f298ccd240e7b412b059325f0552bdcee96d0 |
C:\Users\Admin\AppData\Local\Temp\vbc4DE2.tmp
| MD5 | 3e0e8bfe2f219da1eea600f4a0f466c7 |
| SHA1 | aceefc4c180dd34b21d82116aeebadfe728fef93 |
| SHA256 | cba9bb462cd314f80453e4647db5bc30568e1a3a8969e3c73195aed802154a82 |
| SHA512 | c130a29581651155ccd73b3a29a51edb7fb3f1a848622f22b2b7d9d93f4e6de1c6a605c83e09c9d5f9952af23424b55e64fb1c0643e74e0b9110a76f5aa46db5 |
C:\Users\Admin\AppData\Local\Temp\RES4DE3.tmp
| MD5 | 492f8734a28884a60a3aa05286ecc223 |
| SHA1 | fee4383e9bc00dd3f8e17ac2d9624ec637f9e348 |
| SHA256 | 818ebc942d6dc70f40679b4e49ca5dd6a82a0d38091eb3ab25031a78d3ca40a8 |
| SHA512 | 6840d2f5a57ebabe7764f9e1d45d28a623fd7c1e698834424ff84ba1f9376c28a50b92bdf8573b95b9f1229669093d0c7039d2831ae372c994330a62301a5c92 |
C:\Users\Admin\AppData\Local\Temp\c_2vurs6.cmdline
| MD5 | 6250f1661ee46be25c0db29d60625b37 |
| SHA1 | 2af874872342d500ba2bcf7dbd89c32fdf6697d1 |
| SHA256 | 0d90ca222be066f892420d37503f48275dd634b2878a5130c16cd92e315088b8 |
| SHA512 | edc8d1c3520e80f68b5c01d5c58672418a7d64eccf0d43e7bc5c12ee0e3e9563dd648f248542736c2725fb288a8e2dcd05e1483b434917f77d3ea864e7fc0a95 |
C:\Users\Admin\AppData\Local\Temp\c_2vurs6.0.vb
| MD5 | 78a7170464fb3315b350530ce4cdee0a |
| SHA1 | 02a6ed0267c59c935cc7c5b56132ec72800aed7c |
| SHA256 | 363965758ea1c851aefc6d2ef2030fd201b2a246d37364720fb04a9756bcf80f |
| SHA512 | 810e0f2746ef44aa15a982d84f67da85ca31c8a94f0ca02d7b0774ce9c303ccce5f220835d809d9d08cdbcb6ff2276f5afe219f05dade8d879f30eb4271c8144 |
memory/2784-341-0x0000000070340000-0x000000007074B000-memory.dmp
memory/2784-342-0x000000006FF30000-0x000000007033F000-memory.dmp
memory/2784-343-0x000000006F6C0000-0x000000006FF24000-memory.dmp
C:\Windows\SysWOW64\xdwxsvc.exe
| MD5 | 688a4cb70081d9edb63c1c1aa41487e1 |
| SHA1 | 3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8 |
| SHA256 | 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9 |
| SHA512 | 4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b |
memory/2784-348-0x0000000070340000-0x000000007074B000-memory.dmp
memory/2784-373-0x0000000073FE0000-0x000000007458B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp
| MD5 | 3906bddee0286f09007add3cffcaa5d5 |
| SHA1 | 0e7ec4da19db060ab3c90b19070d39699561aae2 |
| SHA256 | 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00 |
| SHA512 | 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0 |
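Two things in the Files section are worth pulling out mechanically rather than by eye: the copy dropped as C:\Windows\SysWOW64\xdwxsvc.exe carries the same SHA256 as the submitted sample, and every *.cmdline response file is paired with a generated *.0.vb source, one pair per runtime compilation. The block below is an added example for this page, not code from the sandbox: a parser for the "path line followed by | ALGO | hex | rows" layout used above, with the two checks on top. `EXCERPT` copies nine file entries (plus two memory-dump lines) verbatim from the section above; `SAMPLE_SHA256` is the hash this report gives for the submitted Client.exe.

```python
"""Parse the Files section of this report and cross-check hashes.

Added example for this page, not part of the sandbox report. EXCERPT copies
nine file entries (plus two memory-dump lines) verbatim from the section above;
SAMPLE_SHA256 is the hash the report gives for the submitted Client.exe.
"""
import ntpath
import re

SAMPLE_SHA256 = "4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9"
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

EXCERPT = r"""
memory/2684-40-0x0000000073FE0000-0x000000007458B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PtYBxGg.txt
| MD5 | bfbee1ccbe6981fafb1c7bff99680882 |
| SHA1 | 3866c915b8a7e0592f8728c89faf6bb4d5ecf002 |
| SHA256 | 74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235 |
| SHA512 | 6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e |
memory/2684-30-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qubiz-jb.cmdline
| MD5 | 348c70be41288cb87ec5f2001317611d |
| SHA1 | a096e559336ca0370f3255add236da4a23b2fe3d |
| SHA256 | 5db9a82c9fa12da1eed274b712c86e5c6702e0a3feedb9d67c3e6bcb27bcf628 |
| SHA512 | 03fa7bb9ecaa379c3fbff4725bc001125c138513ee19b6c73b5373252987a55f009d76a54908a58a4aa1002e08a1d12f475d85b3042f428a17e6cd56a3cfa023 |
C:\Users\Admin\AppData\Local\Temp\qubiz-jb.0.vb
| MD5 | 28dbf7030dad11a54e1d95dd8eb45a98 |
| SHA1 | 4927487b557da799c952ea1abad44b9525d63eba |
| SHA256 | 0e0c4d33367405357ea78d211caab35b4ff3319b1f446108623439affcb07069 |
| SHA512 | 1c38394109665bd782863c5f45257d756187310a51ad430e280fc5cb506afae982d9cce31ed5e6f2e98fca0f2a87d30ec03cb435a985e6013e12bfbb974795d5 |
C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbc4A3A.tmp
| MD5 | f56ec8e7b27ab7433cb0c35ab2df265a |
| SHA1 | ef1fece3dc9681f2b11a62101ef152b4e164b4b0 |
| SHA256 | 407fc6c2b744b259474a155aec45b829c3bf0d8b5ddf59535ffcdbec6efcd219 |
| SHA512 | cafb3b9f7dff59f975bd49375750aaf15261be2ef4b9c9ccfe0795acacdfe2d7930908bc90375fa72154d79548cc0e61f216c9d0ba4a784f3e7e9fab50bfba04 |
C:\Users\Admin\AppData\Local\Temp\RES4A3B.tmp
| MD5 | caf89b10dee8f92c4c96032f61d61b97 |
| SHA1 | a3b3be544946d2b600c4968ba7e4627f273a2475 |
| SHA256 | d7f5e6041803e853a8a393618bb05b94406a75b6197ae6f38b24ef27680d4444 |
| SHA512 | 263e45c17c9230462a2fb0b41a049930fad92cf68794e9e5d27483e72099460442d4a31aecc77f16a4af2699fdbf477b52c0cf5723c85ab6722f0669fa54ee00 |
C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.cmdline
| MD5 | a1430987517c8a53c2e43c71b5f57761 |
| SHA1 | 2f90dc39a4d510a70fdacf3f61238ca9217e6a85 |
| SHA256 | 5d3d8671752fb1c97a4dd031768ab63e4d0b077f3d5ea0e88981bda2149e0d2a |
| SHA512 | 4b57323f3d380d756bb642eede6da06d77edbcddbeca79192a3117858c5f8c11e35d7018b930b06c5d5239c4af116583bc493e6ea53727a837425553a2585010 |
C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.0.vb
| MD5 | 499edc4bf130416dc86893476a708eed |
| SHA1 | 8a3b1172f2ea07a3adfe73d66cafb94856e75c89 |
| SHA256 | dc059da9a83a450a3483e04dfb48bc2e208ab4bc4d9ca99119da5f0ca2059e0c |
| SHA512 | 7488b5d4140aba56e2814b599e0c16964f3359c8a7dc84a853169efb0a92c8fcea97f51c9e5977e4168b8e1a8ec85e9010da3c7684f8a7d4b510075d49652e1d |
C:\Windows\SysWOW64\xdwxsvc.exe
| MD5 | 688a4cb70081d9edb63c1c1aa41487e1 |
| SHA1 | 3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8 |
| SHA256 | 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9 |
| SHA512 | 4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b |
"""


def parse_files(text):
    """Turn 'path line, then | ALGO | hex | rows' into dicts; memory-dump lines are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if cur is None:
                raise ValueError("hash row without a preceding path: " + line)
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{cur['path']}: {algo} has {len(digest)} hex chars")
            cur[algo] = digest
        elif line.startswith("memory/"):
            cur = None  # a memory dump carries no hash rows
        else:
            cur = {"path": line}
            records.append(cur)
    return [r for r in records if "SHA256" in r]


def copies_of(records, sha256):
    """Paths whose SHA256 equals the given digest (here: where the sample copied itself)."""
    return [r["path"] for r in records if r["SHA256"] == sha256.lower()]


def compile_rounds(records):
    """Stems that have both a vbc response file (*.cmdline) and generated source (*.0.vb):
    one pair per runtime compilation the dropper performed."""
    def stems(suffix):
        return {ntpath.basename(r["path"])[: -len(suffix)]
                for r in records if r["path"].lower().endswith(suffix)}
    return sorted(stems(".cmdline") & stems(".0.vb"))


if __name__ == "__main__":
    recs = parse_files(EXCERPT)
    print(len(recs), "hashed files; sample copies:", copies_of(recs, SAMPLE_SHA256))
    print("compile rounds:", compile_rounds(recs))
```

The hash-length check is there on purpose: a digest truncated by copy and paste is the most common way an IOC list goes wrong, and a SHA256 that is 63 characters long will silently never match anything.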
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 06:43
Reported
2024-10-12 06:45
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
145s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Windows\\SysWOW64\\xdwxsvc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\xdwxsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Windows\SysWOW64\xdwxsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3580 set thread context of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 4968 set thread context of 2612 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 1168 set thread context of 3572 | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 3572 set thread context of 1500 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 1096 set thread context of 3340 | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 3340 set thread context of 4560 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
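The six rows above are three chains, not six unrelated events: Client.exe hollows a RegSvcs.exe, which in turn hollows a second RegSvcs.exe, and each of the two xdwxsvc.exe instances (the copy the sample made of itself) repeats the same two-hop pattern. The block below is an added example for this page, not code from the sandbox: it parses the rows into a graph keyed on PID, follows each chain from its root, and keeps the ones that end in a signed .NET framework utility after at least two hops. `ROWS` is copied from the table; the `DOTNET_HOSTS` entries other than RegSvcs.exe are an assumed extension of the list, not something this report shows.

```python
"""Rebuild injection chains from the 'Suspicious use of SetThreadContext' rows.

Added example for this page, not part of the sandbox report. ROWS is copied
from the table above as (description, injecting process, target process).
"""
import ntpath
import re
from collections import defaultdict

NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
ROWS = [
    ("PID 3580 set thread context of 4968", r"C:\Users\Admin\AppData\Local\Temp\Client.exe", NET + r"\RegSvcs.exe"),
    ("PID 4968 set thread context of 2612", NET + r"\RegSvcs.exe", NET + r"\RegSvcs.exe"),
    ("PID 1168 set thread context of 3572", r"C:\Windows\SysWOW64\xdwxsvc.exe", NET + r"\RegSvcs.exe"),
    ("PID 3572 set thread context of 1500", NET + r"\RegSvcs.exe", NET + r"\RegSvcs.exe"),
    ("PID 1096 set thread context of 3340", r"C:\Windows\SysWOW64\xdwxsvc.exe", NET + r"\RegSvcs.exe"),
    ("PID 3340 set thread context of 4560", NET + r"\RegSvcs.exe", NET + r"\RegSvcs.exe"),
]
ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

# Signed .NET framework utilities used as hollowing hosts. RegSvcs.exe is the one
# this report shows; the other names are an assumed extension of the list.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def build_graph(rows):
    """Return (edges, names): injector pid -> [target pids], and pid -> image basename."""
    edges, names = defaultdict(list), {}
    for desc, injector, target in rows:
        m = ROW_RE.match(desc)
        if not m:
            raise ValueError("unrecognised row: " + desc)
        src, dst = int(m.group(1)), int(m.group(2))
        edges[src].append(dst)
        names[src] = ntpath.basename(injector)
        names[dst] = ntpath.basename(target)
    return edges, names


def _walk(pid, edges, path):
    path = path + [pid]
    if not edges.get(pid):
        yield path
        return
    for nxt in edges[pid]:
        if nxt in path:          # malformed-input guard; real PIDs cannot form a cycle
            yield path
        else:
            yield from _walk(nxt, edges, path)


def chains(rows):
    """All root-to-leaf injection paths as [(pid, image), ...]; a root is a pid nobody injected into."""
    edges, names = build_graph(rows)
    targets = {t for ts in edges.values() for t in ts}
    roots = [p for p in edges if p not in targets]
    return [[(pid, names[pid]) for pid in path]
            for root in roots for path in _walk(root, edges, [])]


def staged_hollowing(rows):
    """Chains that end in a .NET host after at least two hops, i.e. the final host was
    hollowed by a process that was itself hollowed (RegSvcs.exe -> RegSvcs.exe here)."""
    return [c for c in chains(rows) if len(c) >= 3 and c[-1][1].lower() in DOTNET_HOSTS]


def render(chain):
    return " -> ".join(f"{name}({pid})" for pid, name in chain)


if __name__ == "__main__":
    for c in staged_hollowing(ROWS):
        print(render(c))
```

The practical pivot this gives you is the middle hop: the process that finally runs the RAT is a RegSvcs.exe whose parent is another RegSvcs.exe. RegSvcs.exe has no reason to spawn itself, so "RegSvcs.exe child of RegSvcs.exe" is a cheaper hunt query than SetThreadContext telemetry and catches all three chains in this report.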
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ca7usmr3.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64D4B2D7D9954D9B9E67B8F6BE937896.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ivb6irl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3023.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AADB41FDB2486192B9B5911565877.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p8iw9tke.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5C749C08B35490582E96C74EA9D65B.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yk2y4arh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES310E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C9147229E9B4EACB6BBF92076541C27.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1l8zvdck.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES319A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C59D9A1C09342A8B2B8E668DBF693AC.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-oubtxx3.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3208.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F5356F5AA7D4A2CAA62AA27BC1E2746.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jpwbgctr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3285.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D5BEB4642784F57B9B55B67A752473D.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qchxndj9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD53DF87B9E7B4BD0B39817ABDB8AA68F.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4i405wq4.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES335F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2502806EA0440E89126D0D4C762FAF.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rwv2sdjz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9A112B6488C4A2E87449D45FE661AAF.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_mk951-k.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES344A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FDFE2E9229A420B80B1BFE96CF4B337.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4ezresw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc136A19A8650A4FFB8725A1B14AEF71DB.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_r9x2hqo.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3524.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11C423786C5480E90D28A5BFE3AF4FA.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-sbn5t6h.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3592.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB41A0FE21FC4AA9A2429ADDD33D968.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9v77c86w.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES360F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9EE33EAF4284062BB342E2A64D73E6B.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p0ro9gve.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES366D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1012F5B7CA89403E8E27C25AC4BC78BE.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hbxsmfne.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3776.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF987E76134A447C3841A7D66C6322A96.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2_t-u0ik.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3803.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70D80F347E2740CEAFC8E4ED59CBC786.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\epydxdwf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3870.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc378B500514EF4D20813C2F1E23FA60DB.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iizqnfpi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc418930BF78BF470C882AB828DB1825D3.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y-xbe5yu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES394B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1853953DF95946AA88897699CB6666EA.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kz61m0l7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABDA5826FA9344F38D1388D065168B65.TMP"
C:\Windows\SysWOW64\xdwxsvc.exe
"C:\Windows\system32\xdwxsvc.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\boiadb1e.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF88BBEA870394E06BC899C4865DC67E.TMP"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Windows\SysWOW64\xdwxsvc.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-tjq6ibs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE191.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C0AAB4FF58D4FCAA14B9EA8578FD4F.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pzyxx0og.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE21E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9B252691CB7422384C1887BD8A79158.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bccygghf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE29B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17A80A4E97E04DCCA5B250DC8633FD51.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1bqjndnm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE308.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4172DC3A1D742CCB29CA53F4CD959BB.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmy53ax5.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE375.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc341BD20022A849B0922DACA4B73B8846.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fl-mtz6u.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A3538A8A66C4F46B5FB4338B9699F4.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bhwthdx5.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE47F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82E2FF46725440A39ACF77139FE117E.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pxt4we7z.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5FCD6FD17AD543C193AABFCECF1F2DBE.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2rux2ym3.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE55A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc27304D567EAB41E7B8E5613FF72238A1.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yvz5vdit.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5D7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0603BDD72846A58F9DF4888E23475F.TMP"
C:\Windows\SysWOW64\xdwxsvc.exe
C:\Windows\SysWOW64\xdwxsvc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3580-0-0x00007FFC374E5000-0x00007FFC374E6000-memory.dmp
memory/3580-1-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp
memory/3580-2-0x000000001B7B0000-0x000000001BC7E000-memory.dmp
memory/3580-3-0x000000001BC80000-0x000000001BD26000-memory.dmp
memory/3580-4-0x000000001BDF0000-0x000000001BE52000-memory.dmp
memory/4968-6-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3580-7-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PtYBxGg.txt
| MD5 | bfbee1ccbe6981fafb1c7bff99680882 |
| SHA1 | 3866c915b8a7e0592f8728c89faf6bb4d5ecf002 |
| SHA256 | 74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235 |
| SHA512 | 6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e |
memory/2612-8-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4968-11-0x0000000074FE2000-0x0000000074FE4000-memory.dmp
memory/3580-10-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp
memory/4968-12-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/4968-13-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/2612-14-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/2612-15-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/2612-17-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/3580-18-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp
memory/4968-19-0x0000000074FE2000-0x0000000074FE4000-memory.dmp
memory/4968-20-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/2612-21-0x0000000074FE0000-0x0000000075591000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ca7usmr3.cmdline
| MD5 | 2827db573f2c410fbe2d4c6aa6ccb455 |
| SHA1 | 206215ef99212e21f16caff5c0944b5288b357f7 |
| SHA256 | 7a2cef3fbe9294ae612a84e6df629ce97b00c770004455ebfd9b02b78bdd2db2 |
| SHA512 | e40ecf867851d3e124d7249e31d8a30c432766fafb0bf8fc086cee99b7bfd9e19138e0783726e17ad7a9b797c4078f0630da7fe6411406a8a71c18545a415fbf |
C:\Users\Admin\AppData\Local\Temp\ca7usmr3.0.vb
| MD5 | 28dbf7030dad11a54e1d95dd8eb45a98 |
| SHA1 | 4927487b557da799c952ea1abad44b9525d63eba |
| SHA256 | 0e0c4d33367405357ea78d211caab35b4ff3319b1f446108623439affcb07069 |
| SHA512 | 1c38394109665bd782863c5f45257d756187310a51ad430e280fc5cb506afae982d9cce31ed5e6f2e98fca0f2a87d30ec03cb435a985e6013e12bfbb974795d5 |
C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbc64D4B2D7D9954D9B9E67B8F6BE937896.TMP
| MD5 | c7f6a41a3079bda4520d06472901e666 |
| SHA1 | 8243ac437fbfcfd2ab13c20ff038787ad771b649 |
| SHA256 | 72a7ef5911e3abdc3cfadf04c8796dd491602316ff42bafa8ca88461daa545bf |
| SHA512 | ece70e1febf2f9dafdc1ce6ba46c74a43065893f7284fc510298e69f42dc129170b1874687a27ad5a1b60b87af0b0d2f067c8284ca0386fece18ae8baae3eb64 |
C:\Users\Admin\AppData\Local\Temp\RES2F87.tmp
| MD5 | 3024c6550358972ccf85395868a18ed7 |
| SHA1 | 2555f90731b6e5b9b644e51aa63f91f809a2e9f4 |
| SHA256 | d265915a6f47eb41745f88f050fd25b9132d763add5143de2798461241ecc4b9 |
| SHA512 | ee1bb888f84f408c9f0afb4578291f15b7dce64f258c605455682ac3395ba9858e9afdd97bf977f34750d380612e0ecdb9149952588c91bbb2d55c68cce99e2c |
C:\Users\Admin\AppData\Local\Temp\8ivb6irl.cmdline
| MD5 | 905ba46d7948bedd3de916e9d49620ad |
| SHA1 | 3d7b543e9b8d7b30721f0c4c59f0eec5aa1ebed1 |
| SHA256 | e798f12dcab19e2239f056cb960c502110e634ffa559ffeb8aaf61b4a2844f55 |
| SHA512 | 347a37f2f202e12b757e293e9f6f061a958c41105c879b2e46d6c46101c20ebcf0ddc6174b0d39d3469fe5990ffeb51a54410a2556803945a2510e85b8937f7e |
C:\Users\Admin\AppData\Local\Temp\8ivb6irl.0.vb
| MD5 | 499edc4bf130416dc86893476a708eed |
| SHA1 | 8a3b1172f2ea07a3adfe73d66cafb94856e75c89 |
| SHA256 | dc059da9a83a450a3483e04dfb48bc2e208ab4bc4d9ca99119da5f0ca2059e0c |
| SHA512 | 7488b5d4140aba56e2814b599e0c16964f3359c8a7dc84a853169efb0a92c8fcea97f51c9e5977e4168b8e1a8ec85e9010da3c7684f8a7d4b510075d49652e1d |
C:\ProgramData\xdwd\vcredist2010_x64.log.ico
| MD5 | bb4ff6746434c51de221387a31a00910 |
| SHA1 | 43e764b72dc8de4f65d8cf15164fc7868aa76998 |
| SHA256 | 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506 |
| SHA512 | 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1 |
C:\Users\Admin\AppData\Local\Temp\vbc8AADB41FDB2486192B9B5911565877.TMP
| MD5 | 7401d50a9bc171ba9d6ecf6b30ecbc73 |
| SHA1 | 1859b15305b11751bac9a8ca5da2997b9c6441ed |
| SHA256 | 6619ec9babf74ad74669c504b215c5789df1852c7ed14484369698f34bb6eac3 |
| SHA512 | 16f0ac31a55dc905e99df489004236e0effee3637778f8a40b9ffd953719569fbb23736230b9521a9443e8d7e80d1135efc419762846616fdb2d90d4290743e8 |
C:\Users\Admin\AppData\Local\Temp\RES3023.tmp
| MD5 | f35f76b1fa0ca4163de1b6c2d3f72c4b |
| SHA1 | 05f7ecc08eba75acc5c51ac240bd19d9172c9cfd |
| SHA256 | 913c95486b079e3a095508a4421586ac52d246eae74d855ad29ed34847ad3050 |
| SHA512 | e6cc891753790029e04df24c6e963956d7d209f63561f3e5b56b11375cab9afe7b6bed151f7151a053a3a72ce1dbabbcd208a8b12e781b072b4a7b9479d714c2 |
C:\Users\Admin\AppData\Local\Temp\p8iw9tke.cmdline
| MD5 | e935fb65862a74f2a0073104b5126d16 |
| SHA1 | 39db324b8a055d9ab41f982024305c37047545b2 |
| SHA256 | 55287e5915b744f4af597861e15d1220bf128e614001518e282b8773af5442a7 |
| SHA512 | d839e6d74e97f3cd91ca1fba1ca209fe87e749134d7894a85aa588d2f4c37c81c2eeae09ace7037b0e69123c534c8bd65c8f9bb2391166214e7a64a232d4bbea |
C:\Users\Admin\AppData\Local\Temp\p8iw9tke.0.vb
| MD5 | 6d6736464a399fb3f33dda2efd7833e5 |
| SHA1 | 0fa9412d9f0586cf5e162b8335e08966b0439c4d |
| SHA256 | 60ad43b63d891185bc44b19b63c636dcffe24f11a5b982bddd78b7d4b36b01f7 |
| SHA512 | a0aa1b1e61358febc57bcd455b9dbf16199c2d18c2f43247f6c784b86d1b2e74b0b406339e49486156361d55fc96f5937de412ddf27016bc68da9fcd19ec50ef |
C:\Users\Admin\AppData\Local\Temp\vbcD5C749C08B35490582E96C74EA9D65B.TMP
| MD5 | bc63336cc64956ff90e86f9c0af58876 |
| SHA1 | 68eb9c8ef6547c1daebac663c1c8e4982c862056 |
| SHA256 | b95f8cf19f59f1ecc0a5a783134c67f1389e36f162e2e36bb0c9e64f05e0f4f6 |
| SHA512 | 940ca2bf5c36696396f7639cf995ffecdbb6fa9a1396a21db9356358fad030eac6b449b759911c0d5d0ab9aa460ea5e301027714a3440bcccdc719ce6b71b2fe |
C:\Users\Admin\AppData\Local\Temp\RES30A0.tmp
| MD5 | 76a07da06f5ad604f0e45e0676f5c1e4 |
| SHA1 | 7462e813d343ebfe0ab64e07230df743fd75a41a |
| SHA256 | 6a4777c9f62df42535ac7d77fda175983265978eed0c337eb07bd7a17da01dc6 |
| SHA512 | 4dc00e666064e1fb5ccbd066d8fede0de5774d8a66c63ddec842db01970fb46ad28c19db2594488f423bd7984d947fee8924c5a2915ad92643508ce36440b2fe |
C:\Users\Admin\AppData\Local\Temp\yk2y4arh.cmdline
| MD5 | 81ece723180216b1a8c3c3074a4024d6 |
| SHA1 | 4f32417e74be3b031b3fb246d43468b1156421a3 |
| SHA256 | 201c9f145259ce4072f53c89b8a72bbeb3fbe1c982761bee0b0253f2e276274d |
| SHA512 | 76ec7e274a8bbb8185287ca34061bd45dcc23fb5918a165f90bcc3ba520b1ae9226e57a0f37041873cc37a2249b6ca3f2ba9574934ca0a1aab22d81eb2a7eddc |
C:\Users\Admin\AppData\Local\Temp\yk2y4arh.0.vb
| MD5 | 853b3577984f8d9536757122cf3fe4c1 |
| SHA1 | 99fa6df3e78b1edd2d3e8d4570e2049d8fdfc10b |
| SHA256 | 3097c64964242cbc2ecbc3313a0533b9eaaa17ee546fafae54a1c447410a0f15 |
| SHA512 | 28782107e46a49430b9f8ed402d3c440847a6faafac8b0862c378bcce39bacea7eaf6ef0f61774ade52eaafd07e3f66c582bd80cfbd3d9b26bd2e08e0579b87d |
C:\Users\Admin\AppData\Local\Temp\vbc6C9147229E9B4EACB6BBF92076541C27.TMP
| MD5 | 1e60397d623965e2de3194329dfa9790 |
| SHA1 | 39d9965924d629e128a96a2f76bfa62765642f2a |
| SHA256 | b8c93609ad71aa5a86c55958f08bce2dfe7b0593f0cb9dc9f8d376b4f44a3754 |
| SHA512 | eaf9b213c2dca4923359c90b4bf4380b2e1c51ee366c7557f17a4964d8c8e016910f454d30a47679d1fa600d6a6d3104336583f1807e9a3e51540d6697ab2d2b |
C:\Users\Admin\AppData\Local\Temp\RES310E.tmp
| MD5 | 0eb878f1715384dccb8c0a2e587985ff |
| SHA1 | 48c9c419c22367d7aff3fd0b5f6c7b5c824d6749 |
| SHA256 | 3787d6e0c0458f8e1114bf8399d8ae98487a1978b833c5f8527bddc96938f565 |
| SHA512 | 480b3f0fdf29b9e239c7ba60c1336d29f15670147a89b9692d477da650229ffb570861755bbfe903fea85fb54b660ee1bad5c10e206eb02d27075056eff10238 |
C:\Users\Admin\AppData\Local\Temp\1l8zvdck.cmdline
| MD5 | f65e8128ef91494979d03f14bed536b2 |
| SHA1 | 4a6bfa38450c7a4754194de0506026c948182b6e |
| SHA256 | 90d51fd0d4bc21a805783369f7476633d3457dabc7df2bd939972e80f2cc725f |
| SHA512 | e2771c6b29c638ab82835c47e3ef7d604f8e28d77258d73edac624d47c0f79b73e84db4fbf5718b3ca4d8cee679dcee21c1a0ed921f642ed6b731895f801e62b |
C:\Users\Admin\AppData\Local\Temp\1l8zvdck.0.vb
| MD5 | 091b3615e797617cedc6807190f3da05 |
| SHA1 | eb4b5f559a401fda98716fec402b9e0fc782bb97 |
| SHA256 | 82f18b95d25ba46269c7d55018d021dcd1f200fd7b44a543799cdfa70785aba3 |
| SHA512 | f50c40c9ffb3800b9c134ed10af8db4acb76d10b4c6090e3db340196c1edec862210bea72dc078ca9d3a9ddfabed0661058a8719690bb205cba4a86984f37275 |
C:\Users\Admin\AppData\Local\Temp\vbc3C59D9A1C09342A8B2B8E668DBF693AC.TMP
| MD5 | a72c31a1ca62be76c9d7b02d92588f5f |
| SHA1 | bb3a0d6c1e97f3eb290b67782babe2e834bfdb1e |
| SHA256 | f6c8be511e12001de07079a0700237b477f7cbd234cea74094a1f808cc3faba5 |
| SHA512 | 130e144f07eea0383a87095f65738c0d97bc14f8abb746e5fef6b2c7c82ac27cd1070ddef5e8daeacfbd139b607f2b29c14bc3c834a7c1c0e7a04dfb5d658b24 |
C:\Users\Admin\AppData\Local\Temp\RES319A.tmp
| MD5 | 1b5703976fc231c95d87c90095df78a0 |
| SHA1 | 8ec96d047088c4cc7403642b4cc7b8da96af6e73 |
| SHA256 | c0406825a393d2ee650080c8689ac088778835b0f851765d32ba7fdf705ac790 |
| SHA512 | f1f110d5840820be3abbcd97c9fa7edb760353b4b8189f9e4e96f18e6e10c01f6a6957531db3685b6bd6831ee56f85a3fa30ec24e4436222d91c6ea187d8c116 |
C:\Users\Admin\AppData\Local\Temp\-oubtxx3.cmdline
| MD5 | 984c7a073da18a7922de0bde29309a89 |
| SHA1 | 14512228931e7d0a4348e3bf264bcbeca3e41b9d |
| SHA256 | 475a707237bb63e4f56436a247cfc41eec7ff2736aeba4e921a6b5f24a542b51 |
| SHA512 | 9d500928f63f9e7e97a7e343a18d2a697a83f3d62fae29f14345e476ddcb34c60bdac1905dcfbf62a7aed0230f9f689c27081b94d3b049f4f1867d5b3c6365cc |
C:\Users\Admin\AppData\Local\Temp\-oubtxx3.0.vb
| MD5 | 9106ed4276c3b384571c45cabfa628c9 |
| SHA1 | ec931a66b8adb01af8b1d95610bf2b2d2f115ffb |
| SHA256 | 459e3a5cd1e0a1c69fc3fa7e216bd024b6dda79c1faff1ffb2aa70bad0eb5b29 |
| SHA512 | 108b2a6003d091ab855228b0d178ca0037fb10f7da4ec00a7ae381962476a1dc9be819c03eb7689677da59b9583cae39752f0a860c10729d75ab1182396267f5 |
C:\Users\Admin\AppData\Local\Temp\vbc5F5356F5AA7D4A2CAA62AA27BC1E2746.TMP
| MD5 | 34f465e372d29ce7c4f173d026264bd1 |
| SHA1 | 96514003b0d434ce4f6fe368a04f93f95be2eb12 |
| SHA256 | c468bd7e8047b78f427e8b36916a84d7f89ac2fcfef230c394f6b87b576de8b7 |
| SHA512 | 142e4f17dba9d12f7e49dc1fbae20fa912221f8afd8bd0d20e3d9e070c6513a11154bfdc2ba0bb2b7df84678676ea32b1ec3c4831bfcd709bd69b60b86ecd299 |
C:\Users\Admin\AppData\Local\Temp\RES3208.tmp
| MD5 | 76311478813bee1b415b06429470e1c1 |
| SHA1 | 6c932a1a7f22fab4df582ffa362ea25f14dd948d |
| SHA256 | 1d9cd6923f53cc24da83a927d5f624f57f8c99af1dab5a02723f6519de8aacdb |
| SHA512 | 6561d16a0e801464c5db6e6dbb24832672052b552bbb257a79601f4c5e716d9c9339298b3e65135e0869ae856475a9a844ca4967edec8949eeca0ac9334024cf |
C:\Users\Admin\AppData\Local\Temp\jpwbgctr.cmdline
| MD5 | 8028beb4432d724a69c8f5a0ab8b9db0 |
| SHA1 | f70b5ec8344ce4957b4f6b730fa0cea310dbdf45 |
| SHA256 | 5bcbcc533463650d5dd24769f66bead5f997cef3f79160ecd5940a1f9a5d8c27 |
| SHA512 | cd648693c996052c7fa8931e2b5136cfc978b18f810f6e8a9632d00a09f22f7607f088039200ccd5fecba299b28614f11a37082b38fa2177d78affb32227fa85 |
C:\Users\Admin\AppData\Local\Temp\jpwbgctr.0.vb
| MD5 | 241d42a34175e7443e7787371469d3c6 |
| SHA1 | cd4ec5655235131bcf3e31da6822be8a154e006f |
| SHA256 | c0621ca644e71002899bb4b19caaa81045234b73f1883bdd9a5a1be3ce033b1c |
| SHA512 | 6feae60ba972cb315b259b8b3e4e576b4d5c8b8d5fb383612630d2858a3a76ab896ba70ba951d26c04393861b4f986a1c13dcbea1d22776facf303a8c264077a |
C:\Users\Admin\AppData\Local\Temp\vbc8D5BEB4642784F57B9B55B67A752473D.TMP
| MD5 | 26b170e6e5af1a9d03d4ede628313a76 |
| SHA1 | 85dc4525f6f51fa393c18374366db1faf4ed56a1 |
| SHA256 | c6fedfc20e867ccd4aa0a25fbc8dd9c1a45639d285e205299de3871e014d7f45 |
| SHA512 | 83d1ac654512662051698926af9c7da92325af4bc39ea787ddea6e5d47aa753ee034a677548c0936a6214f9b1be932c5678267a2344d2d392f3f15098e9c7670 |
C:\Users\Admin\AppData\Local\Temp\RES3285.tmp
| MD5 | e9e4b83778ee55c10cb62ffecda03a78 |
| SHA1 | cc56c6a7bdc80c49dfb31a32808d69dad171533b |
| SHA256 | 37c0912757da3fd448e02269ebefaa53fda3db2d1abdd64dbc172c8900ab66df |
| SHA512 | 49218763521acf6238f96fc56cffc4a60c465f84e32d7ee3eccae7b8c8e5af4774c7efa6fb8e460cb6664624308481004a5a4fb7e4aa46d58b3f3c6f0541c2de |
C:\Users\Admin\AppData\Local\Temp\qchxndj9.cmdline
| MD5 | 231edf6d61a0e09675c73a388d53a4e0 |
| SHA1 | 1918de6109813679e11958d7762c6c7e9e358295 |
| SHA256 | a2eef08787450680210fb1a4b4ac8d5bb2e0d2d194bd356ada854abd5220e51e |
| SHA512 | aa4737662e0a359706d31596e23e0244393ca77d96ffae5900f616c11a43f84c84401708ada627c85adbe763cadef8eb05d670f9aa033a243a4542873b6a996b |
C:\Users\Admin\AppData\Local\Temp\qchxndj9.0.vb
| MD5 | 160882c653fbbe14f076e1a651dd6fa0 |
| SHA1 | 041e85466ebb363cd5c272e048a114aed21e2011 |
| SHA256 | aa170cc9b3bb4c2e52a8dc55eefbec37403412ffea1a5ee560b10e3544804ef6 |
| SHA512 | e35c51b1738acb4a17c724ea192742a103291b085587bd626d41e010bb16c842b1719f4f627a35e278d8a4495dd72f050e9087d3cd6eddb7ab6be5cab250bd2c |
C:\Users\Admin\AppData\Local\Temp\vbcD53DF87B9E7B4BD0B39817ABDB8AA68F.TMP
| MD5 | d815557476ee712d81ff24c8b484e192 |
| SHA1 | e52a4b5da6dd467f7e454e5b09ead24985e6b2ae |
| SHA256 | 90f2041aac8a5d28943b45dd153c28311ad8808af65bd4fe8080bc2f1d2628fc |
| SHA512 | 62dad1a9ed42cd3ded025d487b59ceb47a2f2b9590cdcd60d0d93908cf37f5c02e70331124f0a76c18802fcea0225285704ce70f1e453c8a7b968ecc0d60e8dc |
C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp
| MD5 | 0b2680113456e56d097a086fb6c2c168 |
| SHA1 | 03c4de58abce297830e7cbc2d3a0e61792f37c14 |
| SHA256 | 659ce18559f16feb8da4ceeb9418b8506ae0078bd4e3efd9d1a7f5c6bf9bd79d |
| SHA512 | e8d001bc27fdc15f1664a21f97f2ff0ec5693a0b01524ada9f3bf98f8cb51db3092206a30f0648b4be408577d9617c55f0c36a69594d947b42af1745fcb7f04b |
C:\Users\Admin\AppData\Local\Temp\4i405wq4.cmdline
| MD5 | 4bb51c1cf4ee7e1663ba96cf2c2ec362 |
| SHA1 | 4ddc9033cf67ab8696e41935a717648d147db3f2 |
| SHA256 | e3607893db033ed29db8694f526fb3f7459699f817068ef5d9acc13e19bd7078 |
| SHA512 | 06293e420f47294cdba562489440aa06c4d2529275b3dd7cb1d7eaa5d4f0b1d9644df3727ed02cd28556b7f0120e13b1d8aa939c159137f183c7e98791657183 |
C:\Users\Admin\AppData\Local\Temp\4i405wq4.0.vb
| MD5 | 0e8ec7f764a9193ecfc08556f5a9c683 |
| SHA1 | 734c4b30944532856cbf0c6ca965a5ae049fffcc |
| SHA256 | 0afe1993d2e4eda96b079ac84939a828016669de8a47be15c895af2c1f563bbe |
| SHA512 | 72d0586fbceae3f47d4dfc4388acbdef930a589558f24ea6ef3a7f28591251ebdf45ea9199b57afafd7c2b9f2b7d667b42e8a1c81848268eb4d55c02709ac7c2 |
C:\Users\Admin\AppData\Local\Temp\vbcE2502806EA0440E89126D0D4C762FAF.TMP
| MD5 | fe326f1b66407c3a799641be622ea3ac |
| SHA1 | 789ded78e04af1828a69d6bcc87eb5f025ffa14c |
| SHA256 | 68e5634a9350339c2f5cc8c6d1936dc0f207a5383bc3e7d85beeb16bc3a01421 |
| SHA512 | 99f6f03a6712e7a6f93efc2c25dcd8ef1bdd3b3b8a9e693e11b66bcd5602f7b82201acf4c101803176128a5c99572fdbdaed39b91d39e359943198325dccf566 |
C:\Users\Admin\AppData\Local\Temp\RES335F.tmp
| MD5 | 5025a9a407b87e875a60e0e33edac96e |
| SHA1 | f04297f2c4afd564d7af0efcd328985cc9ef968d |
| SHA256 | 1f3126c8b8f8c57527f65c4c793c4ffebb3dddced5007df01134d855bbc8f5ba |
| SHA512 | 2069f1339d46d52d21895cfb27d5e93575f61efb05c081c7c064ad76390dc5ee0ffa5a3f274029c36f08fc266b26bed354dbfcce76cd57009c95ca09dbe8a46a |
C:\Users\Admin\AppData\Local\Temp\rwv2sdjz.cmdline
| MD5 | cb5b44c694a22837048bc7c578d7f054 |
| SHA1 | 5ce34a5f7577efccd349c2a61f6538dbba2c3b34 |
| SHA256 | acb794afe7888786ccb07b29809613bab65c66827a5c10398d45b3c441f7eea9 |
| SHA512 | 233c60c80aa92db8769834db4bfc5b28998c8d4c977efc738999ea2a68aa5772e011a1455aba5daba78fb3b5aa36cd3c06efb131cb9ff055606aa22eb582f857 |
C:\Users\Admin\AppData\Local\Temp\rwv2sdjz.0.vb
| MD5 | ea34cab076d79a55441ff6b906866859 |
| SHA1 | 89cc05547fbc2a1fa93a75ded89f22e8794111d0 |
| SHA256 | 7741a03b237390f3fa340e8441ff8963032549365b32493d41de99616de22f50 |
| SHA512 | c92db99a3a4f001c6147d9ef96dee6da62abaa09effc0e4ee1399da5829647fb473f80abc0bce44ba4d304dbe05424bf52080acdf9d647d98380cf9bc52e1f25 |
C:\Users\Admin\AppData\Local\Temp\vbcF9A112B6488C4A2E87449D45FE661AAF.TMP
| MD5 | 4975a74f4f88417c680514efcb6d0a5e |
| SHA1 | 58df3963b89a152ad132b11f04d5521a09876ac0 |
| SHA256 | 7f6bd52ec9318c862de1608a79087b303182dd874e17c1e44619e304d9b1c13f |
| SHA512 | 6890e500f225c729b902ccc2740a7f6f5f3a51253fa898a2b1d0645fc089f63e62147cad1c3eb042a83910d2df0cefa491b2247df12dbd8ab8ac6e9e7ef14fca |
C:\Users\Admin\AppData\Local\Temp\RES33DC.tmp
| MD5 | 71695685b5e01cf9b3e4a864af3903cf |
| SHA1 | 92906e94f3e6d240cd5815231fa7307662cb8486 |
| SHA256 | 4adf9e349604fef7ed09684ed51c42924331296a3bbc8fa201b41540e1d503fa |
| SHA512 | 3dbf5955c90313fd097e692a3ac8de15a890ec6fd2f8439d78aa0bffb199761a68fe22ea85230d35be2c34ff75928531f36cc3acb7fc7fcb8634528a27737b02 |
C:\Users\Admin\AppData\Local\Temp\_mk951-k.cmdline
| MD5 | 4db655cc84ffcf67d53d91e87b16e0ca |
| SHA1 | bc8d324dfafaff129b29688ac2dbace1d855ad75 |
| SHA256 | ecbcae7625cad77191354e67879617a9a09cbdf43f3e6a75a2f9f6a4db590614 |
| SHA512 | 9b1a1e4b5b5721d6ef195ec8806dd15325aa5bdb3082f8a9a31e99717894c996e06802b8c42ff33f4342895e8dd8f90def43535d4005ab0e7970cd942283e788 |
C:\Users\Admin\AppData\Local\Temp\_mk951-k.0.vb
| MD5 | ed1d3589a4289178e047d233553d4426 |
| SHA1 | 2ee6fae1e3f7226e01e2726b1ddaf5aa9d904d79 |
| SHA256 | 956c6f9f4fcc5dda32e302bfa843558eaf219e78641d396ad787f9b291d70f5f |
| SHA512 | 40776729a7e875389dd4c6578c4d74451e39b08b28bb4ce117e3f7c89ed9952c11f9d9380fc787d889b3ddafe2f418cb975f0086c8467e37334dd8cc50c65bd2 |
C:\Users\Admin\AppData\Local\Temp\vbc6FDFE2E9229A420B80B1BFE96CF4B337.TMP
| MD5 | bffca92e69425506af0b626074e6f935 |
| SHA1 | a9645cdbf54b65f32fcb76a9a3afe311e9f7e989 |
| SHA256 | 15a04a397d83512162d0e9f67f6ee4e7c53dd7d1ce12c260d35837081f049b86 |
| SHA512 | d98a1d6dc6e63082d74997597ca9db67433b367af0151f898e7ca3ba7c60cabb24c9cf3d40d726e8e7426c6a2980c8c55b64b25deb526dadf294c7e7235d8f87 |
C:\Users\Admin\AppData\Local\Temp\RES344A.tmp
| MD5 | 86ec6e1d5fab8afe63ce1245c4d727d8 |
| SHA1 | a935bbed552d5a4dd915c22bda02d93919bc3afb |
| SHA256 | 42bd7fb69d2a36417cbd05a664ac1e905d9d8a369612baa291d86a92fbc4cbe1 |
| SHA512 | 718794bd35e39c9890948d8376711eced98f066e62bc7944d62bda64e7e7ed380ece13a74d8c176147b16baecaf87664607f59d9ac7cc2ce619cecf76a496023 |
C:\Users\Admin\AppData\Local\Temp\p4ezresw.cmdline
| MD5 | f4b42bea62969df1c27f4bde35dbee08 |
| SHA1 | 877bd38492a912758585379463eb65f1de235f8d |
| SHA256 | 17236c0d2a16a614183e0aed2d8d7fe617fa63b4827599e2df4e7791f314160e |
| SHA512 | ab69b9cd7ae8f927668fc06fd59e5d7955f7e45d3a2eb3d21e352513ea214d9e06d910f457a1ad74f06988b988717da9847413fba8858d065e7954f19c9fdbb7 |
C:\Users\Admin\AppData\Local\Temp\p4ezresw.0.vb
| MD5 | 172c3ca11ccd13abc7d1e1d913aa9695 |
| SHA1 | 54fe456714e8797aa6f8a4fe5256d1559a6b1faa |
| SHA256 | 1d3927c7c461e6c5df741e5747dd4ca7751a631ea7d2d1c16057dd4342cd9df8 |
| SHA512 | 14e6fc57296139b7856891e1364aed3d7824624ab996f4df120ccb86c848fabb871b751285ff71484c8d0c44811f298ccd240e7b412b059325f0552bdcee96d0 |
C:\Users\Admin\AppData\Local\Temp\vbc136A19A8650A4FFB8725A1B14AEF71DB.TMP
| MD5 | 5dd6b9a1822b234a9f9352fd56efdd9a |
| SHA1 | 72c09759707ee22e9a4e892d783c2274e5981b15 |
| SHA256 | 1be5173e3c35478ce7803974f98408204366c58f8bcc48c13e3da1747dd42237 |
| SHA512 | a80548408f574f57f770c51fecfa07ce1b549716f767b622834baf06b1ae8b4c2289811fc18c0fa437b0a1e0d3e9fef608d49a0e73fd9a2f985d8a0b93279a66 |
C:\Users\Admin\AppData\Local\Temp\RES34B7.tmp
| MD5 | 484d3c770eb461f6f2d55935881d71bc |
| SHA1 | d2b7a7daea4e9179106ecc388afca1830dd6cec6 |
| SHA256 | 7f535b571ba7c5aa30a6f91adc96780288109ed8d6457c1712bc39b7204cd304 |
| SHA512 | 4cc75d7c780ff3c520be13c0e30fb10ee939074229a7c32a666a12bbe431a8ee576d4514f7145c85d4e4092573845616cf03bea3655e2825ae07d84bb0cb0a8e |
C:\Users\Admin\AppData\Local\Temp\_r9x2hqo.cmdline
| MD5 | dd349c0f3f283bfb7599d39f1bec6da2 |
| SHA1 | a92dd78e6330326b569ca0ff68cf89f85c014d18 |
| SHA256 | a5af93088160d62b6f84406058ed080247addb437c7adb397b8a2d45ec30e694 |
| SHA512 | 80fcd6610586faabb9561fcb3427c249f6b2d8b988d52b24ee7fc67be1208273fe6f56f5122f8c15d35720c296a9547fbddd43e5e885652ab90a066bd6e6b4ca |
C:\Users\Admin\AppData\Local\Temp\_r9x2hqo.0.vb
| MD5 | 78a7170464fb3315b350530ce4cdee0a |
| SHA1 | 02a6ed0267c59c935cc7c5b56132ec72800aed7c |
| SHA256 | 363965758ea1c851aefc6d2ef2030fd201b2a246d37364720fb04a9756bcf80f |
| SHA512 | 810e0f2746ef44aa15a982d84f67da85ca31c8a94f0ca02d7b0774ce9c303ccce5f220835d809d9d08cdbcb6ff2276f5afe219f05dade8d879f30eb4271c8144 |
memory/4968-251-0x0000000074FE0000-0x0000000075591000-memory.dmp
C:\Windows\SysWOW64\xdwxsvc.exe
| MD5 | 688a4cb70081d9edb63c1c1aa41487e1 |
| SHA1 | 3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8 |
| SHA256 | 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9 |
| SHA512 | 4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b |
memory/4968-311-0x0000000074FE0000-0x0000000075591000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbcE4172DC3A1D742CCB29CA53F4CD959BB.TMP
| MD5 | 3906bddee0286f09007add3cffcaa5d5 |
| SHA1 | 0e7ec4da19db060ab3c90b19070d39699561aae2 |
| SHA256 | 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00 |
| SHA512 | 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0 |
C:\Users\Admin\AppData\Local\Temp\vbc341BD20022A849B0922DACA4B73B8846.TMP
| MD5 | 85c61c03055878407f9433e0cc278eb7 |
| SHA1 | 15a60f1519aefb81cb63c5993400dd7d31b1202f |
| SHA256 | f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b |
| SHA512 | 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756 |
C:\Users\Admin\AppData\Local\Temp\vbc5FCD6FD17AD543C193AABFCECF1F2DBE.TMP
| MD5 | dac60af34e6b37e2ce48ac2551aee4e7 |
| SHA1 | 968c21d77c1f80b3e962d928c35893dbc8f12c09 |
| SHA256 | 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6 |
| SHA512 | 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084 |
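Reading a listing this long by hand hides the one fact that matters most in it: the binary written to `C:\Windows\SysWOW64\xdwxsvc.exe` carries the same SHA256 as the submitted sample, so the "Drops file in System32 directory" behaviour is a byte-identical self-copy, while the dozens of `*.cmdline`, `*.0.vb`, `vbc*.TMP` and `RES*.tmp` entries are transient compiler output. The script below is an added example, not part of this report or of the sandbox that produced it. It parses the report's own layout (a path or `memory/<pid>-…` dump name followed by `| MD5 | … |` style rows), sorts artifacts into a few kinds, and flags any dropped file whose SHA256 matches the sample. The classification heuristics, the kind labels and the `SAMPLE_SHA256` constant are assumptions made for the example; the embedded excerpt is copied from the listing above so the block runs offline.

```python
"""Parse a sandbox 'dropped files' listing and flag self-copies of the sample.

Added example, not part of the original report. It assumes the report's layout:
a bare Windows path (or a memory/<pid>-... dump name) followed by
`| MD5 | ... |`, `| SHA1 | ... |`, `| SHA256 | ... |`, `| SHA512 | ... |` rows.
"""
import re
from collections import defaultdict

# SHA256 of the submitted sample (Client.exe) as stated in the report overview.
SAMPLE_SHA256 = "4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9"

# Excerpt of the report's listing, embedded so the example runs without the page.
REPORT_EXCERPT = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\p4ezresw.cmdline
| MD5 | f4b42bea62969df1c27f4bde35dbee08 |
| SHA1 | 877bd38492a912758585379463eb65f1de235f8d |
| SHA256 | 17236c0d2a16a614183e0aed2d8d7fe617fa63b4827599e2df4e7791f314160e |
| SHA512 | ab69b9cd7ae8f927668fc06fd59e5d7955f7e45d3a2eb3d21e352513ea214d9e06d910f457a1ad74f06988b988717da9847413fba8858d065e7954f19c9fdbb7 |
C:\\Users\\Admin\\AppData\\Local\\Temp\\p4ezresw.0.vb
| MD5 | 172c3ca11ccd13abc7d1e1d913aa9695 |
| SHA1 | 54fe456714e8797aa6f8a4fe5256d1559a6b1faa |
| SHA256 | 1d3927c7c461e6c5df741e5747dd4ca7751a631ea7d2d1c16057dd4342cd9df8 |
| SHA512 | 14e6fc57296139b7856891e1364aed3d7824624ab996f4df120ccb86c848fabb871b751285ff71484c8d0c44811f298ccd240e7b412b059325f0552bdcee96d0 |
C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc136A19A8650A4FFB8725A1B14AEF71DB.TMP
| MD5 | 5dd6b9a1822b234a9f9352fd56efdd9a |
| SHA1 | 72c09759707ee22e9a4e892d783c2274e5981b15 |
| SHA256 | 1be5173e3c35478ce7803974f98408204366c58f8bcc48c13e3da1747dd42237 |
| SHA512 | a80548408f574f57f770c51fecfa07ce1b549716f767b622834baf06b1ae8b4c2289811fc18c0fa437b0a1e0d3e9fef608d49a0e73fd9a2f985d8a0b93279a66 |
C:\\Users\\Admin\\AppData\\Local\\Temp\\RES34B7.tmp
| MD5 | 484d3c770eb461f6f2d55935881d71bc |
| SHA1 | d2b7a7daea4e9179106ecc388afca1830dd6cec6 |
| SHA256 | 7f535b571ba7c5aa30a6f91adc96780288109ed8d6457c1712bc39b7204cd304 |
| SHA512 | 4cc75d7c780ff3c520be13c0e30fb10ee939074229a7c32a666a12bbe431a8ee576d4514f7145c85d4e4092573845616cf03bea3655e2825ae07d84bb0cb0a8e |
memory/4968-251-0x0000000074FE0000-0x0000000075591000-memory.dmp
C:\\Windows\\SysWOW64\\xdwxsvc.exe
| MD5 | 688a4cb70081d9edb63c1c1aa41487e1 |
| SHA1 | 3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8 |
| SHA256 | 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9 |
| SHA512 | 4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMORY_DUMP = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")


def classify(path):
    """Assign an artifact kind from the file name (heuristics are assumptions)."""
    if MEMORY_DUMP.match(path):
        return "memory-dump"
    name = path.rsplit("\\", 1)[-1].lower()
    # <rand>.cmdline / <rand>.0.vb / vbc<GUID>.TMP / RES<hex>.tmp is the set of
    # temporaries the .NET CodeDOM pipeline leaves behind when it drives vbc.exe,
    # which matches the report's "Uses the VBS compiler for execution" signature.
    if name.endswith((".cmdline", ".0.vb")):
        return "vbc-temp"
    if name.endswith(".tmp") and name.startswith(("vbc", "res")):
        return "vbc-temp"
    if name.endswith((".exe", ".dll")):
        return "dropped-binary"
    return "other"


def parse_artifacts(text):
    """Return one dict per artifact: path, kind, and whatever hashes follow it."""
    artifacts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line, "kind": classify(line)}
        artifacts.append(current)
    return artifacts


def find_self_copies(artifacts, sample_sha256):
    """Paths of dropped files that are byte-identical to the submitted sample."""
    return [a["path"] for a in artifacts if a.get("SHA256") == sample_sha256.lower()]


def summarize(artifacts):
    """Count artifacts per kind, so the noise (compiler temps) is visible at a glance."""
    counts = defaultdict(int)
    for a in artifacts:
        counts[a["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    arts = parse_artifacts(REPORT_EXCERPT)
    print(summarize(arts))
    for p in find_self_copies(arts, SAMPLE_SHA256):
        print("self-copy of sample:", p)
```

Run against the full listing, the compiler temporaries collapse into a single count and the only SHA256 hit on the sample hash is `C:\Windows\SysWOW64\xdwxsvc.exe`; that path, together with the `xdwd.exe` Startup-folder copy named in the behavioural signatures, is the set of on-disk indicators worth hunting for, whereas the randomly named `.cmdline`/`.0.vb`/`vbc*.TMP`/`RES*.tmp` hashes will differ on every execution and should not be turned into blocklist entries.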