Malware Analysis Report

2025-01-18 04:46

Sample ID 230611-m8faeaha32
Target 01474899.exe
SHA256 40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790
Tags stealer revengerat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790

Threat Level: Known bad

The file 01474899.exe was found to be: Known bad.

Malicious Activity Summary

stealer revengerat trojan

RevengeRat Executable

Revengerat family

RevengeRAT

RevengeRat Executable

Executes dropped EXE

Drops startup file

Uses the VBS compiler for execution

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Creates scheduled task(s)

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-11 11:07

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-11 11:07

Reported

2023-06-11 11:10

Platform

win7-20230220-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01474899.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Uses the VBS compiler for execution

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1144 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1988 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2012 wrote to memory of 1356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2012 wrote to memory of 1356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2012 wrote to memory of 1356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2012 wrote to memory of 1356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1988 wrote to memory of 1640 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 1640 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 1640 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 1640 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1640 wrote to memory of 1964 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 1964 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 1964 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 1964 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1988 wrote to memory of 1096 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 1096 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 1096 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 1096 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1096 wrote to memory of 1316 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1096 wrote to memory of 1316 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1096 wrote to memory of 1316 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1096 wrote to memory of 1316 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1988 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1628 wrote to memory of 436 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1628 wrote to memory of 436 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1628 wrote to memory of 436 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1628 wrote to memory of 436 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1988 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 592 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 592 wrote to memory of 568 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 592 wrote to memory of 568 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 592 wrote to memory of 568 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01474899.exe

"C:\Users\Admin\AppData\Local\Temp\01474899.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ekhs_nxl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9188.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9187.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvsvhkdv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES936B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc936A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hnwaphva.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9417.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9416.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hqltbj4y.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94C2.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5e0dxoxg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95BB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-xkoza_x.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9668.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9667.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qby08oyt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9771.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9770.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5mkupdnn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98A8.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t-dqmllw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9964.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9963.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9cll3vjs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A1E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j5wbd1nz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ADB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9ADA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pyoohqwz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B95.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nfgqyebu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C40.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\glpcj5iu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9CEC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hu12kzpr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9DA7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxfg4kwy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E44.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E43.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r4vwemr4.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FAA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wqpxr5tk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA057.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA056.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q3b13bor.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA112.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA111.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axnaq1rq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1BC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dtpsffmn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA269.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA268.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rsa8yghj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA324.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA323.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9qoqytpw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3DE.tmp"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {441F11A0-8950-4EE8-AFFA-ACBAFE0D519C} S-1-5-21-2961826002-3968192592-354541192-1000:HVMHZIYD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

Network

Country Destination Domain Proto
US 209.25.141.181:28050 tcp
US 209.25.141.181:28050 tcp
US 209.25.141.181:28050 tcp
US 209.25.141.181:28050 tcp

Files

memory/1144-54-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

memory/1988-56-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1988-57-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1988-58-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1988-59-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1988-60-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1988-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1988-62-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1988-64-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1988-65-0x0000000000910000-0x0000000000950000-memory.dmp

memory/516-68-0x0000000000400000-0x000000000040A000-memory.dmp

memory/516-69-0x0000000000400000-0x000000000040A000-memory.dmp

memory/516-67-0x0000000000400000-0x000000000040A000-memory.dmp

memory/516-66-0x0000000000400000-0x000000000040A000-memory.dmp

memory/516-71-0x0000000000400000-0x000000000040A000-memory.dmp

memory/516-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uUUgHRHX.txt

MD5 648c96743656a09f128dda6f0d353f54
SHA1 8aac85991244ad39e28693bcf5916effa91e3772
SHA256 3e941b6cf879079b8443e6ed30502aef6a000774b5e0d4bc653cea60ac734370
SHA512 f9493bdd2dbd5efc934089d87af92c358788238cbce2dd5f4330f6221df7af0124645e24ec563821dbca7138aeeafe061ae2d3757d0e746d93b0a9b18ec3e90b

memory/516-74-0x0000000000400000-0x000000000040A000-memory.dmp

memory/516-76-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1988-77-0x0000000000910000-0x0000000000950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ekhs_nxl.cmdline

MD5 9310656c4f8f03fd9c2688f205ee9832
SHA1 4227e98a55ae972db3c09461c013d4af9a2cd01a
SHA256 ec9e7d924b2242a307e35a3f94d074951bdf92c2d8f2774d3c4322048b9e1544
SHA512 5d9df934b610dcfcc6cc6f447469004e0f515f66f77d1b6dbf32aba2ee78ae9ace387d8a9db86627fe45e80d78a674161e81e2a05e73d7128f456d2cfc1e2525

C:\Users\Admin\AppData\Local\Temp\ekhs_nxl.0.vb

MD5 ae8eb6b25868950391265416771ed2f9
SHA1 c9c896e76d98d9b79b99fa46f22250829ac4fb81
SHA256 8f0ec724460841189bc388b37cdf45bf47cab57d331e20c599bb6cdaffff0122
SHA512 ae299a04f8f986690c691059e532dcfb71370f2e3c74098fbd1a3c3e4f8536d8293eff7cd4beddc5be6a754691b6a007f196d997dc77e81f8a1ad0689aa0c14d

C:\ProgramData\SystemNT\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc9187.tmp

MD5 9ae78ecfdf937b28dbb9b96227ff85cc
SHA1 21024b898ac029d2bf8137828afb9bd839e7309f
SHA256 45b8c28e62cc130b42c141f596e57d3664f1ed8af512ad97af34f68078cee9ae
SHA512 a32ec49d1391b6c057f60a2da8f9da761e585dac9328ef58c8b7e4710175b803a01f4ffc4ff4f6815a6fcbf2b8c0f294251c409aca91f06091165358faf88309

C:\Users\Admin\AppData\Local\Temp\RES9188.tmp

MD5 f28706c927bd29bef78d36e6125251b5
SHA1 fc5030f05c2a466158656cc5d70311fe194cc9e0
SHA256 a3a79e88e8efb0260114c0e6184def297e4fc3ad9cbca19b7c02bf5224230b10
SHA512 d8a65fb85350881a525056b3aaa1e0244d64e2c32b05e62bb900908b39f2e50dc36966345451a7f1f487702bff8b3e4fe97396b6e7e99b8073800a4ac1b77e4a

C:\Users\Admin\AppData\Local\Temp\tvsvhkdv.cmdline

MD5 270bd1d7aad8d75a8ec428b7e40ecca0
SHA1 a1ae797d3dc53ddca8d99a63677e2c64b470920c
SHA256 9b9a6dd3c3210274fbbd715c5409b1d294af01ac72da47130d6cd6d1423a542e
SHA512 597851c1329dc72f7bef7a5100655da0506fc8c322a0943c82f2a9a111eae94c89d1ad39bcbb7786ab75c8b1d4e3772f61dc6197cb33a7c214b28da405b2005a

C:\Users\Admin\AppData\Local\Temp\tvsvhkdv.0.vb

MD5 9fc1c2986a78e48303c69f262df98597
SHA1 9cb67d8927c71f03d6502a7b8899f223db773455
SHA256 fb34f1ab5e8e6f8c507f2ecba343c202faff530baff5c35e34af8632a03e535b
SHA512 38cff9bccf507bb11b9f7441a0446b94312da7b7b051f34d763a3dea84ba9561b043702678987f81a4464b621eefad53a211da6e7591b0417490807e787cff33

C:\ProgramData\SystemNT\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\vbc936A.tmp

MD5 8b22eaf0ea82c634745ab2667b7da0bd
SHA1 437eea3eeedf63b3ec546bdc07754fe94b2dbd1a
SHA256 d7262f2989e2a5b42dee6ea1bbd984131bc2b545d74e4e0a849a4e51d7666a30
SHA512 37ef16608767ba7c792641dce711c631606b844ffe4b0c99d0d4c521ad867d07d34f1ed0af16ff7f45638d759feea8d1593599c14003c6580275c698ea553ab9

C:\Users\Admin\AppData\Local\Temp\RES936B.tmp

MD5 d707461f50906a9e282ddcb4a8966046
SHA1 2784edbd733e07390813d71b18839964efaaa511
SHA256 4943e5567808cb5ffaaa35e12344eea22512dc2cfadb93bdcf2f789fbe86b208
SHA512 1b3a3b2c66b8f9b89c025cbdb3e493e566309cdc636e46205bd3115220d38d573192d4b5d0775f99b07aa8e5ea60efaf7c034f7bdbc13ce321fddd87c9b80b61

C:\Users\Admin\AppData\Local\Temp\hnwaphva.cmdline

MD5 17f97c4bf2fb79e8cd38da9cc52958d4
SHA1 22dbf4cf5c83f6052283459e24c8b48cf5630c95

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-11 11:07

Reported

2023-06-11 11:10

Platform

win10v2004-20230221-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01474899.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Uses the VBS compiler for execution

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2224 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2224 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2224 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2224 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2224 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2224 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2224 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2224 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\01474899.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4352 wrote to memory of 4828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4352 wrote to memory of 4828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4352 wrote to memory of 4828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4352 wrote to memory of 4828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4352 wrote to memory of 4828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4352 wrote to memory of 4828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4352 wrote to memory of 4828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4352 wrote to memory of 4828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4352 wrote to memory of 3056 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 3056 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 3056 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3056 wrote to memory of 3652 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3056 wrote to memory of 3652 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3056 wrote to memory of 3652 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4352 wrote to memory of 3308 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 3308 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 3308 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3308 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3308 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3308 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4352 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1632 wrote to memory of 4596 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1632 wrote to memory of 4596 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1632 wrote to memory of 4596 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4352 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2532 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4352 wrote to memory of 3832 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 3832 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 3832 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3832 wrote to memory of 4796 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3832 wrote to memory of 4796 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3832 wrote to memory of 4796 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4352 wrote to memory of 2392 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 2392 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 2392 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2392 wrote to memory of 676 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2392 wrote to memory of 676 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2392 wrote to memory of 676 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4352 wrote to memory of 380 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 380 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 380 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 380 wrote to memory of 2372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 380 wrote to memory of 2372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 380 wrote to memory of 2372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4352 wrote to memory of 5060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 5060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4352 wrote to memory of 5060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5060 wrote to memory of 488 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5060 wrote to memory of 488 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01474899.exe

"C:\Users\Admin\AppData\Local\Temp\01474899.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfknuhjo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA83B488DCB94E7DA4447E95A4669A89.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i2-ncy1r.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6B9C47F448A40AE852756F2AFB2EE8B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wiukm3lj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F08F10370240AFBA2C665896AB1C65.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\td2_mqj3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES106B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE26927205441497C8E533D541D64AF1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zef0c3xe.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1146.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0992C3FDC84E8D8DC2F0AE33DBD4D2.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y8o0o3zf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES126F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc539D0B05D5374E598E776E89CDA421A0.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ohy5olyk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1349.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc936158ECB4F1413589E824238B5CA527.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m0uz-omc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1463.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF989FD1BE8004B1A97105E3A8397A01A.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zzdvh5ms.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES155D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5FD2F9DDE32428FA176FA4B908C363.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j6vzjehx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1685.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B9446FB18EC492E8E9482FB1282D431.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tlgrew6p.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0037A5B339C4E1BA3634DE057A0D6C1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z0ipjh09.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc475010E44304DE1B25B5D2A7D551018.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbmfw_im.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE34FAC94504B369EE29F4113E4A64.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ocfqvnlg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AEA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2387858A658A43AA8E5369C8E7D7B032.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dmxkiajz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CB0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D21119CB174F96B155B2B358AE766.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y4zh_ii3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E8626EDCAD4834B91ECF6985601324.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dgg2lgkq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA70B16F31EB4BBAB72BE929F77EE4B8.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hhjxfotn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES201B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc198BC1FD7ECA4FDB9E472C9CB4A9831F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ex20vwkt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2105.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC03168742CE44C318EEBD7E972644FA6.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\liqqavg8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52BD5E496EEB4C198B9F814DC173BE8.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\csmfqej1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC556DE2E48F540B78B369BC4A9CAFD3F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ymt6q1uc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74A9AEE93F75406D92DE75EB62B83F7.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\avswslhv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40C3464FC9C14756AC3D1EF2203C74BA.TMP"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

Network

Country  Destination            Domain                          Proto
US       52.137.108.250:443                                     tcp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53             50.23.12.20.in-addr.arpa        udp
US       8.8.8.8:53             171.39.242.20.in-addr.arpa      udp
US       209.25.141.181:28050                                   tcp
US       8.8.8.8:53             181.141.25.209.in-addr.arpa     udp
US       8.8.8.8:53             126.155.241.8.in-addr.arpa      udp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       52.182.141.63:443                                      tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       8.8.8.8:53             64.13.109.52.in-addr.arpa       udp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.197.3.8:80                                         tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.197.3.8:80                                         tcp
US       209.25.141.181:28050                                   tcp
NL       173.223.113.164:443                                    tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp
US       209.25.141.181:28050                                   tcp

Files

memory/2224-133-0x0000000000A90000-0x0000000000AA0000-memory.dmp

memory/4352-135-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4352-137-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4352-138-0x0000000001400000-0x0000000001410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uUUgHRHX.txt

MD5 648c96743656a09f128dda6f0d353f54
SHA1 8aac85991244ad39e28693bcf5916effa91e3772
SHA256 3e941b6cf879079b8443e6ed30502aef6a000774b5e0d4bc653cea60ac734370
SHA512 f9493bdd2dbd5efc934089d87af92c358788238cbce2dd5f4330f6221df7af0124645e24ec563821dbca7138aeeafe061ae2d3757d0e746d93b0a9b18ec3e90b

memory/4352-142-0x0000000001400000-0x0000000001410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wfknuhjo.cmdline

MD5 5a5f12bc444585b47270492eb1a370a0
SHA1 826b8044812491e81ee8e9bf2810a067668ff73e
SHA256 4cf9b6a99840deae9e50903b4d912c43d8a72d7c8b9d1f31bac17789acc26ad0
SHA512 cce4523f6578e3e3753a5ad14842842852a906c7592a20a33aa951bf5c31151566548e3a173b612ab384352ae3edc2f8607c301ac74e010874d3e4c3adf2de63

C:\Users\Admin\AppData\Local\Temp\wfknuhjo.0.vb

MD5 a4e20aa77b5a3e0a9f761a525f4a4837
SHA1 3df6cbd065ec2ae8003129520fae1ab6ee44d55b
SHA256 8655eb0d27b6d2dfda9683384b739b392fe23dc939f19c7cc6fedfe41a7b98ad
SHA512 ef9c4d81911d5908f4369843e3f706fe6ebdb9c0b04b394d89f79b33596e616d37e712c69077c0ba9e548645ad6c4454eb8c8457e554ae395c77651728747bd0

C:\ProgramData\SystemNT\DumpStack.log.ico

MD5 9430abf1376e53c0e5cf57b89725e992
SHA1 87d11177ee1baa392c6cca84cf4930074ad535c5
SHA256 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381
SHA512 dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

C:\Users\Admin\AppData\Local\Temp\vbcDA83B488DCB94E7DA4447E95A4669A89.TMP

MD5 cf5d89e63a979fae6a87015048f89bf6
SHA1 c42a88b41fab3213d14f838b68fed362bfa4d3e5
SHA256 cd9d0006ed529263fb5b321bb4d9b39158340e480d6535b9139af436f4a63518
SHA512 ef90170e9a3f605f1ff7b421b2e5b34c6023d5c7a72532aa04ac7bd1032d1a6c55d4aa2d11f6a0a0146e0978d675fa54c2de56d27bae87a0708125c1a31841c4

C:\Users\Admin\AppData\Local\Temp\RESBF6.tmp

MD5 5cc1524b084d30e60d0531ade2a222ca
SHA1 328ebe62cda0d78bed81d1afc2ee36592fa9f5b1
SHA256 e06ceec29e581e44e857483aae31b3c1d331a9b2eacef7d501630def983ff09b
SHA512 a263ed397502b8bdb6b9ec8cbc9ac13f1cf927c599dacd890d1b83e96c56f1740e1847b6cc35a7e2fe70b9e194825e7a63da962ab1da0db7ca0f868eb42d9235

C:\Users\Admin\AppData\Local\Temp\i2-ncy1r.cmdline

MD5 34c2c712656ac7f9047a533d3558f022
SHA1 22a3ed3948315db8266202209b36ef17a836725e
SHA256 53a679f9138246354e4df07c15e112cdb1e10a37d6443de4c4461836fe031123
SHA512 06c3c0ee8fc1c01506f6d5237ec006e8f57a71f88d86f529a7129a836918b8803c0aec56c4ac288a12906e49569981b0bad77136d5bfdd3d4e134f007a065fa0

C:\Users\Admin\AppData\Local\Temp\i2-ncy1r.0.vb

MD5 ae8eb6b25868950391265416771ed2f9
SHA1 c9c896e76d98d9b79b99fa46f22250829ac4fb81
SHA256 8f0ec724460841189bc388b37cdf45bf47cab57d331e20c599bb6cdaffff0122
SHA512 ae299a04f8f986690c691059e532dcfb71370f2e3c74098fbd1a3c3e4f8536d8293eff7cd4beddc5be6a754691b6a007f196d997dc77e81f8a1ad0689aa0c14d

C:\ProgramData\SystemNT\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcC6B9C47F448A40AE852756F2AFB2EE8B.TMP

MD5 a7d4a5ae829469f0518aee79d6b5fa0a
SHA1 f670f426b6e98df955b7470801660ea524fedfd0
SHA256 b9d146373463b77ad2d77df73ab8394a962d6697d5fd431ae932c0588b1fb8ec
SHA512 b82064c6022f406cdf63ddb86777939acf0aa6faa220bd6dc1eac33b1e510d16c33f7cf2f1e4d9bade2d6de423505b75683dc6e79a7e9b1c74b14983578288e9

C:\Users\Admin\AppData\Local\Temp\RESDAC.tmp

MD5 8de96b4279963cfb79ba78abc057abb5
SHA1 99de137ea1583a3c843f700c2db165fe57f3f2e6
SHA256 c6a5e3f272417710c2242c7baaf5f96663d5b227615d163a48f96e8465e10a5a
SHA512 11b26d3c49e917279f0b6bca989f6c0a644214e472a2eda2829e9f2f42bcf90e2f702222834fa9111812adc3b865e16a1dfc52b0831822fde5de8fdfce3267bc

C:\Users\Admin\AppData\Local\Temp\wiukm3lj.cmdline

MD5 fa555ae4a863ad5b31a0ec8b1c674fb5
SHA1 ce444c9c6b5e46c4f939c5310162647f6e723b6f
SHA256 54dcf00ac2050b41fe03020380ae5fda2e0c2bfaf494530c7f80103c21f9f820
SHA512 55650fc24fd5d394e49aa584c1f47b9980d5ba8a57ba1d7809bf242c9de44b62bbdefa89841561f889e49677d638d45386dc4edbb764f9fe2a61459b1ac8e21e

C:\Users\Admin\AppData\Local\Temp\wiukm3lj.0.vb

MD5 9fc1c2986a78e48303c69f262df98597
SHA1 9cb67d8927c71f03d6502a7b8899f223db773455
SHA256 fb34f1ab5e8e6f8c507f2ecba343c202faff530baff5c35e34af8632a03e535b
SHA512 38cff9bccf507bb11b9f7441a0446b94312da7b7b051f34d763a3dea84ba9561b043702678987f81a4464b621eefad53a211da6e7591b0417490807e787cff33

C:\ProgramData\SystemNT\vcredist2010_x64.log.ico

MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

C:\Users\Admin\AppData\Local\Temp\vbc6F08F10370240AFBA2C665896AB1C65.TMP

MD5 506d756ef9ee3af1d1ff4d2802cb43d4
SHA1 04085ee08cd57df307c02443ae739060d0ae5000
SHA256 190840c65b42bc660897addc40f3286ac804db334800f04c59028aceb36ca6ed
SHA512 2e822c12858d51a4031239d778fa7513fe63cbc973f0555f8d858510a73d00d2cbdc5fd44bdf80de8d56d39e11f82e9f1c673568dad41b0d22baf0400aea5931

C:\Users\Admin\AppData\Local\Temp\RESEE4.tmp

MD5 0e5a87bf3500cad69e2140434156df31
SHA1 9f4788af6aaf29a50404e425be80871dc4078442
SHA256 15e35384880f615fe9dbcdfeacc826bcca03e00108d09aba7a66b7351cff0514
SHA512 0d80d1ba469020464aeb6a4a35b4cae49613aa69d425587b7ab622b8879c9cb7ce586f9a5587c474ca2b16bb864fc31fb18be5fe609ae9e5ee7f9eca5cea7ead

C:\Users\Admin\AppData\Local\Temp\td2_mqj3.cmdline

MD5 f78fa6d1c6c2d4909ec645a3dd466b37
SHA1 f3f111f59c46c9846e5ecbd694271f997c4027a1
SHA256 44ff11cc61c97454f8ce14c0a3ee39c06ea3fd64d4b5f58ab3a37d81a7b1ddaf
SHA512 29e3c26792c3f8120690e9073cc544a8bcb5e1300317ca1e13a30743e0a88e0486ebc2b3d60f8d546f1eea622cdb409617e8a42804997f3ebffb61ceb4b0fd32

C:\Users\Admin\AppData\Local\Temp\td2_mqj3.0.vb

MD5 6632b8e6623b67be6e47b7578982b4af
SHA1 0e3dbc159228c41b62c33fc1dd79ef16b1e75608
SHA256 16832bc9cd3e97005002bc7ff2f885e16f1931fc1906e54aecb0c9926d350257
SHA512 241f25665d841e5c783279177c97b55f40a53ae7e44739d64607ccf408a413c994cc6d110af37e46ffb08cfb3251da129c8ca35bf3b3d9c9ad0f899896ec3cd7

C:\ProgramData\SystemNT\vcredist2010_x86.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcE26927205441497C8E533D541D64AF1.TMP

MD5 3257a11829a1fd132f6ff644cffe623f
SHA1 c0f0fd2b796691184e391e5bbee897572556de33
SHA256 61f238a3b40b588282576c33b78ce0d4e61beb8c10a03ec5d96ce74e0913809f
SHA512 5fda46c1a643d6433fde99a877ba59439bc07e4097fd684e9c9456e13dccfef9cd156cf8f9eecb39ba3524f233f3e161b8f7570ccb51c874d8db5bd83f510fbd

C:\Users\Admin\AppData\Local\Temp\RES106B.tmp

MD5 845182634f209f2e9d6cda4ff6a0d9f5
SHA1 b7b8f9a39215224ceefbcb5316c39a923675a1e7
SHA256 34684f79d75fc4ca1a529a4949d8e9b26b05715865841b72915625ee4a46ec81
SHA512 f4fcf93e4857d91f767011d6f07f8d4e021fba8730eab1cc5b06c4558c5c6dcc476d2aae96b11d0d79f4497f6adfd4cb75196feb4ea54ce01ed396b83a5b8c3f

C:\Users\Admin\AppData\Local\Temp\zef0c3xe.cmdline

MD5 566f50915b248fca81a49afd5bfe89dc
SHA1 29955b7dbe1b62e8704928a2f4f7014513543c6f
SHA256 0720f7a02eccd661e66af1cf8bfc9b901566305564d494ec2ee60ae7e63a34e4
SHA512 a23ae6a43cbdab0bb9300f41e81f0c6dd7c11b3c39e5d2b02af32ac53d137d06f8fc9e8649a6cc6d90c746ce9eceb1f3080c0139518ef4016c0224b55b148f1e

C:\Users\Admin\AppData\Local\Temp\zef0c3xe.0.vb

MD5 b23bae69c4cd1679b6eaa5c338f78bf8
SHA1 c07d3a742abe9705f2917ab4e6494631ba278ee2
SHA256 6c725586f404da5b8e1514863a8016a82ad6ed12da153bb038ee2472d12b3a4f
SHA512 01d31d9ea0a59562df993f12c288ad63942d18ea0cab27e0e8c863839548eeeb0a26664ce497ef9ed68095bf96754efe2bbd735e60b1713f4fcef4e6b97d63a7

C:\ProgramData\SystemNT\vcredist2010_x86.log.ico

MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

C:\Users\Admin\AppData\Local\Temp\vbcB0992C3FDC84E8D8DC2F0AE33DBD4D2.TMP

MD5 64d92313519afe8c0854995a32474a96
SHA1 984e9efd70477eccf59a41ecb30fdd8ecb3e7faa
SHA256 d22e19b391b6f4a966cc994786a3f5ff8a8589f49825f941425fcd94e9a28496
SHA512 d60f1f35a39195d4101181a2568b2ab763448ddcf492a7899e9605813c2b44721fe1474b96d1ed921e00e9f4e6af2c1b5669e266c06aa557aa507597355cb4ee

C:\Users\Admin\AppData\Local\Temp\RES1146.tmp

MD5 ddeb3f1767ee2dae7ea6e80694745896
SHA1 25362a0add62310c809a79a56e765cbc0f16ffa4
SHA256 b5161562b7547976b87e949cedeb0ff8091c48afe90658390cfc372aeee76ff2
SHA512 cc67edb6141bd2d8dda13a07f45784ed91f3fe6ea56e6b4038e461fdd09a0cc81835a60e268be1be8f78803c204e734904dc34d71c349ecb4d9a5afc5cee6de7

C:\Users\Admin\AppData\Local\Temp\y8o0o3zf.cmdline

MD5 4e7d7aec4df0b635e61a00e530f639df
SHA1 e252866cb1dd1a88d4a74997591190448b0b00c0
SHA256 20d1f0f133a6093849ed5e3802f715606ea43611a0033e403d954cca60378c00
SHA512 b00b066af0089acb8a4a523556ccc8a0da554ab0552b3eeb703b58378a4a455051727b53c9c128627a4da0bf7704079222cb30a4f13ca9046e8fcb6cc38592bd

C:\Users\Admin\AppData\Local\Temp\y8o0o3zf.0.vb

MD5 eb62dd8b855a24369944d001d4c24b85
SHA1 a6793f997279ae1b59d1c7d5ec8643a3257eccc2
SHA256 d08cefb33628dc8316d3791b7f33384cf3106d9383547ce0a947bda69eb3010d
SHA512 bd120e3fba8f0738a12273680e37e5618907635e6b0c21559509b4870ac21238b12cd5c52db2504558b219c517db62b5a63b1b6c2d657c7c3048b1865fdb1ac0

C:\ProgramData\SystemNT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc539D0B05D5374E598E776E89CDA421A0.TMP

MD5 7565dee9ba6fd50bbcdd048ad8d9b85f
SHA1 7d28bfc1f716af87fbe07e4355357f25362677e2
SHA256 aedf3bd9c37684c05bc91f1155b42a72ed24c348a16b3205836bb44ef878bc67
SHA512 96353c8ab995a05d48f400548896d5e04dadc917e6b9e5a1740f9392b87a045d60cb2420b12d9674722ff12ff96c6bc2e2cc1d9cbd348a530232fd188c9c114b

C:\Users\Admin\AppData\Local\Temp\RES126F.tmp

MD5 6a0669590d97d6176f9bed2602fb8047
SHA1 b93c9843e95bcd0c2e71d7b6599fbc882e68995a
SHA256 427a95f0bc3a1997a7ebe40573ed6783325ea2190d90fbfc47cf3bfa7fe4713d
SHA512 fa2164024da9ea39d67d8258460d2af7cc280ae3e8760e98d6bc58cad36285761dc60c9d7fa95a057ef78a254086c6ec4fe0f95672aec86af9b14528cfa599eb

C:\Users\Admin\AppData\Local\Temp\ohy5olyk.cmdline

MD5 f00635dba085c20e969e539a51efe884
SHA1 69b0f637b459a283e8ec8f9e92f999c1b8ad8669
SHA256 73f4fe2b49da2d4fdd829c021eded8af6452b5f0ef5121c44fdb55f10241c354
SHA512 fe2296d3847a02d13ae0bbd4b6ade305e06cdbb733080206f1ff5e7372f3317643a2280638ee52f664ea220b1fb099cb780dc0cd43c4ab2d8d0d0cdea1cc4283

C:\ProgramData\SystemNT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\ohy5olyk.0.vb

MD5 bebb2f77c5da61a9a0a2aefb983bd6aa
SHA1 a5d7aff92823b5b0dbbd67756ca135c3f6491892
SHA256 99a6596d1b483149a13368c4a4dcb9983d71e061ced2a82b11c3d3ca360c0446
SHA512 365102693d823c21e28d879ed3bc3e6b0872abb886f42a957b5719019f06d8c670b99fdeb37d9b9e47cd573c47aa5ccd08749e646ba990eb9196e42ad3ffdae9

C:\Users\Admin\AppData\Local\Temp\vbc936158ECB4F1413589E824238B5CA527.TMP

MD5 58f4a79de09bb9373c85aba22acad5f9
SHA1 347bf8014126146547b26f3c4cda4afee441245e
SHA256 e00c230d0655532bbf8092d0fd663417447b5a44955817e8bf4fbd09778faa3e
SHA512 6e8fe48474931c060ac14849e05c00990bd962119c63793bfbad82962c5cffe9c5b624e8a1c3e370bb6c7894ffd11543abc0adda8758d530d8fc833fd1e88c4e

C:\Users\Admin\AppData\Local\Temp\RES1349.tmp

MD5 288c4f38bf53830fd6a077ea5d14e91e
SHA1 2b73f0c79a1afacbe0fd338e8ad721d19abfa49a
SHA256 4f1875dfbfe39df03d72f3f8973c4e54e2305cca52b1e90c08309fb71778991d
SHA512 84a9cfa5bac85714ec61d9f20cb46b5e79f47286db50edf4f65e409a6f05d278ccf9d24e3437f1e4bcd5bebf68999f835f3c5f5e4814420ad4958267e0f64bb4

C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\m0uz-omc.cmdline

MD5 baef93ee9da144011ae667eb01796963
SHA1 0de83b39f9084057e4f7e25b1cedf37d34f87f01
SHA256 e40fb17fe31041e2e38bc006335e13506e24d98f4df16cf3a1ce413d75f2258c
SHA512 49b1ae862e6945b7c51f644eb6d4cfdf37245c288519bca09d2a56b4fd4d78a1cac81e4a9cacaaaea2bae59207986a01ac846e88d4b69a28113da8391754073e

C:\Users\Admin\AppData\Local\Temp\m0uz-omc.0.vb

MD5 6c33c1dc16de9a18f8fcd8ed77fbc525
SHA1 c2c1d8528db8cfae4db90cd4a4e3a253d749f250
SHA256 deaf8b916144f0f4fbc1862b5d1db11a9f1d3d62cb337b99accc1887b6b35a22
SHA512 ec82c3ed676fc74f4d3d58ec6a00dee0319b206ae5f9fb95c4049adaa5c08d7d6754a43c484fa23add1c7c666a370480b8d98b4e69c20f90f7657b3b09f96a95

C:\Users\Admin\AppData\Local\Temp\vbcF989FD1BE8004B1A97105E3A8397A01A.TMP

MD5 d2481a81163b082edeebe4f323a32b7a
SHA1 17c12804948d6b3c9a37dc4a5bc83522dd22f2df
SHA256 a984cada28d4b60ea896a916911db264f2a365c86dfb5154415ec2fc006879cf
SHA512 4977cb8097e2429326024b04f4d365f01ce0691bfd48182553cfceb288650ee274f34e58330f99dabcfae40f487472e2601b012186f06f66bb021b8bd023f8c1

C:\Users\Admin\AppData\Local\Temp\RES1463.tmp

MD5 a27370aff7983314f3204e10310652ff
SHA1 5d7ebf79a7ae9e69a9add43ec9e132da908ed61e
SHA256 8abad00592f05e4e6b5fbedc2d5ad5cfeabf052dbeef62f52ac95484efcf5e53
SHA512 dd732a1c252dff6850b1f250e926ba14ae69dfe621e165f318fb3d78fbb8d7239f3b6b86bcf969e226dfdf5c40269757db971fcf169bccc0a5ec3715db2b2d9c

C:\Users\Admin\AppData\Local\Temp\zzdvh5ms.cmdline

MD5 728c90d2b9ab89f401a37b0470f09e47
SHA1 29dd42b2453469e1c2afd6b6ae39a6a02b9604de
SHA256 40c0acc05449a30d339b3a723233651a7bbe0e1c840946004cac4f3ba8a5ffab
SHA512 91c54e1932c9b904dc2c98997b0067730ef9a61d07c33e4c5bdc82a0d48569311af108a6d9c96f9a415c11d135f3c70668a0f2cd6b3c0c8d86e1058562c15ea3

C:\Users\Admin\AppData\Local\Temp\zzdvh5ms.0.vb

MD5 89b6dc723b152e03561de0fb538d6c0f
SHA1 f8bda82033ab5b1902cfa6391b05dc6dd6c1f58e
SHA256 1307ab55a59f7e00b4bd5028de6b5592d160fd0beeb4d79df3ef1ab563c01df5
SHA512 a7917740e6594cc5ccdcddc9aa56545fa40912d08e6a2fe3c3d427498b46e337a12bc85497b5668bd0add65c690a3ff0c0d0ae5f61574c454358da8deaa86f5b

C:\ProgramData\SystemNT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcC5FD2F9DDE32428FA176FA4B908C363.TMP

MD5 9cae177db3cf54f21171914cfb3956a2
SHA1 8f141b266a354fb014bc99e4c60299b9b58c2556
SHA256 2f8ec8fa77d8ee06b821a12a37bb7fbe071eabfce60e1a336caf1bb1a368eed8
SHA512 87dc7384d0e76954161590e5d4a956706a7a83f76e34c13f4846f2ca6cf3daac50791a93b9694b56b02162ce19aecb571415a5748ed5b0c0f181bc9846713ba0

C:\Users\Admin\AppData\Local\Temp\RES155D.tmp

MD5 c77a14836e0b7535f0853475a02e3550
SHA1 6fd561af745f2b210e2d7690e9faec55ccc36b5a
SHA256 0dadb8adb612b2d8e0e336204f26bc37017d0495045c89975ed81ff08dc68d0a
SHA512 67fb3e749a93c4beb4f70d13fcf8672a73a8433febf48c8e207bf3067b9cbadb01a52a590aedc5a6d867a77c769f774fcd53e5342550b9abe677ce522cd258b6

C:\Users\Admin\AppData\Local\Temp\j6vzjehx.cmdline

MD5 ea7a1acbd852b5493f35f39ce9e744eb
SHA1 faa6f0eb04ad6a0eaff8e6f81c741566492f1288
SHA256 633b2182e0d7292baf8ed8981103ffd02ddc9c93efe405305098eb6ccb54fa82
SHA512 9dd71c8268dca0b5a762fdafbc76b792bf7bea6c83f7525c0dc206aa67782b9eba9b36d28d0cd2c2b5a63a40084d3c22d0428e95cefb450312e4cf84f9a7ae16

C:\Users\Admin\AppData\Local\Temp\j6vzjehx.0.vb

MD5 4ecc0d3873c865192b79be5a94fe4d63
SHA1 89220b757311564e4227f9fd4395bfe9f0408f4f
SHA256 5da4cdf3b60f9cb494723d69a453e06e568345348f4dba51f4f8aa042fdf00b2
SHA512 3108c43ba6ea9525dc6ffafe458b06d14441b39667121fa936f8bfa38309811be57a07ee7045279859d2e23c91d6abaa6fc6768550627268c7d7beb60a1e432a

C:\ProgramData\SystemNT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc7B9446FB18EC492E8E9482FB1282D431.TMP

MD5 3836b35d64f2cf7981583961bc82aea5
SHA1 aa11f0a968f60d29365eec8160050089dff737a7
SHA256 410aa0919c98bfc8f7b28564d7afa59a4646361b2ea6f277d597007b14464408
SHA512 dc436cc5ec5bde83a646e550c8673e4ccc3687bfae8b0764c4c71977fe755bf2ccfc3304c5868b4076304a776a7c25fd54d5d5e08840bd93a98013a1747060f3

C:\Users\Admin\AppData\Local\Temp\RES1685.tmp

MD5 ac565441eb68df3657597928d0e481cf
SHA1 9f8c5180277fb1c8d1e8748d4680c29035bcfd4d
SHA256 ef2d9cf0f3861b94ae36f44f0b9c4028662df68daaca849c50250910b2cb79c6
SHA512 61bb007b1f024ed220580f8ed07481fdb1c1cecfa85eb9ebee3edaafb1c48f2edeb979ddb4ae76d71f1c2d96e7320ed0acd3bac8f0d7a36300be5fc916230296

C:\Users\Admin\AppData\Local\Temp\tlgrew6p.cmdline

MD5 60373325a118eb7869b9781205708946
SHA1 45ce7e36d6590b50334372eae82f46a1922c94dd
SHA256 d565d7f9420e340a2bb61dbdda3d9c26441706c9bc0f02b593143a69372fd849
SHA512 3a2e80defae321b61f5f437832846ea4c8a1afb8f06c1dc533a854f9b932676f18140f98e88e211ab4fc5b455d5531f07555c52e1568103a9d7012d514e29036

C:\Users\Admin\AppData\Local\Temp\tlgrew6p.0.vb

MD5 aa4759a2f16e274da63c66556a9bfaff
SHA1 47301d24dfe22eff3e6127d6aef39e29569b68ff
SHA256 66ae36ff98ae7035a2707e5cd07a5e8db7527ea8407f1b56023b4dcfc0fb776b
SHA512 aec075b88c400f991db2ed4c9c8dcc9a171f7128fdfdb9dbc048b21e1c69ea286e98ce0c3ce979761c775c1787440f0e6d3fa9b1e745f03d90ec5e681ba52b65

C:\ProgramData\SystemNT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcF0037A5B339C4E1BA3634DE057A0D6C1.TMP

MD5 c50210246cd334c244efca51f02dde1a
SHA1 e665aa8437b5372fa123bed3f465127e15a229ac
SHA256 e94f815441464ed0c553e332fca76156aa995d5c6e08df225bb8e810dd63d609
SHA512 e06ba1f9ce5303daa99ad33a570b0dcd2aa46e28a2463ccb3778b8de50d5c1f44e33a040641efad8d13ef12ca70acdd2a840f62c31b00abcd1f0c1d94c7a2b96

C:\Users\Admin\AppData\Local\Temp\RES17BE.tmp

MD5 84b15be06ec1d7760567135c7996417a
SHA1 e965ccda1cbd36da5ffc748ff369683cdb787a80
SHA256 acbbffced02cb4e6083ba2829f5bb677eff206b413ec32b6bbb97cb65e770763
SHA512 0f65de07ccbbec9b0b13527550fc3c4c3515654ae2b51010906ddd6ddc788227e9c81a9dbc6f80024246d7d37cd73d55ff73272ab851d9d6c7c50a305d40ea34

C:\Users\Admin\AppData\Local\Temp\z0ipjh09.cmdline

MD5 2b546c42b2a3af749950a8c7eb542de4
SHA1 81f83e2615a88ab95962396bfae4369a1de1d99a
SHA256 3db10bc2be71f53e36ea536cc6f7e1af516ac435e7180cf66ffc7a51edf4c928
SHA512 3fc6b5e9beb76af7987f479fffc1018ce0ea21400ed457eca074ad6119ea7e6da23ee79c82051567ed49432b258f32a6c056dcd9b3c1212190371e6e2bbcefbd

C:\Users\Admin\AppData\Local\Temp\z0ipjh09.0.vb

MD5 9d9dd2aae1451faa6b296ce2fc5f13a2
SHA1 6d6d39fb4fc80b4bf216a8edd884a91932ebf7f3
SHA256 e777028474493f4e41937e1df998a988a1c5c5cf5f364963ca10abc13d8c2c25
SHA512 ae2d6458871cd4352cfcd2e299b427e63c17f2f75d6ccfd44cb339eb4c5897ee048cb8785e54896724780ab3f1b426a32744a181b6063d019f03b150e02667df

C:\ProgramData\SystemNT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc475010E44304DE1B25B5D2A7D551018.TMP

MD5 dfe580c621254b33c2371200646fad27
SHA1 650e29e19a849ec8d9760948ac119c81a7a97287
SHA256 4817c0d9f3fd90caa10904f3990ac9bab54c55f1d5b8afe1a9e9d8e2efb90320
SHA512 c14d7603d95c1e9f1dc564bfde2b18b67f294fe42c8a2ed7f666e477043a3edab0c6c3afd09cfa58e34cb92f6caf4b888ac459718cf7dcc094ad6656c0ba26df

C:\Users\Admin\AppData\Local\Temp\RES18F6.tmp

MD5 521803e2367bee3e1d0b1815253175a4
SHA1 bfc34ce3a51d12093c217b4a59ae8c6ef2be506f
SHA256 614dceacf6b0a87e6665ae73d6e78899c4881dab1b1b3ff8f4665e8065f968fa
SHA512 29a7b6e4f33378606f3696919686c2f95a40019d382308539d6c32a7a81bb820363a28f9033aded1ca72f703bf6f55c2ea2cdf2a5e6cc9dae066a114b18919e2

C:\Users\Admin\AppData\Local\Temp\kbmfw_im.cmdline

MD5 fa1933c2aa3938c1f152454b65211216
SHA1 ec72c4ab8358e1a77ce2108c5f4d961e9c023aa0
SHA256 3620f821cd820ea9f387a055df7bb6a72d6245f0b9b68d18283d20cd630e929d
SHA512 a4ef2c414e7848051c0165c0151047d5f60756dec078962d40eb40362e222e84b8996f0b264df92e9de19cef8e0be2d3602c974efeadb7e5b0a13ff0ee62e4b1

C:\Users\Admin\AppData\Local\Temp\kbmfw_im.0.vb

MD5 31713838be24004aa9b4c15004456de3
SHA1 41a586504ae3b70183e649ada59cf61ec3d6fa30
SHA256 c67a4ada1f2814dd08248f3f1973466ef2a8765b43e08dfe7f9f7cb5933bf7a9
SHA512 402b776be3d3c10ffd8872f2acd0dddac9dbf0ae9b1d351f20494797d675bdbe1b96f56f08d8dc6a3f2f5bfb179ebc490f8dd628cc1f5153d593c23341be261f

memory/1472-335-0x0000000002400000-0x0000000002410000-memory.dmp

C:\ProgramData\SystemNT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

memory/4352-404-0x0000000001400000-0x0000000001410000-memory.dmp

memory/3180-406-0x0000000002340000-0x0000000002350000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

MD5 ff621b3ec028ff34e6dd40649434e246
SHA1 2bf21078ee8f88b70291c41f7e41ab03fad0a27d
SHA256 40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790
SHA512 2bc1dcf4bb3cc887f8bd9188df7eb01eebe1516c7120a6b355af2a85790dcd3d9ffcd9cc529de5e5613178efe264dcb3c99730b1adb6f1d84b9e4afc0f4bb368

memory/2328-445-0x0000000000920000-0x0000000000930000-memory.dmp

memory/4720-450-0x0000000001B20000-0x0000000001B30000-memory.dmp

memory/2256-451-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2256-452-0x0000000001240000-0x0000000001250000-memory.dmp

memory/4720-453-0x0000000001B20000-0x0000000001B30000-memory.dmp

memory/1760-455-0x0000000000810000-0x0000000000820000-memory.dmp

memory/1612-460-0x00000000019D0000-0x00000000019E0000-memory.dmp
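The listing above is regular enough to parse mechanically, and doing so surfaces the points an analyst cares about: the two `.ico` files under `C:\ProgramData\SystemNT` carry the same SHA256 (one payload written twice under decoy names), `helper.exe` under `Roaming\Microsoft\Windows\Templates` carries a different hash from the droppers and is worth checking against the submitted sample, and the `*.cmdline`, `*.0.vb`, `RES*.tmp` and `vbc*.TMP` files in `%TEMP%` are the residue of `vbc.exe` being driven through .NET CodeDOM at runtime. The following is an added example, not part of the report or the sandbox's tooling. It assumes the leading number in `memory/<n>-...-memory.dmp` names is the PID of the dumped process, that the `SAMPLE_SHA256` constant is the submitted sample's hash copied from the report header (here set to the value the listing shows for `helper.exe`), and that the regular expressions for compiler artifacts are my own; the embedded `LISTING` is a subset of the entries above, copied verbatim.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the report's dropped-file entries, verbatim.
LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\z0ipjh09.cmdline

MD5 2b546c42b2a3af749950a8c7eb542de4
SHA1 81f83e2615a88ab95962396bfae4369a1de1d99a
SHA256 3db10bc2be71f53e36ea536cc6f7e1af516ac435e7180cf66ffc7a51edf4c928
SHA512 3fc6b5e9beb76af7987f479fffc1018ce0ea21400ed457eca074ad6119ea7e6da23ee79c82051567ed49432b258f32a6c056dcd9b3c1212190371e6e2bbcefbd

C:\ProgramData\SystemNT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

memory/1472-335-0x0000000002400000-0x0000000002410000-memory.dmp

C:\ProgramData\SystemNT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

MD5 ff621b3ec028ff34e6dd40649434e246
SHA1 2bf21078ee8f88b70291c41f7e41ab03fad0a27d
SHA256 40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790
SHA512 2bc1dcf4bb3cc887f8bd9188df7eb01eebe1516c7120a6b355af2a85790dcd3d9ffcd9cc529de5e5613178efe264dcb3c99730b1adb6f1d84b9e4afc0f4bb368
"""

# Assumption: the submitted sample's SHA256 from the report header. In this
# report it equals the digest listed for helper.exe, so the self-copy check fires.
SAMPLE_SHA256 = "40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790"

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Files vbc.exe leaves in %TEMP% when driven through CodeDOM (VBCodeProvider):
# the response file, the generated source, and the cvtres/linker temporaries.
VBC_ARTIFACT = re.compile(
    r"\\Temp\\(?:[\w-]+\.cmdline|[\w-]+\.\d+\.vb|RES[0-9A-F]+\.tmp|vbc[0-9A-F]+\.TMP)$", re.I)
# Assumption: the first number in a dump name is the PID of the dumped process.
MEMORY_DUMP = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-F]+-0x[0-9A-F]+-memory\.dmp$", re.I)


def parse_listing(text):
    """Return a list of {'path', 'hashes'} dicts; memory dumps get an empty hash dict."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:   # reject truncated or mangled digests
                raise ValueError(f"{current['path']}: bad {algo} length {len(digest)}")
            current["hashes"][algo] = digest
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def classify(path):
    """Return (kind, pid): pid is set only for memory dumps."""
    m = MEMORY_DUMP.match(path)
    if m:
        return "memory-dump", int(m.group(1))
    if VBC_ARTIFACT.search(path):
        return "vbc-compile-artifact", None
    return "dropped-file", None


def hash_identical_groups(entries):
    """SHA256 -> paths, restricted to digests written under more than one path."""
    groups = defaultdict(list)
    for e in entries:
        if "SHA256" in e["hashes"]:
            groups[e["hashes"]["SHA256"]].append(e["path"])
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def copies_of_sample(entries, sample_sha256):
    """Dropped files byte-identical to the submitted sample (self-copy persistence)."""
    return [e["path"] for e in entries if e["hashes"].get("SHA256") == sample_sha256.lower()]


def analyze(text, sample_sha256):
    entries = parse_listing(text)
    kinds = defaultdict(list)
    for e in entries:
        kinds[classify(e["path"])[0]].append(e["path"])
    return {
        "entries": len(entries),
        "kinds": dict(kinds),
        "duplicates": hash_identical_groups(entries),
        "sample_copies": copies_of_sample(entries, sample_sha256),
    }


if __name__ == "__main__":
    for key, value in analyze(LISTING, SAMPLE_SHA256).items():
        print(key, value)
```

Feeding the full listing through `analyze` gives the same three findings: one SHA256 shared by both `.ico` paths, `helper.exe` matching the sample, and every `%TEMP%` entry classified as a compiler artifact. The length check in `parse_listing` matters when the report text has been copied through a tool that wraps or truncates long lines, since a truncated SHA512 would otherwise silently fail to match anything downstream.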