Malware Analysis Report

2025-01-18 04:47

Sample ID: 241012-hgykfsshml
Target: Client.exe
SHA256: 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9
Tags: stealer guest revengerat discovery persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9
Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

Tags: stealer guest revengerat discovery persistence trojan

RevengeRat Executable
RevengeRAT
Revengerat family
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Drops startup file
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-12 06:43

Signatures

RevengeRat Executable (stealer)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family (revengerat)

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-12 06:43
Reported: 2024-10-12 06:45
Platform: win7-20240903-en
Max time kernel: 136s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

RevengeRAT (trojan revengerat)

RevengeRat Executable (stealer)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file
Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

With one exception (xdwd.exe, which vbc.exe also creates), every persistence artifact in this run is written by RegSvcs.exe, the Microsoft-signed .NET host the payload was injected into, not by Client.exe. Process-based attribution in endpoint telemetry will therefore point at a legitimate binary; hunt on the file and registry names instead.

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | N/A (2 events)

Uses the VBS compiler for execution

Adds Run key to start application (persistence)
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Windows\\SysWOW64\\xdwxsvc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Drops file in System32 directory
Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\xdwxsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A (2 events)

System Location Discovery: System Language Discovery (discovery)
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A (29 events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A (30 events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A (4 events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A (1 event)

64 rows in total, grouped here by process. vbc.exe and cvtres.exe account for 59 of them, and a compiler reading the system language key is ordinary localisation behaviour, so this signature adds nothing beyond the compiler invocations it is counting; the four RegSvcs.exe reads are the only ones attributable to the payload itself.

Checks processor information in registry
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A (2 events)
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A (2 events)

Scheduled Task/Job: Scheduled Task (persistence execution)
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\xdwxsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 2676 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (12 events)
PID 2784 wrote to memory of 2684 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (12 events)
PID 2784 wrote to memory of 3040 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 events)
PID 3040 wrote to memory of 3016 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 events)
PID 2784 wrote to memory of 544 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 events)
PID 544 wrote to memory of 2936 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 events)
PID 2784 wrote to memory of 2292 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 events)
PID 2292 wrote to memory of 2012 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 events)
PID 2784 wrote to memory of 1928 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 events)
PID 1928 wrote to memory of 2344 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 events)
PID 2784 wrote to memory of 668 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 events)
PID 668 wrote to memory of 2104 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 events)

The 64 rows are two different things. Every vbc.exe and cvtres.exe edge shows the same four writes that each ordinary parent-to-child spawn in this run produces; those are the compiler invocations, not injection. The two edges with twelve writes are the ones that matter: Client.exe (2676) writing into a freshly started, argument-less RegSvcs.exe (2784), and that RegSvcs.exe writing into a second RegSvcs.exe (2684). Together with the SetThreadContext signature in the summary, that is the process-hollowing pattern. The table stops at 64 rows while the process list below contains 24 vbc.exe/cvtres.exe pairs, so it is truncated and the edges for the later compiler runs are not shown.
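Grouping the rows above per (source, target) edge makes the process tree visible and separates the injection edges from plain process creation. The following Python is an added example, not part of the sandbox report: its REPORT_ROWS input is constructed here in the report's own row format with the per-edge counts from the table, and its rule that the smallest per-edge count is the cost of one ordinary CreateProcess is this example's own heuristic, to be re-baselined on any other platform before use.

```python
"""Rebuild the process tree hidden in the flat "Suspicious use of
WriteProcessMemory" table and separate injection edges from ordinary
parent-to-child process creation.

Added example, not part of the sandbox report.  REPORT_ROWS is
constructed in the report's own row format with the per-edge
multiplicities taken from the table.  Treating the smallest per-edge
count as the cost of one ordinary CreateProcess is this example's
heuristic, not something the report states.
"""
import re
from collections import Counter, defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
CLIENT = r"C:\Users\Admin\AppData\Local\Temp\Client.exe"
REGSVCS, VBC, CVTRES = (NET2 + r"\RegSvcs.exe", NET2 + r"\vbc.exe",
                        NET2 + r"\cvtres.exe")

# (source pid, target pid, source image, target image, rows in the table)
_EDGES = [
    (2676, 2784, CLIENT, REGSVCS, 12),
    (2784, 2684, REGSVCS, REGSVCS, 12),
    (2784, 3040, REGSVCS, VBC, 4), (3040, 3016, VBC, CVTRES, 4),
    (2784, 544, REGSVCS, VBC, 4), (544, 2936, VBC, CVTRES, 4),
    (2784, 2292, REGSVCS, VBC, 4), (2292, 2012, VBC, CVTRES, 4),
    (2784, 1928, REGSVCS, VBC, 4), (1928, 2344, VBC, CVTRES, 4),
    (2784, 668, REGSVCS, VBC, 4), (668, 2104, VBC, CVTRES, 4),
]
REPORT_ROWS = "\n".join(
    f"PID {s} wrote to memory of {d} N/A {si} {di}"
    for s, d, si, di, n in _EDGES for _ in range(n))


def parse_rows(text):
    """Count rows per (source pid, target pid, source image, target image)."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            counts[(int(src), int(dst), src_img, dst_img)] += 1
    return counts


def baseline(counts):
    """Writes on the cheapest edge: one ordinary parent-to-child spawn."""
    return min(counts.values())


def injection_edges(counts):
    """Edges that wrote more than a plain spawn, most writes first."""
    base = baseline(counts)
    return sorted(((edge, n) for edge, n in counts.items() if n > base),
                  key=lambda item: -item[1])


def children(counts):
    """Parent pid -> child pids, in the order the table lists them."""
    tree = defaultdict(list)
    for src, dst, _, _ in counts:
        tree[src].append(dst)
    return dict(tree)


def render_tree(counts):
    """Indented tree; each child carries its write count, injections marked."""
    name = {}
    for src, dst, src_img, dst_img in counts:
        name[src] = src_img.rsplit("\\", 1)[-1]
        name[dst] = dst_img.rsplit("\\", 1)[-1]
    writes = {dst: n for (_, dst, _, _), n in counts.items()}
    tree, base, lines = children(counts), baseline(counts), []

    def walk(pid, depth):
        tag = ""
        if pid in writes:
            tag = f" [{writes[pid]} writes]"
            if writes[pid] > base:
                tag += " <-- injection"
        lines.append(f"{'  ' * depth}{name[pid]} ({pid}){tag}")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    for pid in name:
        if pid not in writes:  # never a target, so a root of the tree
            walk(pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(parse_rows(REPORT_ROWS)))
```

Run as a script it prints Client.exe (2676) at the root, the two RegSvcs.exe instances flagged as injection targets, and each vbc.exe/cvtres.exe pair under the hollowed RegSvcs.exe with the four-write baseline. Feeding it the rows of another report works unchanged as long as the image paths contain no spaces; otherwise widen the ROW pattern first.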

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qubiz-jb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A3A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B04.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axpxq4fe.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B72.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\chvgxcz8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BC0.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjdjz-yr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C1D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ztnntzbc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C5C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tzn9l15j.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C9A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sd9ogfvx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CD8.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2c1gn2mc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D26.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bs08pe6n.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D65.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ftsuzobj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DA3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t83y_h18.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DE2.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c_2vurs6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E20.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\su9ag85i.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E5E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irlqn-om.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EAC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsgr8oyq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EDB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\709u2uyi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F48.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g8o055_j.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F77.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0zxt_49g.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FB6.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oflv9zwi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FF4.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqauhnad.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5043.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5032.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cbykn1jh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5072.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5071.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nli_wudf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50AF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xsfy6nxl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50EE.tmp"

C:\Windows\SysWOW64\xdwxsvc.exe
    "C:\Windows\system32\xdwxsvc.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Three things in this list are worth a detection rule. RegSvcs.exe (the .NET Services Installation Tool) does nothing useful without an assembly argument, so the argument-less instances here are injection hosts, not installs. The 24 vbc.exe/cvtres.exe pairs are .NET CodeDOM on-the-fly compilation driven from the injected payload: vbc.exe is handed a random-named .cmdline response file in %TEMP% and calls cvtres.exe to build a resource object, and the .cmdline / RESxxxx.tmp / vbcxxxx.tmp names in %TEMP% are the durable artifacts of that. Finally, xdwxsvc.exe is launched as "C:\Windows\system32\xdwxsvc.exe" but lives in C:\Windows\SysWOW64: the 32-bit RegSvcs.exe (Framework, not Framework64, and the compiler targets IX86) wrote under the system32 path and WOW64 file-system redirection placed the file in SysWOW64, so a hunt on a 64-bit host must check both directories.

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vkd-avtu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA85.tmp"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Windows\SysWOW64\xdwxsvc.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s4qmnjhb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAF2.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wyogckhx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB40.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hhx9u9k.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB7E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\asgduvbq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBCC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\src9qfox.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3o_y6zg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC49.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2xiepvym.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCA7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\04pzcdfe.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCF5.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o4ggnr-h.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD33.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q_4_6ern.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD72.tmp"

C:\Windows\system32\taskeng.exe

taskeng.exe {9F64EF28-2C35-48AA-8FE5-C4BD04C256E6} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]

C:\Windows\SysWOW64\xdwxsvc.exe

C:\Windows\SysWOW64\xdwxsvc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Pizd11337-26540.portmap.host udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp

Files

memory/2676-0-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

memory/2784-2-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2784-15-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2784-14-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2784-11-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2784-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2784-8-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2784-6-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2784-4-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2676-16-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

memory/2784-17-0x0000000073FE2000-0x0000000073FE4000-memory.dmp

memory/2784-18-0x0000000073FE0000-0x000000007458B000-memory.dmp

memory/2784-19-0x0000000073FE0000-0x000000007458B000-memory.dmp

memory/2684-20-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2684-26-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PtYBxGg.txt

MD5 bfbee1ccbe6981fafb1c7bff99680882
SHA1 3866c915b8a7e0592f8728c89faf6bb4d5ecf002
SHA256 74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235
SHA512 6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e

memory/2684-30-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2684-22-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2684-24-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2684-35-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2684-33-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2684-36-0x0000000073FE0000-0x000000007458B000-memory.dmp

memory/2684-37-0x0000000073FE0000-0x000000007458B000-memory.dmp

memory/2784-38-0x0000000073FE2000-0x0000000073FE4000-memory.dmp

memory/2784-39-0x0000000073FE0000-0x000000007458B000-memory.dmp

memory/2684-40-0x0000000073FE0000-0x000000007458B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qubiz-jb.cmdline

MD5 348c70be41288cb87ec5f2001317611d
SHA1 a096e559336ca0370f3255add236da4a23b2fe3d
SHA256 5db9a82c9fa12da1eed274b712c86e5c6702e0a3feedb9d67c3e6bcb27bcf628
SHA512 03fa7bb9ecaa379c3fbff4725bc001125c138513ee19b6c73b5373252987a55f009d76a54908a58a4aa1002e08a1d12f475d85b3042f428a17e6cd56a3cfa023

C:\Users\Admin\AppData\Local\Temp\qubiz-jb.0.vb

MD5 28dbf7030dad11a54e1d95dd8eb45a98
SHA1 4927487b557da799c952ea1abad44b9525d63eba
SHA256 0e0c4d33367405357ea78d211caab35b4ff3319b1f446108623439affcb07069
SHA512 1c38394109665bd782863c5f45257d756187310a51ad430e280fc5cb506afae982d9cce31ed5e6f2e98fca0f2a87d30ec03cb435a985e6013e12bfbb974795d5

C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc4A3A.tmp

MD5 f56ec8e7b27ab7433cb0c35ab2df265a
SHA1 ef1fece3dc9681f2b11a62101ef152b4e164b4b0
SHA256 407fc6c2b744b259474a155aec45b829c3bf0d8b5ddf59535ffcdbec6efcd219
SHA512 cafb3b9f7dff59f975bd49375750aaf15261be2ef4b9c9ccfe0795acacdfe2d7930908bc90375fa72154d79548cc0e61f216c9d0ba4a784f3e7e9fab50bfba04

C:\Users\Admin\AppData\Local\Temp\RES4A3B.tmp

MD5 caf89b10dee8f92c4c96032f61d61b97
SHA1 a3b3be544946d2b600c4968ba7e4627f273a2475
SHA256 d7f5e6041803e853a8a393618bb05b94406a75b6197ae6f38b24ef27680d4444
SHA512 263e45c17c9230462a2fb0b41a049930fad92cf68794e9e5d27483e72099460442d4a31aecc77f16a4af2699fdbf477b52c0cf5723c85ab6722f0669fa54ee00

C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.cmdline

MD5 a1430987517c8a53c2e43c71b5f57761
SHA1 2f90dc39a4d510a70fdacf3f61238ca9217e6a85
SHA256 5d3d8671752fb1c97a4dd031768ab63e4d0b077f3d5ea0e88981bda2149e0d2a
SHA512 4b57323f3d380d756bb642eede6da06d77edbcddbeca79192a3117858c5f8c11e35d7018b930b06c5d5239c4af116583bc493e6ea53727a837425553a2585010

C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.0.vb

MD5 499edc4bf130416dc86893476a708eed
SHA1 8a3b1172f2ea07a3adfe73d66cafb94856e75c89
SHA256 dc059da9a83a450a3483e04dfb48bc2e208ab4bc4d9ca99119da5f0ca2059e0c
SHA512 7488b5d4140aba56e2814b599e0c16964f3359c8a7dc84a853169efb0a92c8fcea97f51c9e5977e4168b8e1a8ec85e9010da3c7684f8a7d4b510075d49652e1d

C:\Users\Admin\AppData\Local\Temp\vbc4B04.tmp

MD5 f54e78018bff2fc0bc9629b248a209ca
SHA1 9ea9c37302a3f701ae4dea00a597ba3a6177cffd
SHA256 6fadcaf1b2bc54e4edc44c50341571c439f76bacee7545b9af51bdfcdd1b334b
SHA512 4e1a55bb988eddc4ffbb9ad568961701eea4e8a5f505562869a197daaea6e7b66b2f502b2ab99222e7ee57066de04cf7b12131c0e17247e94d157b29074353d0

C:\ProgramData\xdwd\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\RES4B15.tmp

MD5 94511ea5d02bcacb24980a5548ad2e7f
SHA1 1bc614d9ed8cd6d08ebdba01d25d7402fd5284e0
SHA256 71ff61a8315fcb1f3060b110f8e88a326adae5418e12760b6ab24c91a8b12d9c
SHA512 efc375550b19df467b81a0c4385c5143cdb4cb56137571169062f2ca8c624673f6debf6d1d995c2e07cb4cff2745d64edc8c619370b870259ba160ce5a5b1f6a

C:\Users\Admin\AppData\Local\Temp\axpxq4fe.cmdline

MD5 d106a10faab8e842023b83a502d66ba2
SHA1 8dc42848b0ca97d92b148c0f79721d17e052d16d
SHA256 7af7673857dc610cf052692d0b68c2cca3626bfccb5e0508843307f02532dea4
SHA512 ef62774e41e6e03580f34f95b2c1621ae94b1cf37c0c131d116e0ac7334e4eebc7803980fe4172b53a7df9dc060459e8390d1c630ece5b307c05312fcae0e4c6

C:\Users\Admin\AppData\Local\Temp\axpxq4fe.0.vb

MD5 6d6736464a399fb3f33dda2efd7833e5
SHA1 0fa9412d9f0586cf5e162b8335e08966b0439c4d
SHA256 60ad43b63d891185bc44b19b63c636dcffe24f11a5b982bddd78b7d4b36b01f7
SHA512 a0aa1b1e61358febc57bcd455b9dbf16199c2d18c2f43247f6c784b86d1b2e74b0b406339e49486156361d55fc96f5937de412ddf27016bc68da9fcd19ec50ef

C:\Users\Admin\AppData\Local\Temp\RES4B82.tmp

MD5 e7e8fcbcb342a446af66c708076c0a9e
SHA1 6288f5ab7b1bb4b15dbb37c838b256108cedb34b
SHA256 48e5da0c97dde3a15aeff275fc24118599ac2c08e4f6364a1beb18281941eacf
SHA512 4f526f7b25f138cb844d5bf493448d7a1603e6b6a7599a1a9d264f171900d0e6f91ab0abf76481680432b864427492e1405862a6a458488d826d609ed95d99c7

C:\Users\Admin\AppData\Local\Temp\vbc4B72.tmp

MD5 7d0b309b813eb9e157d49841eaf90e46
SHA1 cf12385a908b6830fc611d2ff66e22ad2e9331ef
SHA256 79c0c1ae5a7941637006b31a3e91ac04cac7f810e7960a466bc7d4ef5f72d268
SHA512 732dc5db7d74c62fd85e72ab22fee6f4f4113bcad44363e787a7f4b9bbd627d5caf83c4925d8937a5a6d41cf535aaa1d3ad50c3c004805342e8f0bc5160cc102

C:\Users\Admin\AppData\Local\Temp\chvgxcz8.cmdline

MD5 6bb1311cde344117b41ae1388e4af0d4
SHA1 2d5d78b1d885d27967d9fc096490ed05871edbd3
SHA256 7d720788f0983701a7cb5418713813bb581a2cd578c676895d95a671b09a0cdd
SHA512 16f2199b8aff5a0855c2e48ed0337bb1d860612a6bc8670d08a1b2a56568c4b85872eb431b4f51bc5585d6684aa6ddb87bacaff2daa9f6fab8c9f0f700b47047

C:\Users\Admin\AppData\Local\Temp\chvgxcz8.0.vb

MD5 853b3577984f8d9536757122cf3fe4c1
SHA1 99fa6df3e78b1edd2d3e8d4570e2049d8fdfc10b
SHA256 3097c64964242cbc2ecbc3313a0533b9eaaa17ee546fafae54a1c447410a0f15
SHA512 28782107e46a49430b9f8ed402d3c440847a6faafac8b0862c378bcce39bacea7eaf6ef0f61774ade52eaafd07e3f66c582bd80cfbd3d9b26bd2e08e0579b87d

C:\Users\Admin\AppData\Local\Temp\vbc4BC0.tmp

MD5 5fd6d1a9b0847da6b9838453b0fdc6b7
SHA1 8e3242d283c175d435aa6b02105088a02e9032d3
SHA256 de6c26880758f6c0963edcc3caccb180e551bb871189946450088212cb798cbc
SHA512 0317a7e7f9f5510036e8534199e448ad49cd48c83695c8a25d6b3549f37bf0611c56039aebf634aec2764f27f1d637d0c9eba4f781145fce7978d8a1f7003bb0

C:\Users\Admin\AppData\Local\Temp\RES4BC1.tmp

MD5 9e98088b9a30a3007fce446515b665d4
SHA1 fa0c73c1cb688dbdf9c92b1e3e7b4de026e712af
SHA256 974ce4345b4fec58735b4901382dd521f093f5ede099e8ca3765fc1bc0432069
SHA512 805e349be57c9a21f5e54a0f6b789bfcbeb8d7e98a20d43a6becfc3fcc6446da486e02c55670199a6a6f4ddb94dde4a39f250692f6ab8c88150db8a3a7120d24

C:\Users\Admin\AppData\Local\Temp\xjdjz-yr.cmdline

MD5 662f48f87889148a40bfcd9521933a68
SHA1 a0d925c94f740a53046af107b522e494ffac4177
SHA256 a4818d61476dc4ebe6fb926e21a576bfd510d4a61ca71c2475820a0ec201c119
SHA512 74f6801ee146218559cb3504b807a41e631dc7e5b24230d13a85213a16ba07b30e853f3c4cc0f9e33e7425c4e0dccf7f132b027ca1c4f00882d88c1919b0b9c2

C:\Users\Admin\AppData\Local\Temp\xjdjz-yr.0.vb

MD5 091b3615e797617cedc6807190f3da05
SHA1 eb4b5f559a401fda98716fec402b9e0fc782bb97
SHA256 82f18b95d25ba46269c7d55018d021dcd1f200fd7b44a543799cdfa70785aba3
SHA512 f50c40c9ffb3800b9c134ed10af8db4acb76d10b4c6090e3db340196c1edec862210bea72dc078ca9d3a9ddfabed0661058a8719690bb205cba4a86984f37275

C:\Users\Admin\AppData\Local\Temp\vbc4C1D.tmp

MD5 c2a1f93457194362fe4bf107160c6444
SHA1 8e5bdb11e19b0b86a80de288ba54640681ced4c2
SHA256 6e5bed38e821244cee51b71556e4667392b0a398dcdf30e7f58c281b2bbfc31f
SHA512 dec310d68906acc7cd8bc08d57d30440402f83996a75f5e38757c08b4a4967cdbfe23fce813a2ac5c75b36625e276ab3503473dbae212c24bd0eeeb89f6b2c83

C:\Users\Admin\AppData\Local\Temp\RES4C1E.tmp

MD5 7e4e02ae5156e672603ccc3093d5cc9a
SHA1 9006c350a8db9eb2dd3d6cdba5b1e9f4961eb61e
SHA256 bd6ee7089c6a9d53a92e8192fb2de990b3016982dac2d4dbc1d616d9a6deb337
SHA512 fc0e8b28d312ee0de857c63f14ead98d9f0163aebc9d00ee6646e9af3945e2f6b92e67e042a6566a229c2448120bac3867f94d2ef061f6aceaf33db3a8b6cdc5

C:\Users\Admin\AppData\Local\Temp\ztnntzbc.cmdline

MD5 18683cdea5015cbf49ae865dd829acb4
SHA1 77e124d1eda6e3cc2be4cfaefd7e50230256e5a9
SHA256 439cbad6785ffebc89a34164a949a1add4cd2d1597e758476d5b67ea86adb779
SHA512 e9f316d3aa0ad89dcf130b03fe5fb12bbab88fc97d5a0daf059a28cd02494b09339c99696f9592f10a75c8957916d8add33a32913d5c01560904d17d13875d9c

C:\Users\Admin\AppData\Local\Temp\ztnntzbc.0.vb

MD5 9106ed4276c3b384571c45cabfa628c9
SHA1 ec931a66b8adb01af8b1d95610bf2b2d2f115ffb
SHA256 459e3a5cd1e0a1c69fc3fa7e216bd024b6dda79c1faff1ffb2aa70bad0eb5b29
SHA512 108b2a6003d091ab855228b0d178ca0037fb10f7da4ec00a7ae381962476a1dc9be819c03eb7689677da59b9583cae39752f0a860c10729d75ab1182396267f5

C:\Users\Admin\AppData\Local\Temp\vbc4C5C.tmp

MD5 b378530cd26ba7d8b82d2d2d36586d7e
SHA1 4c77ec0a0ec88ae50a38e33142f9e6cbfadbfd34
SHA256 cb452c05710d2f19a69b02824389a0c0078ee2e7d8d797949f9684e09e8f238f
SHA512 b76e7e5890723c3a7890cc70c14240fb9db62eb5177a0c079b9ec3f7a594a44795cf054d35e9127204348442c2df1833fba638c7da2eba60434eda23991dcf0b

C:\Users\Admin\AppData\Local\Temp\RES4C5D.tmp

MD5 ef540f48ce5b165582929cfb91609697
SHA1 a3613dfc1cfd2253ed17c0befdeb04255f9ec4ac
SHA256 9c37e422cc8e11d991f3cbc09091947582f04d06f4a43cd2ace2e9dffe61a45d
SHA512 68d8dc5baa1a823370ef2833f89dd6867fd858c6b3ef32c1e85e6ad308a46326072a4f6b343f8c27c000f4dbc13b8c60ae4733b2e34b55850202488b9752dc65

C:\Users\Admin\AppData\Local\Temp\tzn9l15j.cmdline

MD5 b7d7dc70f3590e9fa2222d89da9ba6c0
SHA1 1874c1bcfd36d52e03eaf8f7e9e8bf3d4ba2b92c
SHA256 7a51a39bd347eb3b5ab0561d26ec7750f0774936f36319aa3dd8811e5f05273e
SHA512 c7e63d8df57fe77759331355135919084ab57303a37d471f5cae543e9c804454a001a38642f3ae8b9a770358857e7ba90dc4df66ad8b3f1ae2022670dd67a2cc

C:\Users\Admin\AppData\Local\Temp\tzn9l15j.0.vb

MD5 241d42a34175e7443e7787371469d3c6
SHA1 cd4ec5655235131bcf3e31da6822be8a154e006f
SHA256 c0621ca644e71002899bb4b19caaa81045234b73f1883bdd9a5a1be3ce033b1c
SHA512 6feae60ba972cb315b259b8b3e4e576b4d5c8b8d5fb383612630d2858a3a76ab896ba70ba951d26c04393861b4f986a1c13dcbea1d22776facf303a8c264077a

C:\Users\Admin\AppData\Local\Temp\RES4C9B.tmp

MD5 bfd3df4a8ffc807031bda118c89e9da3
SHA1 9f7c291b1f53f19699a67eb17e30381ab110cd0d
SHA256 f62a9ed36d2fc11042a4bca512b630887763aa5d97f7f5441e61899f596f5b98
SHA512 7921554407cf33f46eb6abb5e3f604ab02f0431923093f5b79883195f471f07b1cf112033effacbdcf3d5df303bc266f8d0850a9185cd3828a360b8322426aa5

C:\Users\Admin\AppData\Local\Temp\vbc4C9A.tmp

MD5 24012f4aedc51242dffddeb2c96fcec2
SHA1 786792a49e6e344ab2b983f62bcc84ced2e70b56
SHA256 33c1e2b5ffbf847ac72cc9a4e97551f24c42dfffeb03bf4b6f823fdd6e96cdcd
SHA512 f30ca575ef65cd0ce63429e4976fdfbcd353fa1567496db1634483f88c81667452862c65eed4930da3ba6cb509a089322f32ef1598e37347ea49c9aeb7408b56

C:\Users\Admin\AppData\Local\Temp\sd9ogfvx.cmdline

MD5 5ada34c839b36da4cce49664b6dcee46
SHA1 e51ac222cf1b2863d4ae0bf9f353913b8bae1ba9
SHA256 6a85ad97002c37c99c48438d2f13c049392baf180b7d97ce6af908619c411d77
SHA512 c2ca3327615617a2ae2ab62f6621bbaa0e5484bd709a0ea604fd99c1a5d80b46ac8680cbb1bb752b10110879f7808a132299d59951492cd1cff8bb15bfd9e5d8

C:\Users\Admin\AppData\Local\Temp\sd9ogfvx.0.vb

MD5 160882c653fbbe14f076e1a651dd6fa0
SHA1 041e85466ebb363cd5c272e048a114aed21e2011
SHA256 aa170cc9b3bb4c2e52a8dc55eefbec37403412ffea1a5ee560b10e3544804ef6
SHA512 e35c51b1738acb4a17c724ea192742a103291b085587bd626d41e010bb16c842b1719f4f627a35e278d8a4495dd72f050e9087d3cd6eddb7ab6be5cab250bd2c

C:\Users\Admin\AppData\Local\Temp\vbc4CD8.tmp

MD5 5af6523865462981381750361f7a5e8c
SHA1 5a3738e6b869adf8a8749b85b742edf39d52d6f7
SHA256 75424b06e7a5c9f070e7a7aececc60f2427892a0b78117bea3d0aba5f562cae8
SHA512 2bca9d858578fc4b6d605e68d6e398bbcf9940b110a08b0c6bd9a04e67861e69fcf174aeb4bdc2644bcca903713a6b4f3b65ac6960f8865655a2c1c88107f257

C:\Users\Admin\AppData\Local\Temp\RES4CD9.tmp

MD5 6268292e44cf59442dbb64af533944ef
SHA1 477b17ea478cf75263f706e0f415469d60493528
SHA256 8e504b854a097af24be6e41f9543f1abb384e0189fca3e57a0db8fec615281b1
SHA512 c9370903ee28a2e937d7546f00bfd16f69ec2b2c5f7b2d828d3053af2e7f900aef45ef21cfe7caed1ac496d2f9b4e5c59416057d68fc70dfda0e6412a514234a

C:\Users\Admin\AppData\Local\Temp\2c1gn2mc.cmdline

MD5 04216f069c336d89d9eee54f07524c62
SHA1 e92e91284503b276a0a41c640e6c9baa3f70ffb1
SHA256 59b367e58a8f8e26444bb4a01e23f4453d4446123f54388501d8ca4b3ae2b391
SHA512 c1e9826aa0ff6f991e7cd11dda27669de2e12bfffbab83af80af4cd8557fd0e36f22c711fc6f16b1fa999156f460271c31cee3765ee17254cc0874aed486315f

C:\Users\Admin\AppData\Local\Temp\2c1gn2mc.0.vb

MD5 0e8ec7f764a9193ecfc08556f5a9c683
SHA1 734c4b30944532856cbf0c6ca965a5ae049fffcc
SHA256 0afe1993d2e4eda96b079ac84939a828016669de8a47be15c895af2c1f563bbe
SHA512 72d0586fbceae3f47d4dfc4388acbdef930a589558f24ea6ef3a7f28591251ebdf45ea9199b57afafd7c2b9f2b7d667b42e8a1c81848268eb4d55c02709ac7c2

C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp

MD5 8129f7e2dca51d76041b78447695a304
SHA1 3f27b119efbbf865f2e452c4eb3b0fb2ef9f6f0a
SHA256 416c797937c243746ffd6e83311d30825488694764e01e62f8d84298c02275cb
SHA512 86e9dad3f194027a7ab4f121707574c9703e0664c216e92d0458393ed0a67b3aa12f8c09dc1594bf92a6e3fb42b13d4e0b6a26488d8e30b49e99b8d4746e37bd

C:\Users\Admin\AppData\Local\Temp\vbc4D26.tmp

MD5 c64bfe995d7fb0619132a5cf383e487e
SHA1 2fe80294a7c6dae11d86063dd9ab2166325901a4
SHA256 9db578d6f8282b675c8db2bf9446d21359234fc239b5973d8d7d0e68d86aec3c
SHA512 839e1a6913470c54232a1060c07ea95499c860015c5e894d9d9c002f9b2c6b6700d4c132b8003d91216c9ea64800a4cef9d4c9181e9317b97c98564016dd9687

C:\Users\Admin\AppData\Local\Temp\bs08pe6n.cmdline

MD5 ce9ecb159f202c97ee1974e6354f8acc
SHA1 c6a3b3d20402d8301f32b356fed1d5e231b63dc1
SHA256 8c3047622ec3ff3ce68be77b73669c6c3237ab0f0f05fc4c626698d0609f7d91
SHA512 fbb597e12284ebd67f3d8ba651da42f1bb11704e517a9fd8189c71884da0a7d6005344f74ffb3dcb076b03556ed937c1589cc04c1c64932172e0779efc88f889

C:\Users\Admin\AppData\Local\Temp\bs08pe6n.0.vb

MD5 ea34cab076d79a55441ff6b906866859
SHA1 89cc05547fbc2a1fa93a75ded89f22e8794111d0
SHA256 7741a03b237390f3fa340e8441ff8963032549365b32493d41de99616de22f50
SHA512 c92db99a3a4f001c6147d9ef96dee6da62abaa09effc0e4ee1399da5829647fb473f80abc0bce44ba4d304dbe05424bf52080acdf9d647d98380cf9bc52e1f25

C:\Users\Admin\AppData\Local\Temp\vbc4D65.tmp

MD5 78b2b0efd28d76fd21accc5df43260ba
SHA1 b67bee7224718c60826ca7cbcd230ca017613925
SHA256 bd4ad2a296b00df59d844704bfb0d313ded795641bdd4c6ddaf1fd62bdc7482b
SHA512 b60374331f47f44036062056ee43654f762a7a4f0a24ca242739fdc6ca8e3c0d5bd24d94326c8af1735137522565b5b77cde480ead7dbb7b4b6684a826e92926

C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp

MD5 71cc1477e3099675bf039f26d082bd90
SHA1 bc31247ea03a473890ebbdd9bd229ef1de211f2d
SHA256 40186ebc094300701573937661408c312e7a04eb5c800bfde4a64c2d1d6c5fdb
SHA512 2b741f08c273a202ef921a8b99f67167174bd0c8de8ee44bc5db93cc2f624b0163d1a95836e632a10358a68a5d865accfe08c24e87b7a466ad5b42f04b9b8629

C:\Users\Admin\AppData\Local\Temp\ftsuzobj.cmdline

MD5 f98b38334abe94d2b79b26e834c26cca
SHA1 b33ed4f58a5814305887d0c37ade1513704d9aab
SHA256 fa3700d9eb80b0638d0491f78f052d5489bb43b49868f229ada221c88d8d2074
SHA512 a02d2430a2c067245a800071b89da69f403bd669e04d5b05cc820e2667e6ce8201df0de142594f64a1c2c6d41ee53489d1d3209174a3721c398e0c9eb010d697

C:\Users\Admin\AppData\Local\Temp\ftsuzobj.0.vb

MD5 ed1d3589a4289178e047d233553d4426
SHA1 2ee6fae1e3f7226e01e2726b1ddaf5aa9d904d79
SHA256 956c6f9f4fcc5dda32e302bfa843558eaf219e78641d396ad787f9b291d70f5f
SHA512 40776729a7e875389dd4c6578c4d74451e39b08b28bb4ce117e3f7c89ed9952c11f9d9380fc787d889b3ddafe2f418cb975f0086c8467e37334dd8cc50c65bd2

C:\Users\Admin\AppData\Local\Temp\RES4DA4.tmp

MD5 52f1aa945efc91b825794118f24a3f77
SHA1 445d9469fce1faddcca0590ceea485009901e428
SHA256 1d8e25845f377e9aa818ebb5493a11dbd1743ce38594179c1ba0e3299783ce3d
SHA512 0eb6b510e2c49e115224ad0df16378d211f29472406f8882e62a20ffb279733d94fe6c2f9d2a049cd61437ed264ace55dc12997edb987694a4072799379ab101

C:\Users\Admin\AppData\Local\Temp\vbc4DA3.tmp

MD5 5d0b41994c1eed8db0edc5c7dc6326b5
SHA1 a4deffe9a8a153949ebd354f7c4e9fe916be6e04
SHA256 d7a014d773f92c9fdc5a0a61e9c595b2331170bbcfbad3f782653be266f28809
SHA512 dd7948ee2f1f022b7fe3d5fb368dc50a875ff16017a8edb077315cee74ec7a15343fe1adf7ff179e16be94b556d32db06cf3fee56e0e19f13478652458b5ad1b

C:\Users\Admin\AppData\Local\Temp\t83y_h18.cmdline

MD5 825289cc36aedcf811a04932eade8e80
SHA1 63819a63ccf60616af2051a07d8f87efcc9ee897
SHA256 e13569644731ad2d9d8c536ce97a482bcb1a5bd30462441d7c457e5272064163
SHA512 66c5b1a5a99865b2649fe0a7bdfa082d1613f9ee817d554352ca036502500d457a2051fea5e2bfe96a0843159bc2b1b3becf15dcd2c1ad28d496373f50ef4a26

C:\Users\Admin\AppData\Local\Temp\t83y_h18.0.vb

MD5 172c3ca11ccd13abc7d1e1d913aa9695
SHA1 54fe456714e8797aa6f8a4fe5256d1559a6b1faa
SHA256 1d3927c7c461e6c5df741e5747dd4ca7751a631ea7d2d1c16057dd4342cd9df8
SHA512 14e6fc57296139b7856891e1364aed3d7824624ab996f4df120ccb86c848fabb871b751285ff71484c8d0c44811f298ccd240e7b412b059325f0552bdcee96d0

C:\Users\Admin\AppData\Local\Temp\vbc4DE2.tmp

MD5 3e0e8bfe2f219da1eea600f4a0f466c7
SHA1 aceefc4c180dd34b21d82116aeebadfe728fef93
SHA256 cba9bb462cd314f80453e4647db5bc30568e1a3a8969e3c73195aed802154a82
SHA512 c130a29581651155ccd73b3a29a51edb7fb3f1a848622f22b2b7d9d93f4e6de1c6a605c83e09c9d5f9952af23424b55e64fb1c0643e74e0b9110a76f5aa46db5

C:\Users\Admin\AppData\Local\Temp\RES4DE3.tmp

MD5 492f8734a28884a60a3aa05286ecc223
SHA1 fee4383e9bc00dd3f8e17ac2d9624ec637f9e348
SHA256 818ebc942d6dc70f40679b4e49ca5dd6a82a0d38091eb3ab25031a78d3ca40a8
SHA512 6840d2f5a57ebabe7764f9e1d45d28a623fd7c1e698834424ff84ba1f9376c28a50b92bdf8573b95b9f1229669093d0c7039d2831ae372c994330a62301a5c92

C:\Users\Admin\AppData\Local\Temp\c_2vurs6.cmdline

MD5 6250f1661ee46be25c0db29d60625b37
SHA1 2af874872342d500ba2bcf7dbd89c32fdf6697d1
SHA256 0d90ca222be066f892420d37503f48275dd634b2878a5130c16cd92e315088b8
SHA512 edc8d1c3520e80f68b5c01d5c58672418a7d64eccf0d43e7bc5c12ee0e3e9563dd648f248542736c2725fb288a8e2dcd05e1483b434917f77d3ea864e7fc0a95

C:\Users\Admin\AppData\Local\Temp\c_2vurs6.0.vb

MD5 78a7170464fb3315b350530ce4cdee0a
SHA1 02a6ed0267c59c935cc7c5b56132ec72800aed7c
SHA256 363965758ea1c851aefc6d2ef2030fd201b2a246d37364720fb04a9756bcf80f
SHA512 810e0f2746ef44aa15a982d84f67da85ca31c8a94f0ca02d7b0774ce9c303ccce5f220835d809d9d08cdbcb6ff2276f5afe219f05dade8d879f30eb4271c8144

memory/2784-341-0x0000000070340000-0x000000007074B000-memory.dmp

memory/2784-342-0x000000006FF30000-0x000000007033F000-memory.dmp

memory/2784-343-0x000000006F6C0000-0x000000006FF24000-memory.dmp

C:\Windows\SysWOW64\xdwxsvc.exe

MD5 688a4cb70081d9edb63c1c1aa41487e1
SHA1 3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8
SHA256 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9
SHA512 4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b

memory/2784-348-0x0000000070340000-0x000000007074B000-memory.dmp

memory/2784-373-0x0000000073FE0000-0x000000007458B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 06:43

Reported

2024-10-12 06:45

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\xdwxsvc.exe N/A
N/A N/A C:\Windows\SysWOW64\xdwxsvc.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Windows\\SysWOW64\\xdwxsvc.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\xdwxsvc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Windows\SysWOW64\xdwxsvc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\xdwxsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\xdwxsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3580 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3580 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3580 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3580 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3580 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3580 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3580 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3580 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4968 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4968 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4968 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4968 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4968 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4968 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4968 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4968 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4968 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1468 wrote to memory of 3772 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1468 wrote to memory of 3772 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1468 wrote to memory of 3772 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4968 wrote to memory of 1416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 1416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 1416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1416 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1416 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1416 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4968 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3068 wrote to memory of 5092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3068 wrote to memory of 5092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3068 wrote to memory of 5092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4968 wrote to memory of 3652 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 3652 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 3652 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3652 wrote to memory of 4432 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3652 wrote to memory of 4432 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3652 wrote to memory of 4432 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4968 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1992 wrote to memory of 4540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1992 wrote to memory of 4540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1992 wrote to memory of 4540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4968 wrote to memory of 2376 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 2376 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 2376 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2376 wrote to memory of 1020 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2376 wrote to memory of 1020 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2376 wrote to memory of 1020 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4968 wrote to memory of 4924 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 4924 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 4924 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4924 wrote to memory of 216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4924 wrote to memory of 216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4924 wrote to memory of 216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4968 wrote to memory of 1740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 1740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4968 wrote to memory of 1740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1740 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1740 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1740 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ca7usmr3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64D4B2D7D9954D9B9E67B8F6BE937896.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ivb6irl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3023.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AADB41FDB2486192B9B5911565877.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p8iw9tke.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5C749C08B35490582E96C74EA9D65B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yk2y4arh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES310E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C9147229E9B4EACB6BBF92076541C27.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1l8zvdck.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES319A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C59D9A1C09342A8B2B8E668DBF693AC.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-oubtxx3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3208.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F5356F5AA7D4A2CAA62AA27BC1E2746.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jpwbgctr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3285.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D5BEB4642784F57B9B55B67A752473D.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qchxndj9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD53DF87B9E7B4BD0B39817ABDB8AA68F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4i405wq4.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES335F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2502806EA0440E89126D0D4C762FAF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rwv2sdjz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9A112B6488C4A2E87449D45FE661AAF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_mk951-k.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES344A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FDFE2E9229A420B80B1BFE96CF4B337.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4ezresw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc136A19A8650A4FFB8725A1B14AEF71DB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_r9x2hqo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3524.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11C423786C5480E90D28A5BFE3AF4FA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-sbn5t6h.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3592.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB41A0FE21FC4AA9A2429ADDD33D968.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9v77c86w.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES360F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9EE33EAF4284062BB342E2A64D73E6B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p0ro9gve.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES366D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1012F5B7CA89403E8E27C25AC4BC78BE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hbxsmfne.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3776.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF987E76134A447C3841A7D66C6322A96.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2_t-u0ik.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3803.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70D80F347E2740CEAFC8E4ED59CBC786.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\epydxdwf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3870.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc378B500514EF4D20813C2F1E23FA60DB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iizqnfpi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc418930BF78BF470C882AB828DB1825D3.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y-xbe5yu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES394B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1853953DF95946AA88897699CB6666EA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kz61m0l7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABDA5826FA9344F38D1388D065168B65.TMP"

C:\Windows\SysWOW64\xdwxsvc.exe

"C:\Windows\system32\xdwxsvc.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\boiadb1e.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF88BBEA870394E06BC899C4865DC67E.TMP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Windows\SysWOW64\xdwxsvc.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-tjq6ibs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE191.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C0AAB4FF58D4FCAA14B9EA8578FD4F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pzyxx0og.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE21E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9B252691CB7422384C1887BD8A79158.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bccygghf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE29B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17A80A4E97E04DCCA5B250DC8633FD51.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1bqjndnm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE308.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4172DC3A1D742CCB29CA53F4CD959BB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmy53ax5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE375.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc341BD20022A849B0922DACA4B73B8846.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fl-mtz6u.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A3538A8A66C4F46B5FB4338B9699F4.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bhwthdx5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE47F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82E2FF46725440A39ACF77139FE117E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pxt4we7z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5FCD6FD17AD543C193AABFCECF1F2DBE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2rux2ym3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE55A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc27304D567EAB41E7B8E5613FF72238A1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yvz5vdit.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5D7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0603BDD72846A58F9DF4888E23475F.TMP"

C:\Windows\SysWOW64\xdwxsvc.exe

C:\Windows\SysWOW64\xdwxsvc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Pizd11337-26540.portmap.host udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
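
The only non-Microsoft destination in the table is 193.161.193.99:26540, reached twice over TCP under a portmap.host name whose label carries the same port number; the remaining rows are DNS and reverse-lookup traffic plus the sandbox's own Bing background noise. The script below is an added example, not part of the report, that turns this table into IOCs: it parses the four columns as printed above, keeps direct TCP connections to port-forwarding or dynamic-DNS services, counts repeat connections, and cross-references any in-addr.arpa lookups of the same address. The tunnel-service suffix list is an assumption chosen for the example.

```python
import re

# Constructed copy of the Network table above (Country Destination Domain Proto).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 Pizd11337-26540.portmap.host udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
"""

# Port-forwarding and dynamic-DNS services RAT operators use to expose a C2
# behind NAT. Assumption: a watch-list for this example, not from the report.
TUNNEL_SUFFIXES = (".portmap.host", ".portmap.io", ".ngrok.io", ".duckdns.org", ".no-ip.org")


def parse_table(text):
    """Parse the space-separated table, skipping the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def reverse_ptr_target(domain):
    """'99.193.161.193.in-addr.arpa' -> '193.161.193.99'; None for other names."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", domain, re.I)
    return ".".join(reversed(m.groups())) if m else None


def c2_candidates(rows, suffixes=TUNNEL_SUFFIXES):
    """Direct TCP connections to tunnel hosts, keyed by (ip, port, domain)."""
    ptr_targets = {reverse_ptr_target(r["domain"]) for r in rows} - {None}
    out = {}
    for r in rows:
        if r["proto"] != "tcp" or not r["domain"].lower().endswith(suffixes):
            continue
        key = (r["ip"], r["port"], r["domain"])
        entry = out.setdefault(key, {
            "connections": 0,
            "country": r["country"],
            # Port number repeated in the hostname label, as in this report.
            "port_in_hostname": str(r["port"]) in r["domain"],
            # Someone (implant or sandbox) also resolved the address backwards.
            "reverse_lookup_seen": r["ip"] in ptr_targets,
        })
        entry["connections"] += 1
    return out


def ioc_lines(rows):
    """Flat, sorted IOC strings ready for a blocklist or an IDS rule."""
    return sorted(f"{ip}:{port}/tcp {domain}" for (ip, port, domain) in c2_candidates(rows))


if __name__ == "__main__":
    table = parse_table(NETWORK_TABLE)
    for key, info in c2_candidates(table).items():
        print(key, info)
    print("\n".join(ioc_lines(table)))
```

Blocking the IP alone is short-lived for this kind of C2, since the operator can re-point the portmap.host name at a new tunnel endpoint; the hostname is the more durable indicator, and the DNS rows show it is resolved before each connection.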

Files

memory/3580-0-0x00007FFC374E5000-0x00007FFC374E6000-memory.dmp

memory/3580-1-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp

memory/3580-2-0x000000001B7B0000-0x000000001BC7E000-memory.dmp

memory/3580-3-0x000000001BC80000-0x000000001BD26000-memory.dmp

memory/3580-4-0x000000001BDF0000-0x000000001BE52000-memory.dmp

memory/4968-6-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3580-7-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PtYBxGg.txt

MD5 bfbee1ccbe6981fafb1c7bff99680882
SHA1 3866c915b8a7e0592f8728c89faf6bb4d5ecf002
SHA256 74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235
SHA512 6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e

memory/2612-8-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4968-11-0x0000000074FE2000-0x0000000074FE4000-memory.dmp

memory/3580-10-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp

memory/4968-12-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/4968-13-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/2612-14-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/2612-15-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/2612-17-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/3580-18-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp

memory/4968-19-0x0000000074FE2000-0x0000000074FE4000-memory.dmp

memory/4968-20-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/2612-21-0x0000000074FE0000-0x0000000075591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ca7usmr3.cmdline

MD5 2827db573f2c410fbe2d4c6aa6ccb455
SHA1 206215ef99212e21f16caff5c0944b5288b357f7
SHA256 7a2cef3fbe9294ae612a84e6df629ce97b00c770004455ebfd9b02b78bdd2db2
SHA512 e40ecf867851d3e124d7249e31d8a30c432766fafb0bf8fc086cee99b7bfd9e19138e0783726e17ad7a9b797c4078f0630da7fe6411406a8a71c18545a415fbf

C:\Users\Admin\AppData\Local\Temp\ca7usmr3.0.vb

MD5 28dbf7030dad11a54e1d95dd8eb45a98
SHA1 4927487b557da799c952ea1abad44b9525d63eba
SHA256 0e0c4d33367405357ea78d211caab35b4ff3319b1f446108623439affcb07069
SHA512 1c38394109665bd782863c5f45257d756187310a51ad430e280fc5cb506afae982d9cce31ed5e6f2e98fca0f2a87d30ec03cb435a985e6013e12bfbb974795d5

C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc64D4B2D7D9954D9B9E67B8F6BE937896.TMP

MD5 c7f6a41a3079bda4520d06472901e666
SHA1 8243ac437fbfcfd2ab13c20ff038787ad771b649
SHA256 72a7ef5911e3abdc3cfadf04c8796dd491602316ff42bafa8ca88461daa545bf
SHA512 ece70e1febf2f9dafdc1ce6ba46c74a43065893f7284fc510298e69f42dc129170b1874687a27ad5a1b60b87af0b0d2f067c8284ca0386fece18ae8baae3eb64

C:\Users\Admin\AppData\Local\Temp\RES2F87.tmp

MD5 3024c6550358972ccf85395868a18ed7
SHA1 2555f90731b6e5b9b644e51aa63f91f809a2e9f4
SHA256 d265915a6f47eb41745f88f050fd25b9132d763add5143de2798461241ecc4b9
SHA512 ee1bb888f84f408c9f0afb4578291f15b7dce64f258c605455682ac3395ba9858e9afdd97bf977f34750d380612e0ecdb9149952588c91bbb2d55c68cce99e2c

C:\Users\Admin\AppData\Local\Temp\8ivb6irl.cmdline

MD5 905ba46d7948bedd3de916e9d49620ad
SHA1 3d7b543e9b8d7b30721f0c4c59f0eec5aa1ebed1
SHA256 e798f12dcab19e2239f056cb960c502110e634ffa559ffeb8aaf61b4a2844f55
SHA512 347a37f2f202e12b757e293e9f6f061a958c41105c879b2e46d6c46101c20ebcf0ddc6174b0d39d3469fe5990ffeb51a54410a2556803945a2510e85b8937f7e

C:\Users\Admin\AppData\Local\Temp\8ivb6irl.0.vb

MD5 499edc4bf130416dc86893476a708eed
SHA1 8a3b1172f2ea07a3adfe73d66cafb94856e75c89
SHA256 dc059da9a83a450a3483e04dfb48bc2e208ab4bc4d9ca99119da5f0ca2059e0c
SHA512 7488b5d4140aba56e2814b599e0c16964f3359c8a7dc84a853169efb0a92c8fcea97f51c9e5977e4168b8e1a8ec85e9010da3c7684f8a7d4b510075d49652e1d

C:\ProgramData\xdwd\vcredist2010_x64.log.ico

MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

C:\Users\Admin\AppData\Local\Temp\vbc8AADB41FDB2486192B9B5911565877.TMP

MD5 7401d50a9bc171ba9d6ecf6b30ecbc73
SHA1 1859b15305b11751bac9a8ca5da2997b9c6441ed
SHA256 6619ec9babf74ad74669c504b215c5789df1852c7ed14484369698f34bb6eac3
SHA512 16f0ac31a55dc905e99df489004236e0effee3637778f8a40b9ffd953719569fbb23736230b9521a9443e8d7e80d1135efc419762846616fdb2d90d4290743e8

C:\Users\Admin\AppData\Local\Temp\RES3023.tmp

MD5 f35f76b1fa0ca4163de1b6c2d3f72c4b
SHA1 05f7ecc08eba75acc5c51ac240bd19d9172c9cfd
SHA256 913c95486b079e3a095508a4421586ac52d246eae74d855ad29ed34847ad3050
SHA512 e6cc891753790029e04df24c6e963956d7d209f63561f3e5b56b11375cab9afe7b6bed151f7151a053a3a72ce1dbabbcd208a8b12e781b072b4a7b9479d714c2

C:\Users\Admin\AppData\Local\Temp\p8iw9tke.cmdline

MD5 e935fb65862a74f2a0073104b5126d16
SHA1 39db324b8a055d9ab41f982024305c37047545b2
SHA256 55287e5915b744f4af597861e15d1220bf128e614001518e282b8773af5442a7
SHA512 d839e6d74e97f3cd91ca1fba1ca209fe87e749134d7894a85aa588d2f4c37c81c2eeae09ace7037b0e69123c534c8bd65c8f9bb2391166214e7a64a232d4bbea

C:\Users\Admin\AppData\Local\Temp\p8iw9tke.0.vb

MD5 6d6736464a399fb3f33dda2efd7833e5
SHA1 0fa9412d9f0586cf5e162b8335e08966b0439c4d
SHA256 60ad43b63d891185bc44b19b63c636dcffe24f11a5b982bddd78b7d4b36b01f7
SHA512 a0aa1b1e61358febc57bcd455b9dbf16199c2d18c2f43247f6c784b86d1b2e74b0b406339e49486156361d55fc96f5937de412ddf27016bc68da9fcd19ec50ef

C:\Users\Admin\AppData\Local\Temp\vbcD5C749C08B35490582E96C74EA9D65B.TMP

MD5 bc63336cc64956ff90e86f9c0af58876
SHA1 68eb9c8ef6547c1daebac663c1c8e4982c862056
SHA256 b95f8cf19f59f1ecc0a5a783134c67f1389e36f162e2e36bb0c9e64f05e0f4f6
SHA512 940ca2bf5c36696396f7639cf995ffecdbb6fa9a1396a21db9356358fad030eac6b449b759911c0d5d0ab9aa460ea5e301027714a3440bcccdc719ce6b71b2fe

C:\Users\Admin\AppData\Local\Temp\RES30A0.tmp

MD5 76a07da06f5ad604f0e45e0676f5c1e4
SHA1 7462e813d343ebfe0ab64e07230df743fd75a41a
SHA256 6a4777c9f62df42535ac7d77fda175983265978eed0c337eb07bd7a17da01dc6
SHA512 4dc00e666064e1fb5ccbd066d8fede0de5774d8a66c63ddec842db01970fb46ad28c19db2594488f423bd7984d947fee8924c5a2915ad92643508ce36440b2fe

C:\Users\Admin\AppData\Local\Temp\yk2y4arh.cmdline

MD5 81ece723180216b1a8c3c3074a4024d6
SHA1 4f32417e74be3b031b3fb246d43468b1156421a3
SHA256 201c9f145259ce4072f53c89b8a72bbeb3fbe1c982761bee0b0253f2e276274d
SHA512 76ec7e274a8bbb8185287ca34061bd45dcc23fb5918a165f90bcc3ba520b1ae9226e57a0f37041873cc37a2249b6ca3f2ba9574934ca0a1aab22d81eb2a7eddc

C:\Users\Admin\AppData\Local\Temp\yk2y4arh.0.vb

MD5 853b3577984f8d9536757122cf3fe4c1
SHA1 99fa6df3e78b1edd2d3e8d4570e2049d8fdfc10b
SHA256 3097c64964242cbc2ecbc3313a0533b9eaaa17ee546fafae54a1c447410a0f15
SHA512 28782107e46a49430b9f8ed402d3c440847a6faafac8b0862c378bcce39bacea7eaf6ef0f61774ade52eaafd07e3f66c582bd80cfbd3d9b26bd2e08e0579b87d

C:\Users\Admin\AppData\Local\Temp\vbc6C9147229E9B4EACB6BBF92076541C27.TMP

MD5 1e60397d623965e2de3194329dfa9790
SHA1 39d9965924d629e128a96a2f76bfa62765642f2a
SHA256 b8c93609ad71aa5a86c55958f08bce2dfe7b0593f0cb9dc9f8d376b4f44a3754
SHA512 eaf9b213c2dca4923359c90b4bf4380b2e1c51ee366c7557f17a4964d8c8e016910f454d30a47679d1fa600d6a6d3104336583f1807e9a3e51540d6697ab2d2b

C:\Users\Admin\AppData\Local\Temp\RES310E.tmp

MD5 0eb878f1715384dccb8c0a2e587985ff
SHA1 48c9c419c22367d7aff3fd0b5f6c7b5c824d6749
SHA256 3787d6e0c0458f8e1114bf8399d8ae98487a1978b833c5f8527bddc96938f565
SHA512 480b3f0fdf29b9e239c7ba60c1336d29f15670147a89b9692d477da650229ffb570861755bbfe903fea85fb54b660ee1bad5c10e206eb02d27075056eff10238

C:\Users\Admin\AppData\Local\Temp\1l8zvdck.cmdline

MD5 f65e8128ef91494979d03f14bed536b2
SHA1 4a6bfa38450c7a4754194de0506026c948182b6e
SHA256 90d51fd0d4bc21a805783369f7476633d3457dabc7df2bd939972e80f2cc725f
SHA512 e2771c6b29c638ab82835c47e3ef7d604f8e28d77258d73edac624d47c0f79b73e84db4fbf5718b3ca4d8cee679dcee21c1a0ed921f642ed6b731895f801e62b

C:\Users\Admin\AppData\Local\Temp\1l8zvdck.0.vb

MD5 091b3615e797617cedc6807190f3da05
SHA1 eb4b5f559a401fda98716fec402b9e0fc782bb97
SHA256 82f18b95d25ba46269c7d55018d021dcd1f200fd7b44a543799cdfa70785aba3
SHA512 f50c40c9ffb3800b9c134ed10af8db4acb76d10b4c6090e3db340196c1edec862210bea72dc078ca9d3a9ddfabed0661058a8719690bb205cba4a86984f37275

C:\Users\Admin\AppData\Local\Temp\vbc3C59D9A1C09342A8B2B8E668DBF693AC.TMP

MD5 a72c31a1ca62be76c9d7b02d92588f5f
SHA1 bb3a0d6c1e97f3eb290b67782babe2e834bfdb1e
SHA256 f6c8be511e12001de07079a0700237b477f7cbd234cea74094a1f808cc3faba5
SHA512 130e144f07eea0383a87095f65738c0d97bc14f8abb746e5fef6b2c7c82ac27cd1070ddef5e8daeacfbd139b607f2b29c14bc3c834a7c1c0e7a04dfb5d658b24

C:\Users\Admin\AppData\Local\Temp\RES319A.tmp

MD5 1b5703976fc231c95d87c90095df78a0
SHA1 8ec96d047088c4cc7403642b4cc7b8da96af6e73
SHA256 c0406825a393d2ee650080c8689ac088778835b0f851765d32ba7fdf705ac790
SHA512 f1f110d5840820be3abbcd97c9fa7edb760353b4b8189f9e4e96f18e6e10c01f6a6957531db3685b6bd6831ee56f85a3fa30ec24e4436222d91c6ea187d8c116

C:\Users\Admin\AppData\Local\Temp\-oubtxx3.cmdline

MD5 984c7a073da18a7922de0bde29309a89
SHA1 14512228931e7d0a4348e3bf264bcbeca3e41b9d
SHA256 475a707237bb63e4f56436a247cfc41eec7ff2736aeba4e921a6b5f24a542b51
SHA512 9d500928f63f9e7e97a7e343a18d2a697a83f3d62fae29f14345e476ddcb34c60bdac1905dcfbf62a7aed0230f9f689c27081b94d3b049f4f1867d5b3c6365cc

C:\Users\Admin\AppData\Local\Temp\-oubtxx3.0.vb

MD5 9106ed4276c3b384571c45cabfa628c9
SHA1 ec931a66b8adb01af8b1d95610bf2b2d2f115ffb
SHA256 459e3a5cd1e0a1c69fc3fa7e216bd024b6dda79c1faff1ffb2aa70bad0eb5b29
SHA512 108b2a6003d091ab855228b0d178ca0037fb10f7da4ec00a7ae381962476a1dc9be819c03eb7689677da59b9583cae39752f0a860c10729d75ab1182396267f5

C:\Users\Admin\AppData\Local\Temp\vbc5F5356F5AA7D4A2CAA62AA27BC1E2746.TMP

MD5 34f465e372d29ce7c4f173d026264bd1
SHA1 96514003b0d434ce4f6fe368a04f93f95be2eb12
SHA256 c468bd7e8047b78f427e8b36916a84d7f89ac2fcfef230c394f6b87b576de8b7
SHA512 142e4f17dba9d12f7e49dc1fbae20fa912221f8afd8bd0d20e3d9e070c6513a11154bfdc2ba0bb2b7df84678676ea32b1ec3c4831bfcd709bd69b60b86ecd299

C:\Users\Admin\AppData\Local\Temp\RES3208.tmp

MD5 76311478813bee1b415b06429470e1c1
SHA1 6c932a1a7f22fab4df582ffa362ea25f14dd948d
SHA256 1d9cd6923f53cc24da83a927d5f624f57f8c99af1dab5a02723f6519de8aacdb
SHA512 6561d16a0e801464c5db6e6dbb24832672052b552bbb257a79601f4c5e716d9c9339298b3e65135e0869ae856475a9a844ca4967edec8949eeca0ac9334024cf

C:\Users\Admin\AppData\Local\Temp\jpwbgctr.cmdline

MD5 8028beb4432d724a69c8f5a0ab8b9db0
SHA1 f70b5ec8344ce4957b4f6b730fa0cea310dbdf45
SHA256 5bcbcc533463650d5dd24769f66bead5f997cef3f79160ecd5940a1f9a5d8c27
SHA512 cd648693c996052c7fa8931e2b5136cfc978b18f810f6e8a9632d00a09f22f7607f088039200ccd5fecba299b28614f11a37082b38fa2177d78affb32227fa85

C:\Users\Admin\AppData\Local\Temp\jpwbgctr.0.vb

MD5 241d42a34175e7443e7787371469d3c6
SHA1 cd4ec5655235131bcf3e31da6822be8a154e006f
SHA256 c0621ca644e71002899bb4b19caaa81045234b73f1883bdd9a5a1be3ce033b1c
SHA512 6feae60ba972cb315b259b8b3e4e576b4d5c8b8d5fb383612630d2858a3a76ab896ba70ba951d26c04393861b4f986a1c13dcbea1d22776facf303a8c264077a

C:\Users\Admin\AppData\Local\Temp\vbc8D5BEB4642784F57B9B55B67A752473D.TMP

MD5 26b170e6e5af1a9d03d4ede628313a76
SHA1 85dc4525f6f51fa393c18374366db1faf4ed56a1
SHA256 c6fedfc20e867ccd4aa0a25fbc8dd9c1a45639d285e205299de3871e014d7f45
SHA512 83d1ac654512662051698926af9c7da92325af4bc39ea787ddea6e5d47aa753ee034a677548c0936a6214f9b1be932c5678267a2344d2d392f3f15098e9c7670

C:\Users\Admin\AppData\Local\Temp\RES3285.tmp

MD5 e9e4b83778ee55c10cb62ffecda03a78
SHA1 cc56c6a7bdc80c49dfb31a32808d69dad171533b
SHA256 37c0912757da3fd448e02269ebefaa53fda3db2d1abdd64dbc172c8900ab66df
SHA512 49218763521acf6238f96fc56cffc4a60c465f84e32d7ee3eccae7b8c8e5af4774c7efa6fb8e460cb6664624308481004a5a4fb7e4aa46d58b3f3c6f0541c2de

C:\Users\Admin\AppData\Local\Temp\qchxndj9.cmdline

MD5 231edf6d61a0e09675c73a388d53a4e0
SHA1 1918de6109813679e11958d7762c6c7e9e358295
SHA256 a2eef08787450680210fb1a4b4ac8d5bb2e0d2d194bd356ada854abd5220e51e
SHA512 aa4737662e0a359706d31596e23e0244393ca77d96ffae5900f616c11a43f84c84401708ada627c85adbe763cadef8eb05d670f9aa033a243a4542873b6a996b

C:\Users\Admin\AppData\Local\Temp\qchxndj9.0.vb

MD5 160882c653fbbe14f076e1a651dd6fa0
SHA1 041e85466ebb363cd5c272e048a114aed21e2011
SHA256 aa170cc9b3bb4c2e52a8dc55eefbec37403412ffea1a5ee560b10e3544804ef6
SHA512 e35c51b1738acb4a17c724ea192742a103291b085587bd626d41e010bb16c842b1719f4f627a35e278d8a4495dd72f050e9087d3cd6eddb7ab6be5cab250bd2c

C:\Users\Admin\AppData\Local\Temp\vbcD53DF87B9E7B4BD0B39817ABDB8AA68F.TMP

MD5 d815557476ee712d81ff24c8b484e192
SHA1 e52a4b5da6dd467f7e454e5b09ead24985e6b2ae
SHA256 90f2041aac8a5d28943b45dd153c28311ad8808af65bd4fe8080bc2f1d2628fc
SHA512 62dad1a9ed42cd3ded025d487b59ceb47a2f2b9590cdcd60d0d93908cf37f5c02e70331124f0a76c18802fcea0225285704ce70f1e453c8a7b968ecc0d60e8dc

C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp

MD5 0b2680113456e56d097a086fb6c2c168
SHA1 03c4de58abce297830e7cbc2d3a0e61792f37c14
SHA256 659ce18559f16feb8da4ceeb9418b8506ae0078bd4e3efd9d1a7f5c6bf9bd79d
SHA512 e8d001bc27fdc15f1664a21f97f2ff0ec5693a0b01524ada9f3bf98f8cb51db3092206a30f0648b4be408577d9617c55f0c36a69594d947b42af1745fcb7f04b

C:\Users\Admin\AppData\Local\Temp\4i405wq4.cmdline

MD5 4bb51c1cf4ee7e1663ba96cf2c2ec362
SHA1 4ddc9033cf67ab8696e41935a717648d147db3f2
SHA256 e3607893db033ed29db8694f526fb3f7459699f817068ef5d9acc13e19bd7078
SHA512 06293e420f47294cdba562489440aa06c4d2529275b3dd7cb1d7eaa5d4f0b1d9644df3727ed02cd28556b7f0120e13b1d8aa939c159137f183c7e98791657183

C:\Users\Admin\AppData\Local\Temp\4i405wq4.0.vb

MD5 0e8ec7f764a9193ecfc08556f5a9c683
SHA1 734c4b30944532856cbf0c6ca965a5ae049fffcc
SHA256 0afe1993d2e4eda96b079ac84939a828016669de8a47be15c895af2c1f563bbe
SHA512 72d0586fbceae3f47d4dfc4388acbdef930a589558f24ea6ef3a7f28591251ebdf45ea9199b57afafd7c2b9f2b7d667b42e8a1c81848268eb4d55c02709ac7c2

C:\Users\Admin\AppData\Local\Temp\vbcE2502806EA0440E89126D0D4C762FAF.TMP

MD5 fe326f1b66407c3a799641be622ea3ac
SHA1 789ded78e04af1828a69d6bcc87eb5f025ffa14c
SHA256 68e5634a9350339c2f5cc8c6d1936dc0f207a5383bc3e7d85beeb16bc3a01421
SHA512 99f6f03a6712e7a6f93efc2c25dcd8ef1bdd3b3b8a9e693e11b66bcd5602f7b82201acf4c101803176128a5c99572fdbdaed39b91d39e359943198325dccf566

C:\Users\Admin\AppData\Local\Temp\RES335F.tmp

MD5 5025a9a407b87e875a60e0e33edac96e
SHA1 f04297f2c4afd564d7af0efcd328985cc9ef968d
SHA256 1f3126c8b8f8c57527f65c4c793c4ffebb3dddced5007df01134d855bbc8f5ba
SHA512 2069f1339d46d52d21895cfb27d5e93575f61efb05c081c7c064ad76390dc5ee0ffa5a3f274029c36f08fc266b26bed354dbfcce76cd57009c95ca09dbe8a46a

C:\Users\Admin\AppData\Local\Temp\rwv2sdjz.cmdline

MD5 cb5b44c694a22837048bc7c578d7f054
SHA1 5ce34a5f7577efccd349c2a61f6538dbba2c3b34
SHA256 acb794afe7888786ccb07b29809613bab65c66827a5c10398d45b3c441f7eea9
SHA512 233c60c80aa92db8769834db4bfc5b28998c8d4c977efc738999ea2a68aa5772e011a1455aba5daba78fb3b5aa36cd3c06efb131cb9ff055606aa22eb582f857

C:\Users\Admin\AppData\Local\Temp\rwv2sdjz.0.vb

MD5 ea34cab076d79a55441ff6b906866859
SHA1 89cc05547fbc2a1fa93a75ded89f22e8794111d0
SHA256 7741a03b237390f3fa340e8441ff8963032549365b32493d41de99616de22f50
SHA512 c92db99a3a4f001c6147d9ef96dee6da62abaa09effc0e4ee1399da5829647fb473f80abc0bce44ba4d304dbe05424bf52080acdf9d647d98380cf9bc52e1f25

C:\Users\Admin\AppData\Local\Temp\vbcF9A112B6488C4A2E87449D45FE661AAF.TMP

MD5 4975a74f4f88417c680514efcb6d0a5e
SHA1 58df3963b89a152ad132b11f04d5521a09876ac0
SHA256 7f6bd52ec9318c862de1608a79087b303182dd874e17c1e44619e304d9b1c13f
SHA512 6890e500f225c729b902ccc2740a7f6f5f3a51253fa898a2b1d0645fc089f63e62147cad1c3eb042a83910d2df0cefa491b2247df12dbd8ab8ac6e9e7ef14fca

C:\Users\Admin\AppData\Local\Temp\RES33DC.tmp

MD5 71695685b5e01cf9b3e4a864af3903cf
SHA1 92906e94f3e6d240cd5815231fa7307662cb8486
SHA256 4adf9e349604fef7ed09684ed51c42924331296a3bbc8fa201b41540e1d503fa
SHA512 3dbf5955c90313fd097e692a3ac8de15a890ec6fd2f8439d78aa0bffb199761a68fe22ea85230d35be2c34ff75928531f36cc3acb7fc7fcb8634528a27737b02

C:\Users\Admin\AppData\Local\Temp\_mk951-k.cmdline

MD5 4db655cc84ffcf67d53d91e87b16e0ca
SHA1 bc8d324dfafaff129b29688ac2dbace1d855ad75
SHA256 ecbcae7625cad77191354e67879617a9a09cbdf43f3e6a75a2f9f6a4db590614
SHA512 9b1a1e4b5b5721d6ef195ec8806dd15325aa5bdb3082f8a9a31e99717894c996e06802b8c42ff33f4342895e8dd8f90def43535d4005ab0e7970cd942283e788

C:\Users\Admin\AppData\Local\Temp\_mk951-k.0.vb

MD5 ed1d3589a4289178e047d233553d4426
SHA1 2ee6fae1e3f7226e01e2726b1ddaf5aa9d904d79
SHA256 956c6f9f4fcc5dda32e302bfa843558eaf219e78641d396ad787f9b291d70f5f
SHA512 40776729a7e875389dd4c6578c4d74451e39b08b28bb4ce117e3f7c89ed9952c11f9d9380fc787d889b3ddafe2f418cb975f0086c8467e37334dd8cc50c65bd2

C:\Users\Admin\AppData\Local\Temp\vbc6FDFE2E9229A420B80B1BFE96CF4B337.TMP

MD5 bffca92e69425506af0b626074e6f935
SHA1 a9645cdbf54b65f32fcb76a9a3afe311e9f7e989
SHA256 15a04a397d83512162d0e9f67f6ee4e7c53dd7d1ce12c260d35837081f049b86
SHA512 d98a1d6dc6e63082d74997597ca9db67433b367af0151f898e7ca3ba7c60cabb24c9cf3d40d726e8e7426c6a2980c8c55b64b25deb526dadf294c7e7235d8f87

C:\Users\Admin\AppData\Local\Temp\RES344A.tmp

MD5 86ec6e1d5fab8afe63ce1245c4d727d8
SHA1 a935bbed552d5a4dd915c22bda02d93919bc3afb
SHA256 42bd7fb69d2a36417cbd05a664ac1e905d9d8a369612baa291d86a92fbc4cbe1
SHA512 718794bd35e39c9890948d8376711eced98f066e62bc7944d62bda64e7e7ed380ece13a74d8c176147b16baecaf87664607f59d9ac7cc2ce619cecf76a496023

C:\Users\Admin\AppData\Local\Temp\p4ezresw.cmdline

MD5 f4b42bea62969df1c27f4bde35dbee08
SHA1 877bd38492a912758585379463eb65f1de235f8d
SHA256 17236c0d2a16a614183e0aed2d8d7fe617fa63b4827599e2df4e7791f314160e
SHA512 ab69b9cd7ae8f927668fc06fd59e5d7955f7e45d3a2eb3d21e352513ea214d9e06d910f457a1ad74f06988b988717da9847413fba8858d065e7954f19c9fdbb7

C:\Users\Admin\AppData\Local\Temp\p4ezresw.0.vb

MD5 172c3ca11ccd13abc7d1e1d913aa9695
SHA1 54fe456714e8797aa6f8a4fe5256d1559a6b1faa
SHA256 1d3927c7c461e6c5df741e5747dd4ca7751a631ea7d2d1c16057dd4342cd9df8
SHA512 14e6fc57296139b7856891e1364aed3d7824624ab996f4df120ccb86c848fabb871b751285ff71484c8d0c44811f298ccd240e7b412b059325f0552bdcee96d0

C:\Users\Admin\AppData\Local\Temp\vbc136A19A8650A4FFB8725A1B14AEF71DB.TMP

MD5 5dd6b9a1822b234a9f9352fd56efdd9a
SHA1 72c09759707ee22e9a4e892d783c2274e5981b15
SHA256 1be5173e3c35478ce7803974f98408204366c58f8bcc48c13e3da1747dd42237
SHA512 a80548408f574f57f770c51fecfa07ce1b549716f767b622834baf06b1ae8b4c2289811fc18c0fa437b0a1e0d3e9fef608d49a0e73fd9a2f985d8a0b93279a66

C:\Users\Admin\AppData\Local\Temp\RES34B7.tmp

MD5 484d3c770eb461f6f2d55935881d71bc
SHA1 d2b7a7daea4e9179106ecc388afca1830dd6cec6
SHA256 7f535b571ba7c5aa30a6f91adc96780288109ed8d6457c1712bc39b7204cd304
SHA512 4cc75d7c780ff3c520be13c0e30fb10ee939074229a7c32a666a12bbe431a8ee576d4514f7145c85d4e4092573845616cf03bea3655e2825ae07d84bb0cb0a8e

C:\Users\Admin\AppData\Local\Temp\_r9x2hqo.cmdline

MD5 dd349c0f3f283bfb7599d39f1bec6da2
SHA1 a92dd78e6330326b569ca0ff68cf89f85c014d18
SHA256 a5af93088160d62b6f84406058ed080247addb437c7adb397b8a2d45ec30e694
SHA512 80fcd6610586faabb9561fcb3427c249f6b2d8b988d52b24ee7fc67be1208273fe6f56f5122f8c15d35720c296a9547fbddd43e5e885652ab90a066bd6e6b4ca

C:\Users\Admin\AppData\Local\Temp\_r9x2hqo.0.vb

MD5 78a7170464fb3315b350530ce4cdee0a
SHA1 02a6ed0267c59c935cc7c5b56132ec72800aed7c
SHA256 363965758ea1c851aefc6d2ef2030fd201b2a246d37364720fb04a9756bcf80f
SHA512 810e0f2746ef44aa15a982d84f67da85ca31c8a94f0ca02d7b0774ce9c303ccce5f220835d809d9d08cdbcb6ff2276f5afe219f05dade8d879f30eb4271c8144

memory/4968-251-0x0000000074FE0000-0x0000000075591000-memory.dmp

C:\Windows\SysWOW64\xdwxsvc.exe

MD5 688a4cb70081d9edb63c1c1aa41487e1
SHA1 3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8
SHA256 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9
SHA512 4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b

memory/4968-311-0x0000000074FE0000-0x0000000075591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcE4172DC3A1D742CCB29CA53F4CD959BB.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\vbc341BD20022A849B0922DACA4B73B8846.TMP

MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

C:\Users\Admin\AppData\Local\Temp\vbc5FCD6FD17AD543C193AABFCECF1F2DBE.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084