Malware Analysis Report

2025-01-18 04:46

Sample ID 230611-klhe5sgh23
Target WWL.exe
SHA256 40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790
Tags
revengerat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790

Threat Level: Known bad

The file WWL.exe was found to be: Known bad.

Malicious Activity Summary

revengerat stealer trojan

Revengerat family

RevengeRat Executable

RevengeRAT

RevengeRat Executable

Drops startup file

Executes dropped EXE

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Enumerates system info in registry

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-11 08:41

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-11 08:41

Reported

2023-06-11 08:47

Platform

win10v2004-20230220-en

Max time kernel

299s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WWL.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4896 set thread context of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 set thread context of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2576 set thread context of 4384 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4384 set thread context of 4996 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 3748 set thread context of 1732 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 3872 set thread context of 4956 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4956 set thread context of 2992 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4344 set thread context of 652 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 652 set thread context of 4460 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4644 set thread context of 4968 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4968 set thread context of 4396 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4896 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4896 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4896 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4896 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4896 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4896 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4896 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4896 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4896 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\WWL.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4932 wrote to memory of 4752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 4752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 4752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4752 wrote to memory of 2908 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4752 wrote to memory of 2908 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4752 wrote to memory of 2908 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4932 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2080 wrote to memory of 4860 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2080 wrote to memory of 4860 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2080 wrote to memory of 4860 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4932 wrote to memory of 4696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 4696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 4696 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4696 wrote to memory of 4456 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4696 wrote to memory of 4456 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4696 wrote to memory of 4456 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4932 wrote to memory of 4368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 4368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 4368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4368 wrote to memory of 1040 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4368 wrote to memory of 1040 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4368 wrote to memory of 1040 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4932 wrote to memory of 764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 764 wrote to memory of 4700 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 764 wrote to memory of 4700 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 764 wrote to memory of 4700 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4932 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 4264 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 4264 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 4264 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4932 wrote to memory of 2336 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 2336 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 2336 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2336 wrote to memory of 4924 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2336 wrote to memory of 4924 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2336 wrote to memory of 4924 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4932 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4932 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3256 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3256 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WWL.exe

"C:\Users\Admin\AppData\Local\Temp\WWL.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8okqviv2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEEB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CB705CA03D4C2C8FA90A19534995.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pcmmvyjf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE004.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A05677DE714C9D819DF3410AF886F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a31pgm81.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE18B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C4E2F81D0294278A06949CF88728FEB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j4umr7ej.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE246.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DA5B43B2254FEAA071CB11275868BB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_7o8-efk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE340.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc823B1FC66B34BA98C836A2CFD7961F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uynqep3_.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE40C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD95555CB893740448ED4B8CA2165CFF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gbwzfqan.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55EB051E61014F798C709927E8A0CA7C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t9wdtdvu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A182404E096427586DCAD49D73DC055.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uutyrb5x.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6B61455FE0450F99115C5CC04E878A.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ocrnywh-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9333841CF6E42D084EAAAC32E46A49.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\arpmb-vy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc694151F08F3F40AAA88E4A924726F85.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uik-xpi7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3D1AFB0232E49B5BD1CA445A5DEC0CA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3qcqn-zd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc471A50878C0E45198D53697B6DC81559.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\psc6z1fo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBBC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71D8E4322B1148818D5C54C51109AF8.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fg4gw885.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECA7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc349D41EE5DF34213A42595FA8E3B61D.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ltkgx38m.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED62.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4D4EED82F294D17B9B67E937AA95A74.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lpc9lgmg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc342D80E226744AA3BDDDB93FF1ED929.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n_duw-bg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc384C1276A1854FB396CF19C3A78C8C5.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e2zu_qeh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CB4D58BE9314BB785EE459EEEDD7541.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wwj3omyc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF189.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6418ECD050F04F1C8FF6EA17D8848B6C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ykjubtny.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF263.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2F1E0E1328748C78F2D61F99638CAD.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\97dxvfkk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF31F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0E3418D6CA04E46AB2CCD59B42992A7.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7lggsxxt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A51DE42F06A4253B9756F7CBF74D663.TMP"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1732 -ip 1732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 200

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x478 0x4c8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 2772

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3944055 /state1:0x41c64e6d

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

Network


Files
