Malware Analysis Report

2025-01-18 04:46

Sample ID 230611-jgkh9sgf93
Target WWL.exe
SHA256 40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790
Tags
stealer revengerat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790

Threat Level: Known bad

The file WWL.exe was found to be: Known bad.

Malicious Activity Summary

stealer revengerat trojan

RevengeRAT

RevengeRat Executable

Revengerat family

Drops startup file

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Unsigned PE

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-11 07:38

Signatures

RevengeRat Executable

stealer

Revengerat family

revengerat

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-11 07:38

Reported

2023-06-11 08:38

Platform

win7-20230220-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WWL.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Uses the VBS compiler for execution

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1212 wrote to memory of 736 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1212 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 648 wrote to memory of 1316 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1212 wrote to memory of 632 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 632 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1212 wrote to memory of 1164 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1164 wrote to memory of 1716 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1212 wrote to memory of 936 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 936 wrote to memory of 1528 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1212 wrote to memory of 376 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 376 wrote to memory of 1800 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WWL.exe

"C:\Users\Admin\AppData\Local\Temp\WWL.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qd7slr9e.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7947.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7946.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oeileqox.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B68.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hzyf6ghv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C13.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1cjgj6wr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CD0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CBF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e-qudist.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DF7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mpaxfdq6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F2F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjd7zkfq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FEB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7FEA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gzbcigl8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8142.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8141.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\twjixn0m.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81FD.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kvtiujal.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES829A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8299.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ef7uuigk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8364.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8354.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yuzgfs2s.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8400.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83FF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2wrwfgo2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES849C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc849B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\decqpyj2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8567.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8566.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gmxbhxgr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8642.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8641.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\btqb6bgg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc86EC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o52lbvvs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87E6.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lw_pgks2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8891.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ndpclfzx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES896D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc896C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mh15bixw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A08.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oj0eq7tq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AB3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dmrck3rh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B5F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t10ugdri.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C59.tmp"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {7CB6D978-F05D-4323-B9EC-61FA1CB2D15D} S-1-5-21-2961826002-3968192592-354541192-1000:HVMHZIYD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

Network

Country Destination Domain Proto
US 209.25.141.181:28050 tcp

Files

C:\Users\Admin\AppData\Local\Temp\uUUgHRHX.txt

C:\Users\Admin\AppData\Local\Temp\qd7slr9e.cmdline

C:\Users\Admin\AppData\Local\Temp\qd7slr9e.0.vb

C:\ProgramData\SystemNT\vcredist2010_x64.log-MSI_vc_red.msi.ico

C:\Users\Admin\AppData\Local\Temp\vbc7946.tmp

C:\Users\Admin\AppData\Local\Temp\RES7947.tmp

C:\Users\Admin\AppData\Local\Temp\oeileqox.cmdline

C:\Users\Admin\AppData\Local\Temp\oeileqox.0.vb

C:\ProgramData\SystemNT\vcredist2010_x64.log.ico

C:\Users\Admin\AppData\Local\Temp\vbc7B68.tmp

C:\Users\Admin\AppData\Local\Temp\RES7B69.tmp

C:\Users\Admin\AppData\Local\Temp\hzyf6ghv.cmdline

C:\Users\Admin\AppData\Local\Temp\hzyf6ghv.0.vb

C:\ProgramData\SystemNT\vcredist2010_x86.log-MSI_vc_red.msi.ico

C:\Users\Admin\AppData\Local\Temp\vbc7C13.tmp

C:\Users\Admin\AppData\Local\Temp\RES7C14.tmp

C:\Users\Admin\AppData\Local\Temp\1cjgj6wr.cmdline

C:\Users\Admin\AppData\Local\Temp\1cjgj6wr.0.vb

C:\ProgramData\SystemNT\vcredist2010_x86.log.ico

C:\Users\Admin\AppData\Local\Temp\vbc7CBF.tmp

C:\Users\Admin\AppData\Local\Temp\RES7CD0.tmp

C:\Users\Admin\AppData\Local\Temp\e-qudist.cmdline

C:\Users\Admin\AppData\Local\Temp\e-qudist.0.vb

C:\ProgramData\SystemNT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc7DF7.tmp

C:\Users\Admin\AppData\Local\Temp\RES7DF8.tmp

C:\Users\Admin\AppData\Local\Temp\mpaxfdq6.cmdline

C:\Users\Admin\AppData\Local\Temp\mpaxfdq6.0.vb

C:\ProgramData\SystemNT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc7F2F.tmp

C:\Users\Admin\AppData\Local\Temp\RES7F30.tmp

C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

C:\Users\Admin\AppData\Local\Temp\qjd7zkfq.cmdline

C:\Users\Admin\AppData\Local\Temp\qjd7zkfq.0.vb

C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbc7FEA.tmp

C:\Users\Admin\AppData\Local\Temp\RES7FEB.tmp

C:\Users\Admin\AppData\Local\Temp\gzbcigl8.cmdline

C:\Users\Admin\AppData\Local\Temp\gzbcigl8.0.vb

C:\ProgramData\SystemNT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbc8141.tmp

C:\Users\Admin\AppData\Local\Temp\RES8142.tmp

C:\Users\Admin\AppData\Local\Temp\twjixn0m.cmdline

C:\Users\Admin\AppData\Local\Temp\twjixn0m.0.vb

C:\ProgramData\SystemNT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc81FD.tmp

C:\Users\Admin\AppData\Local\Temp\RES81FE.tmp

C:\Users\Admin\AppData\Local\Temp\kvtiujal.cmdline

C:\Users\Admin\AppData\Local\Temp\kvtiujal.0.vb

C:\ProgramData\SystemNT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc8299.tmp

C:\Users\Admin\AppData\Local\Temp\RES829A.tmp

C:\Users\Admin\AppData\Local\Temp\ef7uuigk.0.vb

C:\Users\Admin\AppData\Local\Temp\ef7uuigk.cmdline

C:\ProgramData\SystemNT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

C:\Users\Admin\AppData\Local\Temp\RES8364.tmp

C:\Users\Admin\AppData\Local\Temp\vbc8354.tmp

C:\Users\Admin\AppData\Local\Temp\yuzgfs2s.cmdline

C:\Users\Admin\AppData\Local\Temp\yuzgfs2s.0.vb

C:\ProgramData\SystemNT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbc83FF.tmp

C:\Users\Admin\AppData\Local\Temp\RES8400.tmp

C:\Users\Admin\AppData\Local\Temp\2wrwfgo2.cmdline

C:\Users\Admin\AppData\Local\Temp\2wrwfgo2.0.vb

C:\ProgramData\SystemNT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
