Malware Analysis Report

2025-01-18 04:55

Sample ID 241012-hhl8taydqa
Target Client.exe
SHA256 c9d1c9ef3a637ac66861d41a4c35e9be5cb2abf286c585e093b5ed281bea1c66
Tags
stealer guest revengerat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c9d1c9ef3a637ac66861d41a4c35e9be5cb2abf286c585e093b5ed281bea1c66

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

stealer guest revengerat trojan

RevengeRat Executable

Revengerat family

RevengeRAT

RevengeRat Executable

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 06:44

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 06:44

Reported

2024-10-12 06:45

Platform

win10-20240611-en

Max time kernel

53s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\xdwxsvc.exe N/A

Uses the VBS compiler for execution

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\xdwxsvc.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\system32\xdwxsvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\xdwxsvc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (45 occurrences)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\xdwxsvc.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 occurrences)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2996 wrote to memory of 4244 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2996 wrote to memory of 4244 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1424 wrote to memory of 4848 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1424 wrote to memory of 4848 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4648 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4648 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4164 wrote to memory of 4584 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4164 wrote to memory of 4584 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 4428 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4068 wrote to memory of 4428 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4400 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4400 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4368 wrote to memory of 3536 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4368 wrote to memory of 3536 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 388 wrote to memory of 3564 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 388 wrote to memory of 3564 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3528 wrote to memory of 3156 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3528 wrote to memory of 3156 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2704 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2704 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2076 wrote to memory of 4216 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2076 wrote to memory of 4216 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 708 wrote to memory of 32 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 708 wrote to memory of 32 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 660 wrote to memory of 1596 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 660 wrote to memory of 1596 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1216 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1216 wrote to memory of 1840 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1404 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1404 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4488 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4488 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3512 wrote to memory of 3688 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3512 wrote to memory of 3688 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\flgiex3l.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES466A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7985BFF909B4A3F92FC345C1FA81784.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b7s41t9v.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES484F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD552379E6A6C4E74B3533B8188D32394.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mdip9i41.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4978.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC58AB0F13FE944F190E99F0ED799412.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u0skwl12.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71597B7EB8F4B9F843A2372D43987C9.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a_90wjea.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED1ACF60D17B4A639AF992CA183D55A.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifcrw9zl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFEE9BAF70BE4E8A9CA33F596BC6331.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ggmd3tui.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95C4067ECE144871937E24BC876A523.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lik4p-c3.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc996D17AA4DBC4189B2F6A3A29C1D61E5.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yazntbry.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc734DEBFDFDC42C09248B8F55EE51E9D.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dymwbfeo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5196.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56983218EAFD423BAE1C51BBD4F13F9.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bvdvti_w.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES536A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAEDB8D78D9340C1A457D996FB3C8BB0.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\khuthwts.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5484.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94E649A794DA49E7B2D1F1D4B1787B4.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rhmndzmq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B37D81AAFFB42D9B5752EB4534FC96.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\modjiasp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC40768DED81246CAA1FDD8D3933B57ED.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rjeketaw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13724569FCE4A7C8766AEA9C58665CD.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5i8xaxsw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5946.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc231C986470B342A78D59B9FB852BC51B.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i3c2mefp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17ECB50010FD48D3A27314F3922D3A0.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2mnjzefc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F5B53E7F6334B30BE2353B9B0BD2BF0.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ea8giy7y.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES605B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6D953A3CE3948669348B2BF69E99D41.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\67vgigp5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF436C961494E424F8EE8D336EB40FD62.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wd6iqlon.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES629D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E117584E49744EFBAE8689224BBBDC1.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\__bozwgp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1851F8AA8CF4F5792C9F8E765C4A8C8.TMP"

C:\Windows\system32\xdwxsvc.exe

"C:\Windows\system32\xdwxsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Pizd11337-26540.portmap.host udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp

Files

memory/4488-0-0x00007FF8C0905000-0x00007FF8C0906000-memory.dmp

memory/4488-1-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp

memory/4488-2-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp

memory/4488-3-0x000000001BB10000-0x000000001BFDE000-memory.dmp

memory/4488-4-0x000000001C090000-0x000000001C136000-memory.dmp

memory/4488-5-0x000000001C230000-0x000000001C292000-memory.dmp

memory/4488-8-0x00007FF8C0905000-0x00007FF8C0906000-memory.dmp

memory/4488-11-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp

memory/4488-15-0x000000001D690000-0x000000001D72C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\flgiex3l.cmdline

MD5 fb8377d47a0e79e1effef791be3b3900
SHA1 4dce4aba805531ca4414b175cbf272cb12f280e0
SHA256 6297306c12a96fb291de5fe0cb23ee6c2a6df2263f9e64ba3eff268c71cd18a2
SHA512 054e1f67476838e9d30a502d07d9e7e6c67bc66092edf20dc83efab096f4aef6d29dda623540885a1943ca0f8d606a891a3cbfa7677718c067746f4748b4fa9d

C:\Users\Admin\AppData\Local\Temp\flgiex3l.0.vb

MD5 32fc2dc17b4f4ed3274fdf0037ade46e
SHA1 d0abeb10824fd2cea51385f24b8021c68006fe3b
SHA256 6a1ff970345ab58f1b7210703aa7e2bfcb48ee377bc5ad909de1d3604a3556fc
SHA512 63bb2a316dacd7b7e0ed58cbdd17b4fbe5ca8658d6bbb4c591231860e41eb68b122b3f8f711b38e938afa5021531d75cd0533a420f75ef19e3dcfda5d72bd75f

C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c350868e60d3f85eb01b228b7e380daa
SHA1 6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e
SHA256 88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7
SHA512 47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

C:\Users\Admin\AppData\Local\Temp\vbcE7985BFF909B4A3F92FC345C1FA81784.TMP

MD5 29cf1ddf294ace351c66759f2e045229
SHA1 df4eae349cea36667585eedf3c109097be3d3eb9
SHA256 ae08a4ed0865b676688fcff9d5fc820854090d9b44bbdefacd5c5e26f4cd293e
SHA512 18c3a611a4433406f05b4a856909dfff513e81489d42f04871c2e2f8c05ca717476480ea6971ab52685011dfdfbeeff441c723295603fd9468f93f44b86f2727

C:\Users\Admin\AppData\Local\Temp\RES466A.tmp

MD5 abf56584d5d8a22043c6e62dc05ee982
SHA1 840d96e0ae2d6ca5a2f56f48f7899b6ae1452801
SHA256 775b524cd44b19d208042e595ca0c42011458a863010914935950dd6d78bf824
SHA512 69944785b02eb4df54989d341d6cf0cda4f190befd9096343c41ed9fc2554572c1a4b2e805ea798671178f224d1b12c17e2f54690e591ae598ed7c392718fff6

C:\Users\Admin\AppData\Local\Temp\b7s41t9v.cmdline

MD5 292fc245cbe8afbe7325bde01ed7e3af
SHA1 3c9aca1f52ea11ef069b4b6a633c0ce69ac8f71e
SHA256 e811ef1acc0e06ceb36b9605fee349e86c32f187250fe9edfd268dea44253c0c
SHA512 557ad5d23ffbd80feb7fcbcd0cf536165d0360d017282faa91445af22b2352069d55c672d7f4cfa403144a4a2790c1c5952785f9e45a072084cb03d1ab17eb01

C:\Users\Admin\AppData\Local\Temp\b7s41t9v.0.vb

MD5 806fbfa9a385be383e7f48a40407c4d7
SHA1 9cbca6dd912b3226e90efe8c7a1f59faf3afccd4
SHA256 973f507f758fecd75c861e89aa8c4993f2204486d87bfa1cc68eba5143d77f07
SHA512 e699fac4837a6439ea63b88eee886e315dd30a6b4cf86de767587e4d8f17a6e3e4a87be9c6a73b41134a16646ae7b34e8f54a300639525efcfb045215657413f

C:\ProgramData\xdwd\vcredist2010_x64.log.ico

MD5 d5997b8f3f9665fe1cd7defb29cff584
SHA1 7b281c8982b042d77e7a53ce282eab7f8417adc7
SHA256 ba40f96904ef649d30f9477d2e1b770b312832ba81e6345946645c15dd4ceabc
SHA512 88f66652b43ccdb551c9e876eab1e7f0bdbf2b8c19bb9b871402e94d1e826424b917495dd3b79c228724f49d1495cd3cea49fafb7a14f23e5e1eb6a29b68871c

C:\Users\Admin\AppData\Local\Temp\vbcD552379E6A6C4E74B3533B8188D32394.TMP

MD5 11ab4f6d3839dabf6022e05b0e3199af
SHA1 f70f743164c320004f39694d0f7135de828ee485
SHA256 86d0c7170a624e19fe010271241c2da9aebccd8ee584c264f43a07f67da7d0b6
SHA512 81c072139a61bb86061322a394f9a19ea42e671d6f1fcb2500ce544d05f98e8f519a16c9d60ad6f4510ae6fb7c5099caafd3fb71c6ce6ae14e57f79d9283194c

C:\Users\Admin\AppData\Local\Temp\RES484F.tmp

MD5 4fbd8aeb8f6d460320ebd60406561933
SHA1 8922dcc646d98fd6b20eed2d249b85cb74e8ceef
SHA256 ca4cd2be6d099f14aaaebb9a68dbc76555455ef7b2373123a52077009e1ceebc
SHA512 d1a6565d0e9d005a464efafb04f364dc3fe15cc28434178bff0ce43b52144d48c7dbee4ead44b49a2f350a31f654ffa331439b278b20412d0a7228e88cf35542

C:\Users\Admin\AppData\Local\Temp\mdip9i41.cmdline

MD5 972a426bd710cbc196e42ab38ec16562
SHA1 70a9b4cc37634969e527154cb75e93b4b126073e
SHA256 07e543453119895efde66356034504154e57d1a58c354308e5b794f139fa6629
SHA512 11ecc6074782000ed0abfc5a1fdaca3f36c1bbdfd4746f0d9ca0da4d45437a0377257a70e396aebcf663fa1775cd908a4a0766692afa65bd88f9d0be33021fec

C:\Users\Admin\AppData\Local\Temp\mdip9i41.0.vb

MD5 d8176c8dcdf8032b0177a9d0bd58e58f
SHA1 027c26e620508aaa5461a2bd020d5e1430bb2cb1
SHA256 95094a209dd5615c821706ec3cd5ca63f0ec1d9ec5db192e1d791a17a3660894
SHA512 382d09544c10eca698888a3d46600eb1aff5818650adb499fb3567caea0a789565a2f6dd250d6fb8e319fa1ffde4ada690fb9c99f80198d55b593d0b6321512e

C:\Users\Admin\AppData\Local\Temp\vbcC58AB0F13FE944F190E99F0ED799412.TMP

MD5 77b88684bc33b844f2eaf6d95ad8271a
SHA1 74642a86685375547ac078b85145b2a1acc8f2ae
SHA256 8ac43e5c156a3d8c687cee62e2d19d613cf3fa32c2701d8f11b02b1a274a0554
SHA512 7840ff496a6b1a20462d59d3d7898b9ca2e2db0f8871443059d21d18ab02edd36199d0e213e4bda6e1544e9325ac877cd608f079d92be7b1477c605f2ad74945

C:\Users\Admin\AppData\Local\Temp\RES4978.tmp

MD5 9804ab222bdcfd88ce3f4289546bdbef
SHA1 f0ea16f779bf1671a3d89461b697ed2a62781cf6
SHA256 43a8ba28946a602217b9fa0a3d0e9ba8d6fbf6ef340fc786864c967e562fb50f
SHA512 34f6054efddc8fdefaf2939aecce93af7d7e4bebf471377efd3b4b693e2082cce8c8e2eec9d3cc4ccf0861c3fd4ce6a5b59d117031ac6066279a53b95e50a790

C:\Users\Admin\AppData\Local\Temp\u0skwl12.cmdline

MD5 b8d54545a84fc80c912e5d4974b3a295
SHA1 29050bfb067e041aa9deae6cd9d7fe170526ea97
SHA256 bb4aadaee56c60aae9b984956025147f8cbc2aac20c5d49fb28a1411f5c0920c
SHA512 fee0f22f25e82b74fff9fe8872dceb5dcd3ed9fca18f8c577a5a7b6f56448712bae8784837dc4cc42aa9aae4be64c5924f685d2b48d7526f8ded0303766f8f7b

C:\Users\Admin\AppData\Local\Temp\u0skwl12.0.vb

MD5 d4a86815a673759078e816a6ef8c77bf
SHA1 31527dcb71c8ac1b0077778630b6c0d148cdd0e0
SHA256 a3bf981bc0ef42705a62444dafe8ee03f0172ab71350fa818e3003f7a0eadaab
SHA512 06b9214f337cbbbeea8e0cfcf4963634b9b035d7805d84c1806b74950c8a30374fec4ebcc9801689a90eec54643845473f90d8d4f8e9ab6244891d59f45bb9cd

C:\Users\Admin\AppData\Local\Temp\vbc71597B7EB8F4B9F843A2372D43987C9.TMP

MD5 cb33e098b48172a7716264425fb2c27b
SHA1 f3831b3ed71b2fe98de1d6f736382ebb457173d4
SHA256 ab4d166de9bec2a84b1cbdf17451099c3888e136e1b6f97eab3e730bb182cb5f
SHA512 52b3e602aa6cbc01812aaad38f57a815dc92ff04dd8f31ceac18c8865ea686eefb02e8c7350e7012a631890627d1e8e0922024a9291317acb6f83e3273a2effb

C:\Users\Admin\AppData\Local\Temp\RES4AC0.tmp

MD5 c2ebb14da1b6afe81d0d105feb068b1c
SHA1 aef5fd24109819d374e6cf7daac04fa013a4b227
SHA256 4dc0f87ac3db59adf4cc47fd155b6f5ed7189893a91b1a91e934bfd21e15be52
SHA512 4b77c34072c697af4e55d20a62ee0ca598b9a39f909460b05c4b65e323758a782aba169a6a5547da6bc450ea6eafc79b38915e7c6c3b720c3713369035f95cea

C:\Users\Admin\AppData\Local\Temp\a_90wjea.cmdline

MD5 75d015011dc97074f566927109e9b585
SHA1 f7bbc3bb4417f24b98b219c75cac6af8fbfd748c
SHA256 f8a312e11ae5c3c455dfada00ae1a2b63a1f2cb385d453583e1d9a9f143c9a56
SHA512 4fdff8fd1adc165eafd83a3169c7990e0e2267ab1353096553c8d0845faed88ba870789a8cdbe0425045aba8a139ca52a66f3595d44a922c3ed6d9cfb618a9b9

C:\Users\Admin\AppData\Local\Temp\a_90wjea.0.vb

MD5 70a76ddc934370916153a1b366b79b10
SHA1 15ba6ac072fb74aa005394477f396700656fdf28
SHA256 d6bebf1f9c2bd5eb2fb14e994a50f1213cff957682203897983a7fb18053b0b8
SHA512 792d18c0077fc714ffe490d34d99837aadcab60f063a261110f427ee936cd633ae3cb63f016363406f9b095f153b5d0853ca309bb42900210792cf6ca28996de

C:\Users\Admin\AppData\Local\Temp\vbcED1ACF60D17B4A639AF992CA183D55A.TMP

MD5 6ad70be08cfefa12479ffcfc0dd06233
SHA1 5aa6abb749fbeb732e149b0ac58de921eef1995e
SHA256 8e74037e57f80218ff3f2c0348f1c8c05dd169bb0e908fbbd050ad4fe4eaeece
SHA512 2496642194839bda2e7c05f129d438ca591c1aa8cdc6fd60d76a7465b1df128b3ab1b19fb09cf12b751c1fb22bd5f675d33079110678c095d30b076ccd39599f

C:\Users\Admin\AppData\Local\Temp\RES4BD9.tmp

MD5 a0476bfcb80519db89f88c6210b913e6
SHA1 da52ecd096c448dc0aeb82d006a0304ccd4c3d60
SHA256 dfd9c34f1200cb6bd8ad6b0776dace75b383ea59097182961c6a0027bff37345
SHA512 ba682e0d345456a6f321da29ac9cf6ef4353524a796a79562b6318fb436d190eb3c139d2f82f88a6d300734a21d2b88d30459a1adf7c631cefccc64c62a802f0

C:\Users\Admin\AppData\Local\Temp\ifcrw9zl.cmdline

MD5 6453847463bd80efd5a144fe81290a76
SHA1 6e8b530069871c05a735993cf19d6c801fc6d15a
SHA256 ec6520d1b17c572cfccfe3b851632f2e79de0069fe49e4a99b0483a4d32d560e
SHA512 fc5f300929554c396eaf8ff6c367f08b19c92728acf560fbb03f32f0591c41a5fe5ce7e8beafcf8201cac360c1200c9b7801d4e29e4a73c3ff15651e7c189a90

C:\Users\Admin\AppData\Local\Temp\ifcrw9zl.0.vb

MD5 7229f134ccbe86e214389cdcdf39cdd4
SHA1 59b5a9fc75fa7177bcacc9a5e7925b0addc32473
SHA256 f69790eb9ddc7fc4c9ebd02013a7f2077078dfe1fb04b019272399d81707d6a7
SHA512 cfffb14bcbf4e6674c9be8fabe8f98923f663f0b81824b0d2556e32a8eab266abb6af49278adf0fbcce1f507609846e570dccfa32ebe00b43cdcfdd250ab217b

C:\Users\Admin\AppData\Local\Temp\vbcAFEE9BAF70BE4E8A9CA33F596BC6331.TMP

MD5 9362f5038e83070f7a41ac898fae8195
SHA1 199808e30952b4df33dbfbde982d1471a226b97b
SHA256 85374d7934981bb47828ab0634f85ea3b41c6575ddd3438f553de82763a82f16
SHA512 b4cfa059a83f9aea9ef4e08055d9aebc8d378d6b79828592a1636c6144526388900d4eca9f2b98ac9faec8733343c8839f3848e6689f7aafdcf98f70b6526df3

C:\Users\Admin\AppData\Local\Temp\RES4D11.tmp

MD5 4da35df21901483585884acba7360197
SHA1 fa1cb86caf9fa51035835256d7c9306f31a27414
SHA256 9a399209adc8b8846a47c8bf298c56f98234400a3740ac096f5a699e8dfad6e5
SHA512 3d290dfa63cb7898a69724bf28ad90b570f30c8297a8993cf89226eb1a1e789ded28420324d25c7a18522216bbd554171d12adea3222b02c5c45e3871a5b8977

C:\Users\Admin\AppData\Local\Temp\ggmd3tui.cmdline

MD5 92d7213a00b8ff674844f03baea7c1cb
SHA1 f7043d0dbac3cf38d893c4b3b6d4d97c356cb706
SHA256 08bc35d5eaac2728bcfdb814f09b3e575f7875f0ee46e41b69438f1fa757bed1
SHA512 c46fa3ddd869baeb57203c9deb3b4993f1aff611de468e495b3261c591c6f27bff26bbdd81001ba7b055ba4f0feb7a258b515b7e63492f48f1dac343c30ad4ea

C:\Users\Admin\AppData\Local\Temp\ggmd3tui.0.vb

MD5 9e7c484b328dd42af8d90cb87a61f533
SHA1 257866b6b63f209ee7973faeec6d3f342e081a3a
SHA256 4306ed60a490cc993558e7cc2131a6ac2ff9fff708e41798a68a6bb4d9800556
SHA512 ff712fcb9701d8c14cf7c237b117d05e81691ef303f2a4616324a81ad53be896f95b40c8ba32e1bb5e45d44329108131f0f5fe14dc8bc05a4c5903b4a41fd410

C:\Users\Admin\AppData\Local\Temp\vbc95C4067ECE144871937E24BC876A523.TMP

MD5 8c68e64c0221a6286dc6f9700a826fb6
SHA1 0f59117e506eca8d38e3f62e20c5fb4a7efe0d6c
SHA256 a471a498192580d6b3d50e5dddd94f18cbfb63c916c56788ee507aafa269a794
SHA512 ae026416ffd28b5dbf5c8bb29256be01e8dcb4fa6abb3c1459cdcc91a1aef19a18460f472dbed6256ccb38c015fd4281ad10f4be817fe22b98f12772934a4528

C:\Users\Admin\AppData\Local\Temp\RES4E3A.tmp

MD5 b1c093e49a1d45a75e52d44677d78797
SHA1 a9b068a3ca2d26672c526f89fb024c45672b085b
SHA256 5ea17f483ec0887e202f787ecadb557aae0e19141e936f129bbdb28d4a895112
SHA512 10c389b2c88726159560c50aa32e59d30b5311d9dc0158c5dad1f883fe705036b7409be88662b2529b642b5b6d9475e7d8334968b0ba1320f0c34e696b6cde15

C:\Users\Admin\AppData\Local\Temp\lik4p-c3.cmdline

MD5 ab7311e5231c427f16fb768f5d2e2b36
SHA1 1f21db33341c95cf37113a808c5d436ee12c43fe
SHA256 9d82abde198bd546bbf672b0e759a1f24cb863caa626b3db95b7379581c95aac
SHA512 cefe35ab1980dc1a13693ff1d67ae1615b80c739a71347ef40066886f5eaa90b7a8623f5972c89cc12b5502ccdbbed6bfd5f57964047c35d0652c0ceac95e919

C:\Users\Admin\AppData\Local\Temp\lik4p-c3.0.vb

MD5 ddef54241eec5d7f422a424cbca9408c
SHA1 34715db7608b6bec184db8d3b423a1fb4bacd07b
SHA256 11552b19c8792ee9999b3ca7c4ccc28eec91a3d8115868d221bfe6366b9a7321
SHA512 17e50a949d0328be9f0f7340ec82f932395c4b18c2e1903cf77d17015a4f756008cf5efade57d3b1ed0db1ab69b04558109775126a395d39f2a55fd0a2825583

C:\Users\Admin\AppData\Local\Temp\vbc996D17AA4DBC4189B2F6A3A29C1D61E5.TMP

MD5 84c0ddfd63352a3d8f410ee43c42ccf6
SHA1 51f33172e6dd6c4cbf19a71f6bf73f74c1677648
SHA256 2cc99b5ea16753b50f07e35314b4566958e10a473deb281d97ccba0a27400005
SHA512 27916028942da1bbfb19ae752d8527626831a7a9f13ea5022888618584a683431860e401b253d856503c6bbcb3e17a04d81649706cc5f822dee364a86aca2740

C:\Users\Admin\AppData\Local\Temp\RES4FA2.tmp

MD5 f7c19222fb4344c8c838bb44ca50ad88
SHA1 0e1f20573402202f2f4a9a43e21848675ec52653
SHA256 0997c2024c781b229b04b15d89e09e300fb05f36391384af2069c7716eb2c64a
SHA512 38ae9fd7e1f03a2635a60e6f2a32c8ef03ea1827c032cebb92f1cfa0483aef91b19ca4a1773728853e96895f617013b23c8fc2859eb38904359bb3adbd691985

C:\Users\Admin\AppData\Local\Temp\yazntbry.cmdline

MD5 818d678573ed9443bf4d2fd33e586213
SHA1 05ddd253e0780cd635c867e5621855f47653b216
SHA256 8368e328439c0eea87e930571ce2f2aaa94d16d83373e18a37c7a5199327d398
SHA512 9a932b30b3168ed34197add7e2f3f6928e37c49780bf86d3906dce5b79cd86fca0f216e958e2cb9eae369d55fa22e8c84c1e298b24db0478deb22429e0e805e6

C:\Users\Admin\AppData\Local\Temp\yazntbry.0.vb

MD5 90a41858c1ff095de02d92591729a3b7
SHA1 ccdf4fa9bcfd31c860b65b7bf6fbc08ed509daaa
SHA256 87cebb1f8df70782870d875a6ecdc1b705f6ddbf4bb9331d7499970be79208bd
SHA512 8675cdcd575ed0da0051040e9704cde2f285a2f028aace0b77bee6b5443bb50bb1db0898c8a78e6b89f8385bcb5f5d28cd611a0687a94a1f589ed2c9d62bd418

C:\Users\Admin\AppData\Local\Temp\vbc734DEBFDFDC42C09248B8F55EE51E9D.TMP

MD5 c7c9057383f1585d75f4157ffbf435ab
SHA1 9a6bd1069e7522e5369d4f42fe6807facb802899
SHA256 b21a8493c8d57dde7de652bdcfb5f961e54e2f0a72d4b5f840f022b7d5320f4b
SHA512 f77e11ec0a108ec6b3f32c240d301c02ae3740d8c4adc54cfc4353147d9dd3a125935cb81123f5888b21dbb7479164bd104b19f2e164c2bd0ad2b89fa9b39b89

C:\Users\Admin\AppData\Local\Temp\RES50AB.tmp

MD5 c0395393601bcde7185ea3b1302ed5e7
SHA1 346cbacde22948e0d5fe302d1d37ce2df7a5e1d0
SHA256 e690511e825b89235b8d4412d6e29ddaaafba3064f205adbfdd0d05bb9bd93d5
SHA512 19709cefcdccc36fd541821a7a6d30e4aab5c9086ea82fafd48a22227e73d0e37d9746f4321b089fa7a1c5a427a9379ad8e3737bfb72bbb40041de39c6f9bc8e

C:\Users\Admin\AppData\Local\Temp\dymwbfeo.cmdline

MD5 22adcc36700f832319784454dee2a420
SHA1 378bc877a9be636aa6eca4f49390ad94d76ac1c2
SHA256 1a97820984187b682096a24dd060ae5e3cf279208aebb43096fd4d35f0a221a5
SHA512 06d9c4e365456c5838e9a26368b3a923b1954817db2331df7e857c0512e2f5abe5cef4aef0544f177aa9c54c83477276e07194498757e1b108ae5e47bd34fe6e

C:\Users\Admin\AppData\Local\Temp\dymwbfeo.0.vb

MD5 166a9ac93a3971c49538ca4d170e394e
SHA1 1a8a2c8e903174098ef8d8e43ca04a2012c8f3f7
SHA256 365936ce4dbec81d6859e34540c2a2973c002220d750317145425784fcec792a
SHA512 9184b813e181cd0cda3ee62ee09818d097979ef4ac6e28f8a3937bb6fced2e8f5df5c15c53f5ed8851d10aec554a7e13e444297d6c2ded5297246e36abec4c87

C:\Users\Admin\AppData\Local\Temp\vbc56983218EAFD423BAE1C51BBD4F13F9.TMP

MD5 5201879a7e04332289f9d0322054e622
SHA1 ea4b0fb5f15d6b03ee2331529f48522b95cb3347
SHA256 b1b01b72827ccba25b2ee8082711ab16f15020e689feac3e83298e4a3c03219e
SHA512 1f14301b48bcab846b4488c4e67cf037872f92aac80558965342eca053eb3f945864a721b6287ebd6893753d3ce3fc7f266e69a4dc1ba69924949d7620641933

C:\Users\Admin\AppData\Local\Temp\RES5196.tmp

MD5 d7ed6201e9e061ea114f2b16d0760a35
SHA1 9a7cdcf35b9228e71aa0c9b1d0a21288a9ff20c1
SHA256 fb1dec465bc38def0cdd273f21815c2cf8f7eb66016d9a6918e9fa10a8db939c
SHA512 d9bf43b410f96180d9f70a93a066ea20f8b0b62b63861e2364fcf77b1a5fefdf2042b4f7cad95648b47760064ad158cf9d54784084bd276b8afaec9c30a62d42

C:\Users\Admin\AppData\Local\Temp\bvdvti_w.cmdline

MD5 c14353a7d7a26983b63c6efaca1232f3
SHA1 9208489b444fbc6093fa798484ddeab7150bacc6
SHA256 3d2d9fb309396a3d406aede49dd388ba41eff7cd37dac6b6eb1b450886683d24
SHA512 bee903f157a098630cef34dd925ca1f1a1fcc65fac0ae24929e5f5af73f8e696cd8e2cc6157ad5266416dd1351ddfc3906b4c1d61e9c6f553585374caad1986e

C:\Users\Admin\AppData\Local\Temp\bvdvti_w.0.vb

MD5 0b703601b0e80ef94b205ed801966b9e
SHA1 9bdeaf41dd0ddfe8c0a759cbdeb78392f6d12834
SHA256 8b32721cf83b79ea8cf67fe4eff6109bdf6dcf9caec4496db4387bf3deeb0649
SHA512 a075aa018fe6c2b3b885561f6788f6e566472a2d425bd85911fd9b7ca4a4dbc6dc3b324c83bc821a1627219fd224cc835adec64ddf26584f524144d7fb7874cc

C:\Users\Admin\AppData\Local\Temp\vbcEAEDB8D78D9340C1A457D996FB3C8BB0.TMP

MD5 a4b02be1be36d35d3f69b5e939ef6ae4
SHA1 adc51fc1cdc8b041d317e016dad681accf757ba3
SHA256 6956dacfa91390db2d07f8edd7c09b53d59463ab8811add4202977a635b6c563
SHA512 249e3683e35e0c423145632198aa7cbd351f7a4a1689a527f2473f081414dcc7c10f6ec9ccc9eddcc21449f1929af29756095cdd9b48dd17ef1f4cf83d982ae1

C:\Users\Admin\AppData\Local\Temp\RES536A.tmp

MD5 eef0a40e0fd5917141c62e69dd48c333
SHA1 dca013396266d0948efe4ecf63abbace54b2c114
SHA256 fbb261a904244d4c29397b1b75608b87d7e7757c4ff2a2d803487cbe10919d88
SHA512 2ee0de0648e323c785f448076d0ff252f7e5042d9ba49c169f68b81a5ac54b6fdcf948d421d5ee0643232d0da0ac2993a80da17669d128d31531832f676a859d

C:\Users\Admin\AppData\Local\Temp\khuthwts.cmdline

MD5 2bd98e0695cbace0291f97fdef158ad5
SHA1 ad26459411d67ba940729a025336393f85ab7066
SHA256 4caeb2eb89885ff451576771322553ed0cd443703f7fc686f08f4cf5ef484680
SHA512 2572fa9a5bea10137d611b6ea6a956a8f2fda4be625779783196f6beccd199726c8910ad2f412544ef51267c5e859e2331b51d146bcf2c573b53ceab2e298c99

C:\Users\Admin\AppData\Local\Temp\khuthwts.0.vb

MD5 03fe8241c9dcdbddcf309b44e99d3e52
SHA1 45fc83fe13cd36e9224ec727150715bb40bf4fef
SHA256 f30a7a5c7c64d7d3f96476a3f0f4a8fd02d25ca5aca6b564e7c0a58c438fadb1
SHA512 bb59031b6f6bd41fd25ce864cba4e04f108b7e0e7ff8959df37122b91d7311e0b7d6cb257c422cb90f3933a4d9f2e1885ed33f81c1680610df2234be417da162

C:\Users\Admin\AppData\Local\Temp\vbc94E649A794DA49E7B2D1F1D4B1787B4.TMP

MD5 8ade15ed1d80f56ac26d3e0320569426
SHA1 991f9dc672ab0eaaf0da3fbe67e361686bcdcbc0
SHA256 fe4161b8576af5854856e218fbda2511e57226285729d7799affe3ffa90b665b
SHA512 66f0939658ee3e7359ac4b4e8a58e5e179d3c6c8b41bc061a0f14e38560b156ffb367af5ccc492c0ad630e22d18de3148853271dc72b057f1ca461e230ec5f30

C:\Users\Admin\AppData\Local\Temp\RES5484.tmp

MD5 323d73690332a2ecc7693b9518c1ad71
SHA1 3ddae2163deb7b762035991fc90b627054468132
SHA256 043452e6a951553ac4c3d5ebd066c92ebfa38d6e4549414d42c85a098227a97c
SHA512 9ddf3fa9638bb18d4719a8de6675638a03ca2e9dcfe8931b1a2177d828afe98e8ec1b1cff2dc1d02052ce882d9a17b6c70d17e86351bbeed5886592035c1e52c

C:\Users\Admin\AppData\Local\Temp\rhmndzmq.cmdline

MD5 f7d2d5b122b0ccfde72ccb776b5d87f7
SHA1 7b5f0180e2a0851f5fd8215b8079593e1a835c2f
SHA256 c5450124d75849dedfca37324f9a6167c4e2ab921892655c7997b06ede6cbdb8
SHA512 d5059bf6adbf4591b4fdab69ee1e1453068869f9a9bc400277b06ba645fec2ebb5f4add14d3768ae82eff57fc4518ed3a90bc4a276dd8ebe3aa2eab844d6d2b8

C:\Users\Admin\AppData\Local\Temp\rhmndzmq.0.vb

MD5 1c44a8cbab99c328d5459b1480105369
SHA1 80159d2c209ac1fc827c3480faf365192d144d17
SHA256 3831cefa757fff48ac587ed7c1cdf606e8c8abce1a85a4e83d773c00330618f8
SHA512 052ce2adde6070990a030e4ea3c3f3353ec2d3da63fb4abb37412dfd7f37f3bd13e263bb3f159ac7138315024d041e8a6a11e7c026fc8ea82a1038419f1736ec

C:\Users\Admin\AppData\Local\Temp\vbc9B37D81AAFFB42D9B5752EB4534FC96.TMP

MD5 fc9f4d1d6165fba4d3d3eb3fbbc33430
SHA1 a6d34a51f4ba11c053d37e9792888d5cfcf69e6d
SHA256 4be29e04f0ea9295e215b0c044c6cd636e6690ecec92e794dc15c8a401b8c6f5
SHA512 48392289194cb356caef5dfeb769940d173c19247c5f1eb67fb399ca515c002f5168524501c034d81897808a3b15216f1092956b96d24a70cae8c471eb6dd77a

memory/4488-240-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp

C:\Windows\System32\xdwxsvc.exe

MD5 f55c1e64f9428adef9ab57b608d01587
SHA1 c85960f54528f94ec839b6c2d125c7249815427f
SHA256 c9d1c9ef3a637ac66861d41a4c35e9be5cb2abf286c585e093b5ed281bea1c66
SHA512 26978fef89a5cdf7baf8ae04823c238e4db686fbcae5a5ee1dcc9acb9a4c06092289f4babf84d1cfe954fd67744e2cc5cfbe1b46668d807edd03632bfc083e80

memory/4488-302-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp
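The following triage helper is an added example for this report page; it is not part of the sandbox output and not code from the RevengeRAT sample. It re-derives three of the report's findings from the raw records above: the repeated runtime compilation through vbc.exe and cvtres.exe (the .cmdline/.0.vb/RES*.tmp artefacts in Temp), the copy of Client.exe written to C:\Windows\System32\xdwxsvc.exe (note its SHA256 equals the submitted sample's SHA256 in the header, so this is a self-copy, not a second payload), and the non-DNS TCP connection to 193.161.193.99:26540 under a portmap.host name. The notepad.exe command line, the `csc.exe` case and the tunnel-domain suffix list are assumptions introduced for the example and do not appear in the report.

```python
"""Triage helper added to this report page (not sandbox output, not sample code).
Re-derives the compile-chain, self-copy and C2 findings from the raw records."""
import json
import re
from collections import defaultdict

# SHA256 of the submitted Client.exe, from the report header.
SAMPLE_SHA256 = "c9d1c9ef3a637ac66861d41a4c35e9be5cb2abf286c585e093b5ed281bea1c66"

# Command lines copied from the process list; the notepad.exe line is constructed
# here as a benign negative case and is not in the report.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Client.exe"',
    r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2mnjzefc.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F5B53E7F6334B30BE2353B9B0BD2BF0.TMP"',
    r'"C:\Windows\system32\xdwxsvc.exe"',
    r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\notes.txt',
]

# (path, sha256) pairs copied from the Files section.
FILE_RECORDS = [
    (r"C:\Users\Admin\AppData\Local\Temp\flgiex3l.cmdline",
     "6297306c12a96fb291de5fe0cb23ee6c2a6df2263f9e64ba3eff268c71cd18a2"),
    (r"C:\Users\Admin\AppData\Local\Temp\flgiex3l.0.vb",
     "6a1ff970345ab58f1b7210703aa7e2bfcb48ee377bc5ad909de1d3604a3556fc"),
    (r"C:\Users\Admin\AppData\Local\Temp\lik4p-c3.cmdline",
     "9d82abde198bd546bbf672b0e759a1f24cb863caa626b3db95b7379581c95aac"),
    (r"C:\Users\Admin\AppData\Local\Temp\lik4p-c3.0.vb",
     "11552b19c8792ee9999b3ca7c4ccc28eec91a3d8115868d221bfe6366b9a7321"),
    (r"C:\Windows\System32\xdwxsvc.exe", SAMPLE_SHA256),
]

# (destination, domain, proto) rows copied from the Network table.
NETWORK_ROWS = [
    ("8.8.8.8:53", "Pizd11337-26540.portmap.host", "udp"),
    ("193.161.193.99:26540", "Pizd11337-26540.portmap.host", "tcp"),
    ("8.8.8.8:53", "99.193.161.193.in-addr.arpa", "udp"),
]

_IMAGE_RE = re.compile(r'\s*(?:"([^"]+)"|(\S+))')
_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
_RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
_OUT_RE = re.compile(r"/OUT:([^\"\s]+)", re.I)
_STEM_RE = re.compile(r"\\([A-Za-z0-9_\-]{8})\.(cmdline|0\.vb)$", re.I)


def image_path(cmdline):
    """Executable path from a command line, quoted or bare."""
    m = _IMAGE_RE.match(cmdline)
    return m.group(1) or m.group(2)


def classify_process(cmdline):
    """Tag one command line with the compile-chain behaviours the report lists."""
    tags = []
    image = image_path(cmdline).rsplit("\\", 1)[-1].lower()
    if image in ("vbc.exe", "csc.exe"):           # csc.exe added by analogy, not seen here
        m = _RESPONSE_FILE_RE.search(cmdline)
        if m and _TEMP_RE.search(m.group(1)):     # response file under a user Temp dir
            tags.append("runtime-compile")
    elif image == "cvtres.exe":
        m = _OUT_RE.search(cmdline)
        if m and _TEMP_RE.search(m.group(1)):     # resource object emitted into Temp
            tags.append("compile-chain-resource")
    return tags


def find_self_copies(records, sample_sha256, original_name="client.exe"):
    """Dropped files whose SHA256 equals the submitted sample (a copy of itself)."""
    return [p for p, h in records
            if h.lower() == sample_sha256.lower()
            and not p.lower().endswith(original_name)]


def compiler_rounds(records):
    """Group vbc.exe artefacts by their eight-character random stem: one stem per compile."""
    rounds = defaultdict(set)
    for path, _ in records:
        m = _STEM_RE.search(path)
        if m:
            rounds[m.group(1).lower()].add(m.group(2).lower())
    return dict(rounds)


def flag_network(rows, tunnel_suffixes=(".portmap.host",)):
    """Non-DNS connections to port-forwarding domains. The suffix list is an
    assumption of this example, seeded from the report's own C2 row."""
    hits = []
    for dst, domain, proto in rows:
        host, port = dst.rsplit(":", 1)
        if int(port) != 53 and domain.lower().endswith(tunnel_suffixes):
            hits.append({"ip": host, "port": int(port), "domain": domain, "proto": proto})
    return hits


def triage(cmdlines, records, rows, sample_sha256):
    """Combine the checks into one finding set for the detonation."""
    self_copies = {p.lower() for p in find_self_copies(records, sample_sha256)}
    processes = {}
    for c in cmdlines:
        tags = classify_process(c)
        if image_path(c).lower() in self_copies:  # launching the hash-identical copy
            tags.append("executes-self-copy")
        if tags:
            processes[c] = tags
    return {"processes": processes, "self_copies": sorted(self_copies),
            "compile_rounds": {k: sorted(v) for k, v in compiler_rounds(records).items()},
            "c2_candidates": flag_network(rows)}


if __name__ == "__main__":
    print(json.dumps(triage(PROCESS_CMDLINES, FILE_RECORDS, NETWORK_ROWS, SAMPLE_SHA256), indent=2))
```

Run as-is it prints the vbc.exe and cvtres.exe command lines tagged as a runtime compile chain, xdwxsvc.exe tagged as the self-copy being executed, two compile rounds (flgiex3l and lik4p-c3) each with a .cmdline and a .0.vb file, and one C2 candidate at 193.161.193.99:26540/tcp. For a full pass, paste every command line and file record from the report into the two lists; the stem grouping then shows how many separate compilations ran.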