Malware Analysis Report

2025-01-18 04:44

Sample ID 230611-ma2ezshf2y
Target net.exe
SHA256 6e0a79de47349533cdc95befec0b037d401fb4e0e7ac306ee9a519bc16ca7282
Tags
stealer revengerat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e0a79de47349533cdc95befec0b037d401fb4e0e7ac306ee9a519bc16ca7282

Threat Level: Known bad

The file net.exe was found to be: Known bad.

Malicious Activity Summary

stealer revengerat trojan

RevengeRat Executable

RevengeRAT

Revengerat family

RevengeRat Executable

Loads dropped DLL

Drops startup file

Executes dropped EXE

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks processor information in registry

Uses Task Scheduler COM API

Runs net.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-11 10:16

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-11 10:16

Reported

2023-06-11 10:19

Platform

win7-20230220-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\net.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Uses the VBS compiler for execution

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\net.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\net.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1600 wrote to memory of 1304 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1600 wrote to memory of 340 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 340 wrote to memory of 1752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1600 wrote to memory of 612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 612 wrote to memory of 1476 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1600 wrote to memory of 428 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 428 wrote to memory of 852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1600 wrote to memory of 1556 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1556 wrote to memory of 1888 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1600 wrote to memory of 1112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1112 wrote to memory of 1620 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\net.exe

"C:\Users\Admin\AppData\Local\Temp\net.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4xqab0sh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5DF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gemkb4l-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC718.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC717.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ybn-nsqg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7F2.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u-qs-hj7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8AD.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\znnentkj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC979.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC978.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3zae4sd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA04.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hbvi9kqu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCABF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6jmm-pwl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB7A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zu8y3dy2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC16.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvmskhgw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCB2.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-oojaews.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD4E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j2jkdfq0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE0A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3xkkhhs0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCED5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCED4.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5j-jug__.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF9F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4o_triaf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD05B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD05A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\es3fy2cd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0F6.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q5vxpzp8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD24F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD24E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6zeh61wc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2F9.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5b_ta970.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3A5.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lm3uo0x3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD432.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD431.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vmvvonfl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4DD.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vpk24y_0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD55B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD55A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqikwdub.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5F6.tmp"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6FD10FA4-9A7E-4513-8FEA-19F3896344D0} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

Network

Country Destination Domain Proto
US 209.25.141.181:28050 tcp

Files

SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcC978.tmp

MD5 d01b49c23d1411fe56479e1af8d36582
SHA1 be69752fee821e3fc83837ff6c2b1efec665b9ca
SHA256 534c429b53024d565bcbcfdfd3790cedf790aa8783989710ba156157557178ec
SHA512 59ea39611ca673ca2c0d00c6572a0aee3774d8b3517095e64d960118bc51e0d98d8daa931c29ccf0e9cec7e2af32561e7e707102ebd0f09c52b03dbd41a6ed56

C:\Users\Admin\AppData\Local\Temp\RESC979.tmp

MD5 a6e43e3bcebd5a1ab4b762dc4e6d0828
SHA1 980c1181d645c461ce134136d713f13e5117255b
SHA256 cf82e7ca20c6dfac2712bdfa9ff9c1015df5bf6886e32bcac3b0dec8335b0e98
SHA512 3448f77a2e21008c0fe79f19c61fa59fdcae7342ff701b3a0033938768e28f2aeb75b33cfffcfc5006f719c1a65a92740fde0a75d710321696087587a0b0ae62

C:\Users\Admin\AppData\Local\Temp\z3zae4sd.cmdline

MD5 205a8afeb29b1181c39586fb526f10d6
SHA1 587760ce99a468c58aa414c6cc94e53cfeee960d
SHA256 a0444389f12755af36e760eb7850541e178a6106fe3c68323b3f2d0f3c49a0c6
SHA512 8da100c1e68c67524fded7ecb4fb39797acdb27d192032761024e4cdc262fe25569d98b6a5dd4e53415af6ba1f098be4a0a8fab7ee4fdc116e54535c9764b3f3

C:\Users\Admin\AppData\Local\Temp\z3zae4sd.0.vb

MD5 b78a05f477604354c54265dc1b62133d
SHA1 c20cf1d39988baa72a99521352bb9c11582c5632
SHA256 f9b7510f9e8ac56b3d8cc3960a4dfbab750b32480252451149e0349563dc86d7
SHA512 56d3e7501ae911ef98a75ae945ec1c9a98a9445ba8bf84b94f3bbd1a4b74e391465a4b7f88ee3170011e6a27923ca3a1671e82e6590556e19cc73a865cc89ecb

C:\ProgramData\SystemNT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcCA04.tmp

MD5 24c4112e72e817289e33f7e19ea0e1bc
SHA1 57c9697088bd619f3e7e5b1557ec06ea82fc4a47
SHA256 9d7f0a1ef6835860ca2ff4be9b385726fdcf43e09c93f6907c954debc0dc789a
SHA512 37c5cdb4743a08e0c83a126254ee703e8499de32f77f18a630c5b2fe189cb4c63f22339b761725e97155316895f26b1ed329c0e59054b47a1ecde72ba0fde2c9

C:\Users\Admin\AppData\Local\Temp\RESCA05.tmp

MD5 1ac82516a52140489047f8c0afa08e09
SHA1 84ea3c1a5d9d104730b8f9ebc0a9be254c9861a1
SHA256 d591e5927a22ddf03fc178a6dba141f3dda172add85bb8a9fa646bcab108c5d8
SHA512 da2c28dd79999207b99a721cefa89f51f73e5f663d2bade8599ff8d19e8cd496cca3833984d224b43ec5e19de47e75222a155b5863971723295034e09417c662

C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\hbvi9kqu.cmdline

MD5 4d33a049df5554bef7eb22dc47a35c6c
SHA1 ffcbd105b6e91fc19bc645612e7d729cb73c9442
SHA256 1c5387d1c25ac8ef329bbfb4e4eb1fb01d93fe1e44ad8ef9d82bd46104f0187b
SHA512 da28f32501a9e46fe20ab0acff584acb03712eba8c91951656512c2ce90c57917ca37526c5e978fcd0da4b9b19107ba238e40b549bf5544ab606676a175de809

C:\Users\Admin\AppData\Local\Temp\hbvi9kqu.0.vb

MD5 eea98df6de061dec50605aae66847edd
SHA1 7dad2c743a43266d1c8bb2e1b86b1ef1e12e351f
SHA256 36d938f64e451da3eb2fce840b2b67308d4c5b15627a254f8237d39aaa235e64
SHA512 a0a4c1373eb672110c96f65f55dd9179f426528a0c7070c72b6e5a5d8cb626502bf6763758a8218b75b7f15ad2c32b11ecbe11a5c91777e18d6471fd0d7f0c08

C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcCABF.tmp

MD5 1526e5a0801a8c24f41a107c581b8e5e
SHA1 dc81f351b0fe6a38e0abff33bf2c2fafdb0be9d3
SHA256 4a0f1699ceb533a5ddf2c344290e54e00397883c588398695b5a709bb92f0d67
SHA512 bd9efd7627e6ba3e24585bf3557e7c57054fb68ded9e3597ab4065de3ca8688f9b804fe3efd8c34dfc18b10a994d29575047cbd43599a8e4d3ecbe70dd3eb3e3

C:\Users\Admin\AppData\Local\Temp\RESCAC0.tmp

MD5 25555be18a4092cb3ab31dd8fb894241
SHA1 96849d6f7ec051d53f00cfc15dff8e333561993d
SHA256 530a667dbfef86790a38e880b9db9fc05ceeedfa858c97c89eb9a348e7f3b101
SHA512 dc61d85eb45e77455de1d1a204623e05399ed7492a7adaf8f6256c49245b15081ae08217a9f9bc4b868d3b3863525b1e2d585606ac0fdb7af66093cc0d6f8cc8

C:\Users\Admin\AppData\Local\Temp\6jmm-pwl.cmdline

MD5 9c05f1c51f33c2a33abab75a684f622c
SHA1 63070a71bce64c689373ca5a2e81fbb0845b2c30
SHA256 c3491595cb59c13b7b8eb37aabfd9626e4e587b2ba03dfbb049f5397ac5cd150
SHA512 7d0c9df21e73b466f661f827d1dbb9270fe4ef4e3679d7026de6377bd9c00c9c2c1237697f1705220103c44928a4985d0573a6bbca6caa69012717afa5384b95

C:\Users\Admin\AppData\Local\Temp\6jmm-pwl.0.vb

MD5 d6875fca5e32b7fa0dad9bd8a02367ed
SHA1 104d8f29ae5fc5d3bf4717d3335059f5dcb910a6
SHA256 660dcf00ed2d31994f3e58324e1c249e4e07c682d0987db773bd04424b93d6ca
SHA512 d536a3cfe4ac75e4c5539ccef6a76a785c5f408d794a8ffb0b4715c514a9c845fa43e6d53f282aeadeab8b83723cc1768d36f554666c473591479cc3df0cbab7

C:\ProgramData\SystemNT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\RESCB7B.tmp

MD5 f936965fdf08953e587ddc1dd34a4b26
SHA1 989579311440e5d40bb463fa74a764b8ca520e40
SHA256 b5e4310cdb2ef0e58e6b12fe17a2b7fef4bc283fe9230c0892ec4df4879a1576
SHA512 5348ab9886b9e048551ba7094b161130ce6697388923f271901bffc54840b8ef279af162622d5df83b0a1fa1e53e67e938871e3446757829882a002adec564fe

C:\Users\Admin\AppData\Local\Temp\vbcCB7A.tmp

MD5 e4a17d5e57953299f484f35a866e7355
SHA1 5834131374e27e00721bd61b270a59b17985cd26
SHA256 cf3930d64aa91318acd3fe34135057488cea18f4118cde3be022e9ca9a42877b
SHA512 49db8caeb0747a26dcc92c9dbf97dafc544c00065855e30bababed741367869c97d42389f5d22be5595943adee6c24f64bc45f874a19520bd3a6e732154a65ef

C:\Users\Admin\AppData\Local\Temp\zu8y3dy2.cmdline

MD5 2dd3373f1c3691a5fd99670c5b90a110
SHA1 b5b27751fd1f22038e57ed0a22272d2915c35ed2
SHA256 703c913f64e3df639c8c4abc471a45be67ca7831a67b73a15380459cbf1730be
SHA512 3f0cbb592c671814db5c720509dd7756ed3acc11f9c22d83735170b8912662a04abf31a4a6ce3a6879aac249967b831baeac852752c934a1bad6e93963d13791

C:\Users\Admin\AppData\Local\Temp\zu8y3dy2.0.vb

MD5 b9df787116b3a62078989ff5991f31ad
SHA1 b79c1818d90bfeee20188f16f71d35eaa0247b1c
SHA256 dd30426ab1bc5733aee05fd7e08d446259e21084c1e30e9ef8b0fd7e09593469
SHA512 a495c89812a18de07dbd54c63cbf06ddb4aaac5a218418cbd8f3efd155813384e2340c3dce704a8ea7afdcbed0ca9cf1019598cdf91efadc8da5d8c79f1bc7eb

C:\ProgramData\SystemNT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcCC16.tmp

MD5 7bcafd9585f96a179d17504ab565c513
SHA1 23b6b2afa852a6a6c5fb989ba3367ca7969b3333
SHA256 e7982466e187e1b6cf04dd686f6643f0c5862688871c3f3ca2a9b1fa468d2afb
SHA512 420e1f963761659970669fb43b2ca3ff71a74bfa5e72e53bac0ca2cec40175940ac46dfca4fa77eb54484e364e07a43bfb1f656de8b47d1e3e551b094f14b8ec

C:\Users\Admin\AppData\Local\Temp\RESCC17.tmp

MD5 1616430a0a87c0637cd34880b018dccd
SHA1 649c74844872858ed3efcf48989306190149e490
SHA256 58bba0a561cb0c3184409a257bc812d8de48ea42a09d6c02f780a3489b762aef
SHA512 f05f24d7deee8ac21fdd1589f75e3c851afaa988e01db584d0da6e89be741db12c96e4bf723a2891ce4bca39884c9a16e6c65e5ab830b9ca2c931d6a5eaa0231

C:\Users\Admin\AppData\Local\Temp\hvmskhgw.cmdline

MD5 32b9ca9b8aad32a25492e5e6568d07f9
SHA1 6ac9579607b1c0ecbfc2a258a249e332fd52739f
SHA256 df9a6e9ea69d7ff7d2dd4e93c70fababcb1b5f1e6a38594d2c2740b90166907f
SHA512 f95123e22205a829834ae83bc636fe6a5b1b3d26404ccfca5c9183ba08b730a94b3c31e6882c5ede4d06b084e83dd0b6bcb2d1ed1f5d1569d3ee893ec381dac3

C:\Users\Admin\AppData\Local\Temp\hvmskhgw.0.vb

MD5 67d00c1b8cac0d620187a42ab7e46c55
SHA1 52b95e2bd627fc79ea3b3edf9c79594727313845
SHA256 7b18d0c4fef8625430589b30242eb50946e1adcbc226aaab7091a26a00df8009
SHA512 8c9e78077a9b9da511ffe5881dc2f9c9c01bc086f332ac506cf3f283fcdf74c3750a49d31f0fb25c213cc5411e2dfc9789768ecc3a5335fd220e6d51fea0896c

C:\ProgramData\SystemNT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\RESCCB3.tmp

MD5 23b9e60bcf1f19df292d5d7f4f12827c
SHA1 0e2fae3a470950822b80557a7ee5d81c373c9aa5
SHA256 aec854be7102afa5dea21f677c851773942a385e92e9ff904236b50509248fe7
SHA512 0b002e987317418c79e7a023d4c5f81ad86e3cf6ab46ba5fbd7a3f7f6514e9489777e79f11f66c81591b0906142771263c8d9b5cd9279b6aeb39c49cd86e8704

C:\Users\Admin\AppData\Local\Temp\vbcCCB2.tmp

MD5 d21cdcd6862d555cc501f226d4a8391f
SHA1 2d1c5a5a304ef0d5e3d88e3ac527800926d1377b
SHA256 65efc14b79847907c47ccfda2d58f8e2d9457e061c51817c6f545dfcb7595156
SHA512 9238ff012ac335c5246f928b692d8dd6d6a707caab05110fa8177e2887149a911e7c1c916ae92d6ab7892bb91482a18c54485dc623fcd4c85fb7268f3628b3aa

C:\Users\Admin\AppData\Local\Temp\-oojaews.cmdline

MD5 cafc31f628de5c8ab7b84b59c9ccb904
SHA1 abdc04d02368921d95ee1586a309628ae08dcf15
SHA256 0d2e88530a9b67c8e9f5bb98a1c00496f7ca6ea691e247b8b2c290a708206da9
SHA512 183f15e281e6445efbefa96e8649621b36a94c8f669aff4f4a79b71d345fe99981dd6728831ed00d80913bcf9e86b3b7a9acee772f35556d55dab78baed5b8be

C:\Users\Admin\AppData\Local\Temp\-oojaews.0.vb

MD5 63389d61965aeabd8cd43fca69e0eae5
SHA1 4eb00419039cd61c7e881896a53d0264d821df5d
SHA256 50ea4dc10a0d7d477cb184a4e87996f69e4038ec7101d22450ed9e877d9815ce
SHA512 e8b0b34401f54424064a236c76319b3868973b474c9e91290be1a85030d625512e26f65f8c364f69b65136644c0cc885a6ed3cda1529da245f0d77020f6e08bd

C:\ProgramData\SystemNT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcCD4E.tmp

MD5 fc186dee7c8016a04ad4a550b5d2186a
SHA1 db5a4bd43d03642d363251093084e97689a8e1ed
SHA256 fa4ca83094080b4b31cb7e249e4e1fca5fe1795970e4d53b515c70b55900f88f
SHA512 74977ac24020436420eacb70675bbf610ced397e2a41c22898e899eac736e20714bbe6d5a126124a01f54c123f8402ce783f53fc1c7b82562915c6d26ad093ad

C:\Users\Admin\AppData\Local\Temp\RESCD5F.tmp

MD5 84b1dd37111539560626adc964fc4cad
SHA1 009c5d315e436de16add45c0acf0cd04b248f4fb
SHA256 e21ce35dcd77c00ecc53f05f676608aed6915be1b70ffd3b3b3270145c89e088
SHA512 e7575c72a9ab3052b95458b53135596dd14458c1dba474b6ea5a6e89d9ce6e59b55f42a5b1b4039853a2e47d76584509f8c9af64b4a3722cb85ff1459cb0f303

C:\Users\Admin\AppData\Local\Temp\j2jkdfq0.cmdline

MD5 06c0c07d6d414611fb3d1528f44e53fc
SHA1 b6a3b394fbfd4554c17e29c539420fa812fa0e9a
SHA256 b668712eec278fcf75057a0f305585da331a163f6e28d9f8bbff78e33a36366b
SHA512 0f6713c30b90c56400084778776f19538897ffe597d336ac93afdfb6e152dda23dc1748ce854c5a5aa79a961337059d05ab868b585aaeed7aecd8ef96fcd63e2

C:\Users\Admin\AppData\Local\Temp\j2jkdfq0.0.vb

MD5 1101df69fed8db2c37a716f49a122e1d
SHA1 11e76092a4ddb583c627e72b841a72b9233de410
SHA256 cf2b5eb4201861d8ac0e2fbbb7929d7645ed14d5d4a782fd98990f4368407559
SHA512 5729d804f7c3fc7e3196060816cffccb93647bc5f0691a70928bb51634b49afc0c1baa2535ae6357a69684ad3f69384adf0d0d1dfba3994cc5f8943b6787dcae

C:\ProgramData\SystemNT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcCE0A.tmp

MD5 29df7ae875db3f92a3baa67cfabbf481
SHA1 6cf67b6029dc93c2aea0f9aac6fa653138b4ff06
SHA256 4956d0cf717ceb9f8eaaf049c7424ca23caa35777e3cb053e608ce966ed6b2be
SHA512 a5dc71034931509199a5ea12ca31fa567d243e9b6c94fa2346f26f8acc871c642bf7ea9cce247527b50af14c1286e8cb283211dcf82e5e60e48ae9fe6343fd21

C:\Users\Admin\AppData\Local\Temp\RESCE0B.tmp

MD5 77eb972ecc7552df2be93265a3d6ab55
SHA1 81ded360093b4dc6f3293dfb2e91360c767a8b5d
SHA256 8fe754017c5b70c6443978e885402ddecc3a6a863b0a30107f4c4c478a089155
SHA512 287140ef2ec93047963461bb0f7641c44bbb234ff58d09fbc04bd70592431f9fb63262e7b1e8668d57708aada6d6b0b08aa71437adc7783526a6a1551b13c64d

C:\Users\Admin\AppData\Local\Temp\3xkkhhs0.cmdline

MD5 e1d20351b1f1eeb78ac7881e3940c745
SHA1 f2549da955aeaddeb966656d883fbcdb2075fd83
SHA256 3976b7801c4bf354947f716e31f5a659db2604b5a192c4acabdf12289ac67ee0
SHA512 7eb8e5ea20632eb198c47b47f7fecefd5cf4f98dae21b8f3a82fbc8d0fed78e487be5bb57465b14366875f29c728cbbd771fd67cc042f3ec14ec1b60fc2152b7

C:\Users\Admin\AppData\Local\Temp\3xkkhhs0.0.vb

MD5 cd386bb30efcec58d701b555c523a0f8
SHA1 2252e54de0db8439e71cb4359e6d1cfc13a81a79
SHA256 9fa36b4d8842fdc663fd7c4fe9c0ed5f4906bbcb516d67d8f98515dfad14464d
SHA512 8d7034a7261e7ac5738401eec059103b40567757a068cbd0229ad9e9ebfb5e9a360ef180e19f20986d855e8f5b3ac2e7327b12947a5c00fe9ab0faebb64efd47

C:\ProgramData\SystemNT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

memory/1888-310-0x0000000000330000-0x0000000000370000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

MD5 08b7405b0067a9c129131d5321149fd6
SHA1 bf6eea2a57b4f9141cdf0b915bc688582586a082
SHA256 6e0a79de47349533cdc95befec0b037d401fb4e0e7ac306ee9a519bc16ca7282
SHA512 72aea47914e21519a7ce5f212922681cf96f1437856eab180c6dcbfc382fc2a2a5149cf98b37caddc8bef238589b9b436434e2c8eacfa074ac8a3e32f833d715

memory/1604-374-0x0000000001F20000-0x0000000001F60000-memory.dmp

memory/520-381-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/520-385-0x0000000000390000-0x00000000003D0000-memory.dmp

memory/520-396-0x0000000000390000-0x00000000003D0000-memory.dmp

memory/520-397-0x0000000000390000-0x00000000003D0000-memory.dmp

memory/520-398-0x0000000000390000-0x00000000003D0000-memory.dmp

memory/1252-400-0x0000000001F50000-0x0000000001F90000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-11 10:16

Reported

2023-06-11 10:19

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\net.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Uses the VBS compiler for execution

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 652 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 652 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 652 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 652 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 652 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 652 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 652 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 652 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 652 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4572 wrote to memory of 3700 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4572 wrote to memory of 3700 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4572 wrote to memory of 3700 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4572 wrote to memory of 3700 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4572 wrote to memory of 3700 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4572 wrote to memory of 3700 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4572 wrote to memory of 3700 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4572 wrote to memory of 3700 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4572 wrote to memory of 1016 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 1016 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 1016 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1016 wrote to memory of 4460 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1016 wrote to memory of 4460 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1016 wrote to memory of 4460 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4572 wrote to memory of 3088 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 3088 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 3088 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3088 wrote to memory of 968 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3088 wrote to memory of 968 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3088 wrote to memory of 968 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4572 wrote to memory of 2844 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 2844 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 2844 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2844 wrote to memory of 4688 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2844 wrote to memory of 4688 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2844 wrote to memory of 4688 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4572 wrote to memory of 4376 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 4376 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 4376 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4376 wrote to memory of 4108 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4376 wrote to memory of 4108 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4376 wrote to memory of 4108 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4572 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 1220 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 1220 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 1220 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1220 wrote to memory of 4624 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1220 wrote to memory of 4624 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1220 wrote to memory of 4624 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4572 wrote to memory of 4008 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 4008 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 4008 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4008 wrote to memory of 4792 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4008 wrote to memory of 4792 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4008 wrote to memory of 4792 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4572 wrote to memory of 2444 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 2444 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 2444 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2444 wrote to memory of 2816 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2444 wrote to memory of 2816 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2444 wrote to memory of 2816 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4572 wrote to memory of 1724 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4572 wrote to memory of 1724 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\net.exe

"C:\Users\Admin\AppData\Local\Temp\net.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6r1ovxm6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6919D80234DB474AB5C79A97C14EFFE8.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3afool-y.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB200BD0633C4EB08DA84FC4AC88ACF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pk36-wt_.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A8104EFCBA44865A962DB8FE3F3FAB3.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d3cgn_6r.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDA1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16F046E895A9440D89FDBBC462187465.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xzqhbjsb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD28B7802B0624E58A3D72D86EABECD5.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vddddwio.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2CE63EBA5D5465FAE634DF8E6A22E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkthxosl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc340AD24867954A089BE32ED28028DFF9.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hs-avqcc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA247CF4F1A441B991CE5EBCA8EFE6BE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fhcqndyj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcECC2160640154D14B0A366347FDA5E1F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\flq-qg-n.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF39C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA946759F54F464E83F7F5ACA87F8C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cpr2r_ql.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF457.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EC0BCAF2466441DB7331735A46386.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lrktbxjc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF523.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc634EE2DBB2D04593906122DBCB764F3.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tzxradr-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF60D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66370B11490F47B180418D67B65F1C53.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\apge6__x.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF707.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF14C0D90F8044F279BCFA4929C76EC39.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aw35unae.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB70CFF8F1882439AB6CC65C217966B7.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ia3f64cb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB99F01C6287476BB9752181EB4F1254.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uprcr9do.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD94894D08AE54C7A9B662E54A7839233.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sff4wh0p.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc639EB09D72404972B85A3E778716CDCC.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d3t0g73n.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FF6697C3FDB49E5926A1FC3D92FB21.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckphf8eq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAD6306CC92E4ACC8BBE51313F42D27.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zvf-netn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB8DE92045C64BED99C53F55861989D.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mtwe7izs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1CBF94A86E47A9B27ED04388E686D9.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yhkfhg4z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE661F525BBD44080B8CD49D6E06ED7D.TMP"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.0.551786835\948833888" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81a005c-82e5-43a6-958e-78bd774a3fda} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 1948 17e4a5de758 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.1.1384877136\2072145050" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {730f2685-54da-4c1a-83d7-6af1cc5ca41a} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 2332 17e3d770458 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.2.1591478250\1349933136" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2928 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb274b19-e6ef-425f-bcd1-b7922926ab2a} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3036 17e4e2e8b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.3.2112620240\354475704" -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05ae002f-ed9c-4774-80aa-813d5f26250e} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3676 17e4eb1b658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.4.790106751\856706045" -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 3864 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d15ed87-22ef-4a1e-8a41-7848d9353eb8} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3900 17e4c882658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.7.514899083\1560904029" -childID 6 -isForBrowser -prefsHandle 5420 -prefMapHandle 5424 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f234b5fd-6f85-4984-9af2-72fcd948f978} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5412 17e501db758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.6.1647885532\159104499" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60907f44-ed83-4292-bd64-5870aafe52ff} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5220 17e4f832858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.5.61051262\4605877" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 4992 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc73851c-c7a8-4ff0-b696-771d03fd07c1} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5088 17e4ebdaf58 tab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
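
The process list above is read mechanically in the following added example, which is not part of the report or of any sandbox's own tooling. It tokenizes each command line and flags InstallUtil.exe started without the assembly argument it normally needs (the WriteProcessMemory rows above show that instance, PID 4572, writing into vbc.exe), the vbc.exe /noconfig @*.cmdline and cvtres.exe /OUT:%TEMP% pairs that .NET's runtime code compilation (CodeDOM) leaves behind, the per-minute schtasks entry that points into a user profile, and any executable launched from a user-writable path. The rule names, the five-minute threshold and the choice of sample lines are assumptions of this example; the command lines themselves are copied from the report.

```python
"""Command-line triage for the Processes section of a sandbox report.

Added example, not part of the original report. Each rule encodes one thing a
reviewer notices in the process list: InstallUtil.exe started without the
assembly argument it normally needs, vbc.exe/cvtres.exe compiling out of a
user-writable directory, a per-minute scheduled task pointing into a user
profile, and binaries run from user-writable paths. Rule names and thresholds
are this example's own.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_SCHTASKS_OPTS = ("/sc", "/mo", "/tn", "/tr")


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans as one token."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def image_name(tokens: list[str]) -> str:
    return tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""


def in_user_writable(path: str) -> bool:
    """True for paths under a user profile or ProgramData (no admin rights needed to drop there)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\programdata\\" in p


def parse_schtasks(tokens: list[str]) -> dict[str, str]:
    """Collect the /sc /mo /tn /tr values of a 'schtasks /create' line."""
    opts: dict[str, str] = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in _SCHTASKS_OPTS:
            opts[tok[1:].lower()] = tokens[i + 1]
    return opts


@dataclass
class Finding:
    rule: str
    cmdline: str
    detail: str


def classify(cmdline: str) -> list[Finding]:
    toks = tokenize(cmdline)
    name, args = image_name(toks), toks[1:]
    found: list[Finding] = []
    if name == "installutil.exe" and not args:
        found.append(Finding("installutil_no_assembly", cmdline,
                             "InstallUtil.exe without an assembly path only prints usage; "
                             "a long-lived instance is hosting something else"))
    if name == "vbc.exe" and any(a.lower() == "/noconfig" for a in args):
        rsp = [a.lstrip("@").strip('"') for a in args if a.startswith("@")]
        if rsp and in_user_writable(rsp[0]):
            found.append(Finding("runtime_vb_compile", cmdline, f"response file {rsp[0]}"))
    if name == "cvtres.exe":
        outs = [a.split(":", 1)[1] for a in args if a.upper().startswith("/OUT:")]
        if outs and in_user_writable(outs[0]):
            found.append(Finding("runtime_resource_link", cmdline, f"output {outs[0]}"))
    if name in ("schtasks", "schtasks.exe") and any(a.lower() == "/create" for a in args):
        o = parse_schtasks(toks)
        every = int(o["mo"]) if o.get("sc", "").lower() == "minute" and o.get("mo", "").isdigit() else None
        if every is not None and every <= 5 and in_user_writable(o.get("tr", "")):
            found.append(Finding("minute_task_user_path", cmdline,
                                 f"task {o.get('tn')!r} every {every} min runs {o['tr']}"))
    elif name.endswith(".exe") and in_user_writable(toks[0]):
        found.append(Finding("exe_from_user_writable", cmdline, toks[0]))
    return found


# Copied from the Processes section of the report (one representative of the
# repeated vbc.exe/cvtres.exe pair is enough to show the pattern).
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\net.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6r1ovxm6.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6919D80234DB474AB5C79A97C14EFFE8.TMP"',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"',
    r'schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
]


def triage(cmdlines: list[str] = REPORT_CMDLINES) -> dict[str, list[Finding]]:
    """Group findings by rule so a repeated compile chain collapses to one entry per rule."""
    hits: dict[str, list[Finding]] = {}
    for c in cmdlines:
        for f in classify(c):
            hits.setdefault(f.rule, []).append(f)
    return hits


if __name__ == "__main__":
    for rule, findings in triage().items():
        print(f"{rule} ({len(findings)})")
        for f in findings:
            print("   ", f.detail)
```

Run as a script it prints one group per rule. The many vbc.exe and cvtres.exe pairs that fill the Processes section collapse into two rules, which is the useful reading of that list: the volume comes from one compile loop, not from many distinct behaviours. Firefox and the other signed system binaries started from Program Files or Windows produce no finding.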

Network

Country Destination Domain Proto
US 52.242.101.226:443 N/A tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 209.25.141.181:28050 N/A tcp
US 8.8.8.8:53 181.141.25.209.in-addr.arpa udp
US 52.242.101.226:443 N/A tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 126.155.241.8.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.89.179.10:443 N/A tcp
US 209.25.141.181:28050 N/A tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 13.107.4.50:80 N/A tcp
US 13.107.4.50:80 N/A tcp
US 209.25.141.181:28050 N/A tcp
US 8.8.8.8:53 assets.msn.com udp
GB 95.101.143.155:443 assets.msn.com tcp
US 8.8.8.8:53 155.143.101.95.in-addr.arpa udp
N/A 127.0.0.1:50102 N/A tcp
N/A 127.0.0.1:50108 N/A tcp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 44.227.219.172:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.65.55:443 autopush.prod.mozaws.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 239.237.117.34.in-addr.arpa udp
US 8.8.8.8:53 221.5.120.34.in-addr.arpa udp
US 8.8.8.8:53 209.100.149.34.in-addr.arpa udp
US 8.8.8.8:53 55.65.117.34.in-addr.arpa udp
US 8.8.8.8:53 172.219.227.44.in-addr.arpa udp
US 8.8.8.8:53 191.144.160.34.in-addr.arpa udp
US 8.8.8.8:53 37.158.120.34.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
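
The network table is triaged in the following added example, which again is not part of the report. It parses rows in the table's Country Destination Domain Proto layout, decodes the in-addr.arpa queries back to the addresses the sandbox reverse-resolved and joins them onto the TCP destinations, sets aside the Mozilla and MSN traffic that Firefox generates on its own, and leaves the bare-IP connections. The vendor suffix list is an assumption drawn from the names in this report, not a vetted allowlist, and the report itself does not say what 209.25.141.181:28050 is; the code only reports it as the one destination nothing else in the table accounts for. The sample rows are copied from the table.

```python
"""Network-table triage for a sandbox report.

Added example, not part of the original report. It parses rows in the
report's "Country Destination Domain Proto" layout, folds away the DNS and
browser/OS background traffic, and leaves the connections an analyst still has
to explain. The vendor suffix list is this example's own assumption (the Mozilla
and MSN names that appear in this report, not a vetted allowlist); the sample
rows are copied from the Network section.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

VENDOR_SUFFIXES = (".mozilla.com", ".mozilla.net", ".mozaws.net", ".mozgcp.net", ".msn.com")


@dataclass(frozen=True)
class Conn:
    country: str
    host: str
    port: int
    domain: str | None
    proto: str


def parse_row(line: str) -> Conn:
    """Parse one table row; the Domain cell is absent (or N/A) for bare IP connections."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, "N/A"
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return Conn(country, host, int(port), None if domain == "N/A" else domain, proto.lower())


def ptr_to_ip(name: str) -> str | None:
    """'181.141.25.209.in-addr.arpa' -> '209.25.141.181'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(c: Conn) -> str:
    if c.host == "127.0.0.1":
        return "loopback"
    if c.proto == "udp" and c.port == 53:
        return "ptr_lookup" if c.domain and ptr_to_ip(c.domain) else "dns_query"
    if c.domain and c.domain.endswith(VENDOR_SUFFIXES):
        return "vendor_background"
    if c.proto == "tcp" and c.port in (80, 443):
        return "unresolved_web"   # needs the HTTP Host / TLS SNI, which this table does not carry
    return "unattributed"         # bare IP, non-web port: explain these first


def triage(rows: list[str]) -> dict[str, object]:
    conns = [parse_row(r) for r in rows]
    by_class: dict[str, list[Conn]] = {}
    for c in conns:
        by_class.setdefault(classify(c), []).append(c)
    tcp_hosts = {c.host for c in conns if c.proto == "tcp"}
    # The sandbox reverse-resolves addresses the guest talked to, so joining the
    # PTR queries back onto the TCP destinations shows which peers it asked about.
    ptr_hits = {ptr_to_ip(c.domain) for c in by_class.get("ptr_lookup", []) if c.domain}
    return {
        "unattributed": dict(Counter(f"{c.host}:{c.port}" for c in by_class.get("unattributed", []))),
        "unresolved_web": sorted({f"{c.host}:{c.port}" for c in by_class.get("unresolved_web", [])}),
        "vendor_background": sorted({c.domain for c in by_class.get("vendor_background", []) if c.domain}),
        "ptr_for_connected": sorted(ptr_hits & tcp_hosts),
    }


# Copied from the Network section of the report (a subset; the full table repeats these shapes).
REPORT_ROWS = [
    "US 52.242.101.226:443 tcp",
    "US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp",
    "US 209.25.141.181:28050 tcp",
    "US 8.8.8.8:53 181.141.25.209.in-addr.arpa udp",
    "US 13.89.179.10:443 tcp",
    "US 209.25.141.181:28050 tcp",
    "US 13.107.4.50:80 tcp",
    "US 209.25.141.181:28050 tcp",
    "US 8.8.8.8:53 assets.msn.com udp",
    "GB 95.101.143.155:443 assets.msn.com tcp",
    "US 8.8.8.8:53 155.143.101.95.in-addr.arpa udp",
    "N/A 127.0.0.1:50102 tcp",
    "US 8.8.8.8:53 contile.services.mozilla.com udp",
    "US 34.117.237.239:443 contile.services.mozilla.com tcp",
    "US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp",
]


if __name__ == "__main__":
    for key, value in triage(REPORT_ROWS).items():
        print(f"{key}: {value}")
```

The unresolved_web bucket (port 80 or 443 to a bare IP) is deliberately kept apart from unattributed: without the HTTP Host header or TLS SNI, which this table does not carry, those rows cannot be attributed from the report alone, whereas a repeated TCP session to a non-web port with no name behind it is the row to pivot on first.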

Files

memory/652-133-0x0000000000A70000-0x0000000000A80000-memory.dmp

memory/4572-135-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4572-137-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3700-138-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fgZblRvZ.txt

MD5 1ca6f544faeeb4b277d9658f501db01a
SHA1 acd0de8a3e631fe60cbf6225eb1b3bba1af7c89e
SHA256 9d02e4e94fe75f14c583d1ac7c986f907d25c1bb0f6806f258e3262dc0642b28
SHA512 7903d20a8d326b6b44d986c4e19e03d01cb5ff43e67b9627cd3e412f7cddd5635137fd08f5a2e8b532a293050ededf6c080a625aa0753fb8662d4e1ac1704e6f

memory/4572-141-0x0000000001490000-0x00000000014A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6r1ovxm6.cmdline

MD5 69bba8e4e58546b0dd00f26027fd7e3f
SHA1 d3b5f8619275383d930632db56bde7b106a6939c
SHA256 de4c9c5d53206c22427fb171bcce78012291577b3fb53e2031e13ff57014d1b4
SHA512 504d4eeae284fa1b67ed12c9e512882eca1ddcb9c8f2b32e32320ac4fee3988c56de245779846d9ebb839b0ba944df0a51444a6995258aacdee245d0018050d2

C:\Users\Admin\AppData\Local\Temp\6r1ovxm6.0.vb

MD5 11ba696d2de18ef571a881e83a386e0d
SHA1 d5a8aab53b9ce9208feeb435c999710e6f25c748
SHA256 d419a15f2fe0a10547879916cc5fe085dd7e197a43f678ee21e9446c07d119d0
SHA512 8b05581a68528f1a9bdccf80a8151ded5676b979075fb230d2eca785dbc3dd1b0a5477414108b2254494bd4159efd03d21106787e7810e6d3c9e6906d7d46a2a

memory/1016-150-0x0000000000680000-0x0000000000690000-memory.dmp

C:\ProgramData\SystemNT\DumpStack.log.ico

MD5 9430abf1376e53c0e5cf57b89725e992
SHA1 87d11177ee1baa392c6cca84cf4930074ad535c5
SHA256 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381
SHA512 dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

C:\Users\Admin\AppData\Local\Temp\vbc6919D80234DB474AB5C79A97C14EFFE8.TMP

MD5 78297fe78d3177878f8735f78038b83e
SHA1 d851dd31c90ecb578cd3133e84a78636b67328ea
SHA256 c813e24ca351531f1a258f91e628d752bd9571f4b23607436b2989c353ea6b80
SHA512 d25049f4b7ec9228d03e5fbe756afc2dbaefdced36341132c5a346dd224cc9a253109bfaee355c5f5a08fe085e4ef2f1f4cd7f730d3706b07ec425d41a1afe6c

C:\Users\Admin\AppData\Local\Temp\RESEA16.tmp

MD5 747d44cd89ce2451fd5a3fce0685e105
SHA1 16328f16dce198d24b80be0f67c05eb52a5adb0e
SHA256 6658968272a08da6880f667e19b33bcfd8ddc015ac2d6b740f45efc52c008147
SHA512 324ab5393504d96144bb44148fbbc29ec92fc9272b45cd5d22016c53faae46718410fbb95e640229c93b1875f60be8d23448252e83635e61bebbadb3e39bdde1

C:\Users\Admin\AppData\Local\Temp\3afool-y.cmdline

MD5 083c740fa4d91f288e3c4b05d57a1a51
SHA1 1e0599bf4ed005f2a0f5297db8c9d9c1df1b7b78
SHA256 e00aaeb13b5fae31dbcfd9a630f4e26eaa8d9a77f72e92133a8527d9a34fd6ff
SHA512 36b4bfd6ceae924194dd4fbbfa38754263e03ecee52b1dda9f9039a149135f45526687f87f818bbc13debb34a4d008464464894a52828c692d0039205a7e9673

C:\Users\Admin\AppData\Local\Temp\3afool-y.0.vb

MD5 334a368ac8099dc7e5f5dee3db3e0b64
SHA1 ad0f9d9c34d6b7bbee7532b4dec34ad12cdfe237
SHA256 ae2d531d9f2bf164b4266daebfe68ab290007cdad1537162392fe9b5a35dab7a
SHA512 8048a6b1035e0b0e1f3a76247f88257860c78c1c3c58f1acaa311468c6b37d29e0b725aae9b056449eca3068bb6d5f91c10864bc3f44338af19350bf6921a0ed

C:\ProgramData\SystemNT\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcDB200BD0633C4EB08DA84FC4AC88ACF.TMP

MD5 a5a554c5b5dd73991db5d85a0a632295
SHA1 e2700125b8e939008153fe8ac86aaad92cbab87e
SHA256 61a28ab598cff4eb06878f07c12cf50025922aad00647445ff7414234ac74d78
SHA512 f4b9ef8f87b7be635490afd253be8ddb5f38a9613562687731c4d125909ee62d1ba591ade6c5ea057fa8a124d6a58c5f3605a2610223773ffc15f8761f00791d

C:\Users\Admin\AppData\Local\Temp\RESEB7E.tmp

MD5 6d922933d92b235b2f43c01151c0571c
SHA1 c96ed485a944591b95f9ea1729b78413049c3757
SHA256 a0fe4f3d8e05f31dbbaccc5e4a72949fcb33d7ceedad68fd8f54c3af1a706a4c
SHA512 2f3bea369222d2d0ec95c2973658f2ed59ee3f80c46d8ca1ae771694884861f107d258a760d56ca22beb78b628047e08a0a6b21f81d2ce1e07d96ead6197cbf9

C:\Users\Admin\AppData\Local\Temp\pk36-wt_.cmdline

MD5 496dd0cdd67be0dfbcc2880156dd78d3
SHA1 6d750be2ff51fd4989dce2b5951fc06d90495e0d
SHA256 3900b472d5b0f96f2a6fa40ab331f4667cdc762a991894725998025194ee65e0
SHA512 1b29c11b638cd13ae9ddb93ce1d13c9bd0c5ef5ca6bfb24c52bf4ebabec0e82ca8a69c5e6e85be92fd8a5c8857230cf10c48e3762521e5d703a47de406a4c362

C:\Users\Admin\AppData\Local\Temp\pk36-wt_.0.vb

MD5 ce03c49cad8d410b9dc835cb29e3df66
SHA1 74e982f2f862e440f005692af19d37e13ed23ed8
SHA256 affae47eeff482f74837ce0259daa0e6aa5d54f6f5e2fe69cec0d21d0f1b8ac7
SHA512 a3c13f3b2e1929b462a85d98880511403368f05ddae5f2240e50b2650d8e87e5f43575c39348aa041200571d5d3788c7337bcaafd3aa56253c72be8c139a6f9e

C:\ProgramData\SystemNT\vcredist2010_x64.log.ico

MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

C:\Users\Admin\AppData\Local\Temp\vbc3A8104EFCBA44865A962DB8FE3F3FAB3.TMP

MD5 88ca12c6fea4f1a52d73519f2e021a33
SHA1 0881c066289f3c6a30102e0d6c99b00dea015fdd
SHA256 2c1b80b970b934d4e3e8f49f8757658fc69cd87b6b55060abc2293c62e762593
SHA512 5a862cb26963e2d322e257591a7abe97146e9164cda6b9ffc9d52d9d0a4e386a573e782663610368d74ec90c5c0b9a2b61ac1adcc86589747d858dbe1947db6c

C:\Users\Admin\AppData\Local\Temp\RESECC6.tmp

MD5 30f3812b6623f24a2b7c60703b1574db
SHA1 56dfe18239c357489459c4724f185699dd283835
SHA256 2f9b425b183790df471ebb367d226f54e4e990230710bea3330a77d0c44ba63a
SHA512 8171268ac9284491af7213f8b5f0d95252a694a50aa7de8defb568a0356a0b1aa5c0d4ea4b43212837253470741ab761c0b1fc55b40640d4e2b77bbe0a52b908

C:\Users\Admin\AppData\Local\Temp\d3cgn_6r.cmdline

MD5 7c7c806ea89f2cd12c761ae3363ccab3
SHA1 ff0c86ddabb9a6a1d20aa38dcc6633a29b4b17f9
SHA256 0e078556e5f8ea56e7130e3db19f43cbeb906e49a73eaa117631e6aed531ecec
SHA512 27d45d3601fd106ecd82e291758ee9e965dc295deeebce7c3505bfa018989208301bc37fae7e9e81a44d94e75c46d5a95be72c031019e7135e791e239c7feb93

C:\Users\Admin\AppData\Local\Temp\d3cgn_6r.0.vb

MD5 313b65b69b3b2d5ce734629d00a11dab
SHA1 2ec198a69d4d819d6bc0d6008f222897f460b5f6
SHA256 31524c71683b1c8552c405466548f2adf4532482550d3b826132ef11be2bf7d9
SHA512 08eea12cdfef0a8e1b6694433c429732e3ed31ffb4d4f62621061bde271e77d3cb8c560b654b72a2afe45854b56ca09e425f368d2ac59e6a5bd939129ad43e6d

C:\ProgramData\SystemNT\vcredist2010_x86.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

memory/4376-200-0x00000000023A0000-0x00000000023B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc16F046E895A9440D89FDBBC462187465.TMP

MD5 735cac310b46e81dd76559efbf57c36c
SHA1 cd154ed7e55069e229f74764d4edf3e902098f72
SHA256 ac0635335cc4ec2be338a6f5d93cf3cf1b467da20890c55dd37dcfe3aa436507
SHA512 2c50e4fce1e9b6e89b301d662707376268a6de08e51068be36eed144e1544f37a6dd6d0a1af8b63e28687ae56d1b48fca7139eb6118a90f22800d5aa3e2a3f38

C:\Users\Admin\AppData\Local\Temp\RESEDA1.tmp

MD5 cb01984a0705342585fd75269d4856e7
SHA1 05e016c65abcb92e6e0b3cf1995842e76efaa26c
SHA256 94c4e00013eb9e7732a3813964becce231a75040fa9e2638c9f5912bfb48fd3a
SHA512 9ce182a806c10af6b51be356652f484172122228eddaba901f3cd67fc23e0f56aedad1381d4b3bcdd9fbfcef76c32c4e9ee13ad6218755ae3eaf68d86b5c3022

C:\Users\Admin\AppData\Local\Temp\vddddwio.cmdline

MD5 1eb45fcb7d99d3731330400ce732cc31
SHA1 f729b538467c473af9e9cf38efe4863b19d664e5
SHA256 e70790df23ffa46ea1badc473d61e220d8797dcfe7d28e62215e7157da23d724
SHA512 5dda24e988512adaee0e89e70e7f6c9ffcb819a2ee2ec9d41d82bf7fe983e166041741d22547630870bd2ad91d78322c01e65bb8353b46a26d86506490049226

C:\Users\Admin\AppData\Local\Temp\vddddwio.0.vb

MD5 a4866a83e9455c509fc43ca26f4c3685
SHA1 2a1cf8a4d4d625669f57c15f58c0b1eb38d6a6c7
SHA256 d06ba272ccc9a2d33c3db7fcf69577c0eb001f89de7b1a35c56c34f50ee7c04e
SHA512 f241b6ba5a2cae67f0f9cde0931b4af008a858fc2384f671cd2e413b993d230907a9259a9745b83975d443ecc4387eb67c5cce487f1ae9005c84adcba0844142

C:\ProgramData\SystemNT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcC2CE63EBA5D5465FAE634DF8E6A22E.TMP

MD5 e4b883dd4d785498e0f90f23fbe6849d
SHA1 e063f631396fe5388e12924672baf46fa62a74b3
SHA256 38d83ead2c7ad6a7df0e9ff4331268c7d4ba291b1808f65ba78c9a778683d26c
SHA512 45cb3fa35d3790aa289688300e88327a2aaa3b7734ccce00af994e0a5df0d710cd03c2ccba6c2b7eb5b358b65c32d94bccba9870fea03e81497b9b277c12217a

C:\Users\Admin\AppData\Local\Temp\RESEFC4.tmp

MD5 c547304961e36a90872de95f08d3aa12
SHA1 2025995bc9be6cd49123acd6fe1e3ff4cd89cebd
SHA256 fa83632e6d66749ae64865378a079b204d861c87a53924d0743a9d643f82c71d
SHA512 c5875bb68eb650a0cae2dc3ad8a667a37eda1244b7c2a1fe54e7a5cecfc72336d317af558a3a7d91c87a3fd2a226f1c84770e2c98790d8c0f5845ab962b96c96

C:\Users\Admin\AppData\Local\Temp\kkthxosl.cmdline

MD5 a756bb936c8b2c0894e7881be067ec39
SHA1 415f316cfb47f21befcc750b73e37fd2ea35dd37
SHA256 331e545cf47525db649e98b14bf7e64b4b3c166702211f82765666cca504040d
SHA512 d29f7099d234dade7dc365718725106d5ae7101c8283133289598ff5a9097881df8d425357af4073e7a26fee7ed61910a0c85ddb2d99bd0c0afb738e58e26003

C:\Users\Admin\AppData\Local\Temp\kkthxosl.0.vb

MD5 b78a05f477604354c54265dc1b62133d
SHA1 c20cf1d39988baa72a99521352bb9c11582c5632
SHA256 f9b7510f9e8ac56b3d8cc3960a4dfbab750b32480252451149e0349563dc86d7
SHA512 56d3e7501ae911ef98a75ae945ec1c9a98a9445ba8bf84b94f3bbd1a4b74e391465a4b7f88ee3170011e6a27923ca3a1671e82e6590556e19cc73a865cc89ecb

C:\ProgramData\SystemNT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc340AD24867954A089BE32ED28028DFF9.TMP

MD5 49c05f046baf13798f18cd5261b36d6b
SHA1 5990cb03d3c1bec820578d1b93d05a5e57e5e348
SHA256 ab33bf21c5fa41f176c51d2f7416eed15c995b9203209658a9234cb09dbc36f7
SHA512 d791d69f4be0e24d1668374e91e6e377794617a4a12493aeab6913f19e7342e9802c805fdcb76aacb046c1e986b868ee8c9bab190b3061464cff82c90817926a

C:\Users\Admin\AppData\Local\Temp\RESF0CD.tmp

MD5 8bbdff6051a67fb77d8c590d6f8364a2
SHA1 8f1001f8e4bb35c7aafc12336481ecd860159629
SHA256 bd9830a4685d9c58445e39f887a5ea58d0437ef01eb09b09865f82ffe3887d66
SHA512 1ca2f8146cb4641f0c0b5825bca0d2e4fbc5dcc28ea2fe1907d0219d0fb5f06a100fecc26c66aca029eb262d48af15bf481a9f813d3bfb2b0cff4e3e602e39a8

C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\hs-avqcc.cmdline

MD5 767d93e30b300bd43690d04c198b38a5
SHA1 4b868e3abdf44f538a2c942420a5945995d6ed4d
SHA256 10cdfab96a21662001a4f151e8a632230ba33d8598c222b757be92a546cb1b99
SHA512 16a35d67482346e50b9bef5efc6f9ab7ad78a1a98c68a2e0f66d8e29f505c37062c2e291b9ecde2640bb3edbae0f3de6c4dd4b1ab47df2dcd28d287ffb11e087

C:\Users\Admin\AppData\Local\Temp\hs-avqcc.0.vb

MD5 eea98df6de061dec50605aae66847edd
SHA1 7dad2c743a43266d1c8bb2e1b86b1ef1e12e351f
SHA256 36d938f64e451da3eb2fce840b2b67308d4c5b15627a254f8237d39aaa235e64
SHA512 a0a4c1373eb672110c96f65f55dd9179f426528a0c7070c72b6e5a5d8cb626502bf6763758a8218b75b7f15ad2c32b11ecbe11a5c91777e18d6471fd0d7f0c08

memory/2444-249-0x0000000000B10000-0x0000000000B20000-memory.dmp

C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcAA247CF4F1A441B991CE5EBCA8EFE6BE.TMP

MD5 6159ce48ff5c2ff961b49e995f2f44db
SHA1 115b5f216ad32e59975514e28227341d6e3ac2c8
SHA256 c8ef43399262a7c2de3b923f046fd2d9a3ee3b263c4c4c4675cbdb35a0d336e5
SHA512 83c5213ad18abcd4cabb38425f6f3c9fd046e1e2b962a854289f02af4b9ef5711975698e3fb99cb400fe37154e6c5d09b8523e8ffcc7ab7d7d60cc2a3b04a037

C:\Users\Admin\AppData\Local\Temp\RESF1B8.tmp

MD5 b4866916a9cefc44d7b56d04b4bebe01
SHA1 966253518a60601c2b4d3fca31ccb5703ed8e77c
SHA256 37e3a8a714eedefe9c15a0bc625d7896763f676c7ae03c61bfa55a6e282ec298
SHA512 0de4f6fc3dd9d0e8de3dfa3f603436369230d7ef374ac9ab170d67150ab03d4974f6e9336fd16ca08ddfce313b8180efc5d696f7045596f77a7791606850fd1d

C:\Users\Admin\AppData\Local\Temp\fhcqndyj.cmdline

MD5 830082b0e0fbe2814475ea4f1be46eb3
SHA1 8306c6ed6e1ebd62a26ba06924b172501390ea1f
SHA256 c5287d5a8a2ddd60e675ef98ce393664e8c7c052fcb75239b5c296d73553b111
SHA512 16c7803c6f1e3a5e5d82b439f943b7408f3495eebb4d8047b35ac9b1f491c6f63980d695e5eaf9298e5cbb6490ac367d65c0335ecaff4c92aa79738054ee4753

C:\Users\Admin\AppData\Local\Temp\fhcqndyj.0.vb

MD5 d6875fca5e32b7fa0dad9bd8a02367ed
SHA1 104d8f29ae5fc5d3bf4717d3335059f5dcb910a6
SHA256 660dcf00ed2d31994f3e58324e1c249e4e07c682d0987db773bd04424b93d6ca
SHA512 d536a3cfe4ac75e4c5539ccef6a76a785c5f408d794a8ffb0b4715c514a9c845fa43e6d53f282aeadeab8b83723cc1768d36f554666c473591479cc3df0cbab7

C:\ProgramData\SystemNT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcECC2160640154D14B0A366347FDA5E1F.TMP

MD5 38e8ce404baab1314da2abf560791b2c
SHA1 2c62bb091bb50d78e5a0334e8eaf8b0d94d90954
SHA256 aeda2aff222278ae58a6ce1c9b4966b8c3dac9cfa26b28221ac3f6957a327336
SHA512 bc86075302fdf232cc28a9fb77db15aa3f649b2aa2fdba39ca362addf9d057c213dc8c0850e21e3ca01bcc7153bac92cf4046f54ee909d79da9e1ca912b86780

C:\Users\Admin\AppData\Local\Temp\RESF2B2.tmp

MD5 2a1021c8851c235faec4003bd73d06fd
SHA1 c92d8a622b7867aa75fa903c136e1238e32249d8
SHA256 d2002ebf1bfd6d827984ea3d0f82b1512cf7b36a6a21876985cf6a7a0d8f8842
SHA512 3ecff0e2eea5a8956712b05adeab57510a0c09e07365ab51532ff2440552517a9aefd8691bed882acbdf2fdf20f7c2c512d0825bda4883a1f8ad988bd17fe29a

C:\Users\Admin\AppData\Local\Temp\flq-qg-n.cmdline

MD5 7774e198e7a3713a1236653c62be96f9
SHA1 8d98632b37d79777dc8718915b46f58328d18bca
SHA256 58937c35d180b05a5deb3aad4776ebc828ce10e0482d89548839ae82f9367f77
SHA512 38ef663226b9dbc9074cfe93c00495145b1eed746cd2827ef7ce3cca314dcf84471114d999ca1e96d67fa6fd4fb37452cd3af9e4ac7cf3ec0b38090550741ab9

C:\Users\Admin\AppData\Local\Temp\flq-qg-n.0.vb

MD5 b9df787116b3a62078989ff5991f31ad
SHA1 b79c1818d90bfeee20188f16f71d35eaa0247b1c
SHA256 dd30426ab1bc5733aee05fd7e08d446259e21084c1e30e9ef8b0fd7e09593469
SHA512 a495c89812a18de07dbd54c63cbf06ddb4aaac5a218418cbd8f3efd155813384e2340c3dce704a8ea7afdcbed0ca9cf1019598cdf91efadc8da5d8c79f1bc7eb

C:\ProgramData\SystemNT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcBA946759F54F464E83F7F5ACA87F8C.TMP

MD5 6b53d240f35dc86058a1dc5c6b7f23f3
SHA1 59e7d2d31605bc3be522149e4c4a2051666d6af5
SHA256 c5031dc2d2ae844c6aa01b5b8e759c52fcd5611757aff6617d2d900576cc3943
SHA512 24f123d6d4f37dcc2f19505124b1e97b4d2bd484bb89ccdfa84e383ad4bdbbd86cb312f7c30f79017e698d761646a36a292db4a5b42f3b276ba9388e1266a1d6

C:\Users\Admin\AppData\Local\Temp\RESF39C.tmp

MD5 2385771932355db46be22f66aa061256
SHA1 31d4c0cc8c3736ac8867d0543151ebad5fe5b5ef
SHA256 b60224829e4632426edad6bf6f65bdac810261cd7129134d019c5f6ba853fd0c
SHA512 cac799fe80f3362429b2802b0324a4a1dd5195bbf7f64f0da66902ad1f33b395f2e5c9909932bd23e2a6606c8560cda9108ecce7bbbafa0ffe940301fc6c9823

C:\Users\Admin\AppData\Local\Temp\cpr2r_ql.cmdline

MD5 206f229d1ce69439bea18e3603ac8330
SHA1 790b51cee8ec9f61e862d8b75fba056f221bd429
SHA256 fe4d5f25d88d479290cc4c6274292bcab5ae184f428567829e24b767ae10be2d
SHA512 0a6eb3ae413cc165d44954c88c26fa6706027c8837669091de58c7f284f397948956eef668e7a2d3d6fad03f7a01a474659c62ab343097227b7baccbffd1e89c

C:\ProgramData\SystemNT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\cpr2r_ql.0.vb

MD5 67d00c1b8cac0d620187a42ab7e46c55
SHA1 52b95e2bd627fc79ea3b3edf9c79594727313845
SHA256 7b18d0c4fef8625430589b30242eb50946e1adcbc226aaab7091a26a00df8009
SHA512 8c9e78077a9b9da511ffe5881dc2f9c9c01bc086f332ac506cf3f283fcdf74c3750a49d31f0fb25c213cc5411e2dfc9789768ecc3a5335fd220e6d51fea0896c

C:\Users\Admin\AppData\Local\Temp\vbc2EC0BCAF2466441DB7331735A46386.TMP

MD5 a58a5709041b8e53a718d434addb4734
SHA1 290419e587511fdba7f7e9a17e7fca191cbc690c
SHA256 cc2fe003bdd72233f92f00bed3d5bf67b5a215cf9ba10c8ac1fe3b2c923f6576
SHA512 108bcfe0ee57545b709ea4fb594b95d4954d8bffab4c35d8bdf6ce9e698044e043ef566a51dc5d17bd5dd4fc4a58af4810b17ac463ca151c2bf3408f9eb64f42

C:\Users\Admin\AppData\Local\Temp\RESF457.tmp

MD5 7f51fabd2731ef75b9ace13b89d48448
SHA1 158d4365fba047d2448e4b069a0376ab0788a4e5
SHA256 d1f4185b447060fdea88b13b06140fcde004b486b10d57c585553ff2bcb6a5ce
SHA512 dad760caac9c5fb94b2d9ef9b5dff0a9ca0207125d6f28cd7de9496a211a5ac2b3fb68d89ce3d0d8dad1cd7e8f399ba47cef112ddd11e5e4e15a78b70fc46956

C:\Users\Admin\AppData\Local\Temp\lrktbxjc.cmdline

MD5 5e8bb1b3238b0075ccf7f7eef1f9617d
SHA1 e039ff864b2060e13bfd36899fd0a9d8ace7521b
SHA256 ecb82623564d46b4f5f19bfe2c0196ba074d2039535896a7b525489521913df4
SHA512 da523cfeef7e6cee37c7210730f480d178a55da87dfa9eaddb02202430418c0362ad67629c9471bb76f64f0addce3d3885bf8d6b2ecd01fc14df50fa92283a42

C:\Users\Admin\AppData\Local\Temp\lrktbxjc.0.vb

MD5 63389d61965aeabd8cd43fca69e0eae5
SHA1 4eb00419039cd61c7e881896a53d0264d821df5d
SHA256 50ea4dc10a0d7d477cb184a4e87996f69e4038ec7101d22450ed9e877d9815ce
SHA512 e8b0b34401f54424064a236c76319b3868973b474c9e91290be1a85030d625512e26f65f8c364f69b65136644c0cc885a6ed3cda1529da245f0d77020f6e08bd

C:\ProgramData\SystemNT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc634EE2DBB2D04593906122DBCB764F3.TMP

MD5 9208e5f33bf4c38eb9c33fa5bec4923c
SHA1 b92b4111fcde436f2a0b9ed67a6b8c5dececcfa4
SHA256 a20f727dae11e50f11ebf5a99c01e3b36ad74afa2f6bffd16a2ca5c29523a471
SHA512 ed53d3afd2305be3df199ffa3560a777cd74e1f0b257f78a3812613dc773eb3f2191254191dfe59edf687cfe7dc5ed3d0942fb9c6f40d47df2252082a10a8d34

C:\Users\Admin\AppData\Local\Temp\RESF523.tmp

MD5 aa0541fcff59d1e3f3f1be4bf12dbe92
SHA1 6ae95a8ba96119c333b5d7b48df6d1fa4f855a21
SHA256 e44986ebdd5e970bf7e8a8d688b94d5f1ba58b99b11014c35a2b8f22b0be545e
SHA512 7d54a085a5e0b654f1fc36d6773337ee2c7103bba2ed7816780746172617a2ee922c3e0eaff53afc20793fcc5514d4fdb3c237eae7b9c853bdd4c28a88d90f71

C:\Users\Admin\AppData\Local\Temp\tzxradr-.cmdline

MD5 c9774066bd500a5000aa2bdfef98abbb
SHA1 aae712e98383b19e7078118b14ef03f0cc78acb3
SHA256 d851eb1bbc835313cb795cf997747ad9e7164eaa84e067519b44431bc017d8d7
SHA512 c9ddd661e9b0932a49763ab7f8626d1bb73226849a617f412d9a7e1e798b89a2353e3600036fc86c6963929104c9d1ab94442d308f66d0f01653c865d8b33037

C:\Users\Admin\AppData\Local\Temp\tzxradr-.0.vb

MD5 1101df69fed8db2c37a716f49a122e1d
SHA1 11e76092a4ddb583c627e72b841a72b9233de410
SHA256 cf2b5eb4201861d8ac0e2fbbb7929d7645ed14d5d4a782fd98990f4368407559
SHA512 5729d804f7c3fc7e3196060816cffccb93647bc5f0691a70928bb51634b49afc0c1baa2535ae6357a69684ad3f69384adf0d0d1dfba3994cc5f8943b6787dcae

C:\ProgramData\SystemNT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc66370B11490F47B180418D67B65F1C53.TMP

MD5 9f0a1660026172ed3de0c8ce27d29c4d
SHA1 e8b73b82aca9d898fefab5aa9dcddd71d488a05a
SHA256 8ac529b54eaa493e4295029c9f0e13a2d8077f356bcaadac3a9220e7e8a9514b
SHA512 852bc394c7b2438b7782c59c50d4b50bfddc0aeaa4f4617b652ba66928011ddf3d743ffa88eb283d6b319b51ab44be21f969d3faaa24970a7eede265a7365ce3

C:\Users\Admin\AppData\Local\Temp\RESF60D.tmp

MD5 341257a997a2d243d440109bd183866a
SHA1 3e0713580569705013746a8735b61f3b3288ea76
SHA256 3b7fd8e7d66bf6e7dfe1a52a8040b8abb5e7921a77416f66a892f3f854879335
SHA512 033c9705e00cd0874c725d04c67b5c976011ebc29f8756ebc67945095c9b9760eec9468bc7a66d8ab76ee017a1f35261fd8051c95c134b62fcd28d7657930ee7

C:\Users\Admin\AppData\Local\Temp\apge6__x.cmdline

MD5 7aff5a78004c7456d29f365993c3c9c1
SHA1 086d47743542d0f4e7a0219a33f592980e806707
SHA256 1590f52a0f411b7cb9aecfd95f62647f300abb02eff2c85b919b2172a7229d80
SHA512 b8ffa35ba4ffd3c337f0471087c73d0709c517b81db4dfaca6451b3c47ea84e5ff9c9c53b2d682603aa39f19412f23d7b6824b35703af0c7f97d86d46345b6b2

C:\Users\Admin\AppData\Local\Temp\apge6__x.0.vb

MD5 cd386bb30efcec58d701b555c523a0f8
SHA1 2252e54de0db8439e71cb4359e6d1cfc13a81a79
SHA256 9fa36b4d8842fdc663fd7c4fe9c0ed5f4906bbcb516d67d8f98515dfad14464d
SHA512 8d7034a7261e7ac5738401eec059103b40567757a068cbd0229ad9e9ebfb5e9a360ef180e19f20986d855e8f5b3ac2e7327b12947a5c00fe9ab0faebb64efd47

C:\ProgramData\SystemNT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

memory/2116-372-0x00000000022C0000-0x00000000022D0000-memory.dmp

memory/4572-419-0x0000000001490000-0x00000000014A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe

MD5 08b7405b0067a9c129131d5321149fd6
SHA1 bf6eea2a57b4f9141cdf0b915bc688582586a082
SHA256 6e0a79de47349533cdc95befec0b037d401fb4e0e7ac306ee9a519bc16ca7282
SHA512 72aea47914e21519a7ce5f212922681cf96f1437856eab180c6dcbfc382fc2a2a5149cf98b37caddc8bef238589b9b436434e2c8eacfa074ac8a3e32f833d715

memory/4480-444-0x0000000000510000-0x0000000000520000-memory.dmp

memory/1608-449-0x0000000001150000-0x0000000001160000-memory.dmp

memory/1608-451-0x0000000001150000-0x0000000001160000-memory.dmp

memory/1608-453-0x0000000001150000-0x0000000001160000-memory.dmp

memory/1608-454-0x0000000001150000-0x0000000001160000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js

MD5 2ca68eec3c1fdbaa1ae996ee759fc3c8
SHA1 54363409a7393613ff528d0488d1cc16796ef2d8
SHA256 4fe10ac0c622a99629804d64c89b59339a12a63ffb0b56132bfe39ec9b25aa1a
SHA512 e2fdc625ee7d3e54c1cca72810eccccc3f493253319dad56693d77904692830302564897d7d9c33b876f645bfcd1a5498be9be81bb18932e3333d00ca3408c12

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json.tmp

MD5 f29fd9741cc46f2406c3019c0c33c8ca
SHA1 caf7914f6afcbf4376be7cc99640b1493f6af61a
SHA256 e64685c93439f13e32a9b468f70a075b1ff83bb640159ae8e52a7a772e1fc3a3
SHA512 4764749ccd633e1548375132370e7c72bbc8badd84a97110f2fc0d159f2ebc454fada8b8ec10f9d056f1abf5f418e055a041b2fef63ed62cac54894a0ca57621

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

MD5 759d25e6a8e93d595cb3a4fd83f73df7
SHA1 903df39dc8e194f8a3d6c385423abdd764347a48
SHA256 e70c970805db45542716df40a53b930b5f623260cf2022ccd8d2252925e94c1e
SHA512 77f2c950000ca33b7283e77742dbcc515a8d583266d3860c35f0f25538da09809d0594c1785c985fd6100a04e141b5cc86edf83b39059b9c4b6db11b2339a713

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

MD5 67c7cc62058df5de63e03aaeffff7da1
SHA1 692d4868f29c50c64664f69c9b57fa62a8a0eba3
SHA256 b39e9201bc1540ac29a2a2aafceb70bcc29ff02e95b2cff6da1ed28227804c77
SHA512 598f873c1b5cdb529e57b9d505c0690144a6d1f028ed51471a6867ef28a8b86e722c318a14395a625bdccdb341bb9075f3d28b0bf93c4597767b63a3d54eaaab

memory/4512-648-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/2232-663-0x0000000000FF0000-0x0000000001000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4

MD5 1e5a38ccdbd2e25999a9325c6caba7da
SHA1 80a29effa1327ecea748bdfcf58e127fcae37ff8
SHA256 1ce5917159efd157e55f9a93f44d832288e70cc3e010e987c46f355a76bd0277
SHA512 9fa5d668059bc08211f458239bbd0c9a0924f9d6f76859b7cf6bdc3809fe93bba3db5078692f689402e3c0db319d545f7c90d6b9a5dea481a489a5317835d839

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js

MD5 1f7ddad212462d892fdefdbd79ef3f1c
SHA1 bd01044531cec799f9bcadf59e97f35ebce62d47
SHA256 ed4566539bc37590c4201191a5a43812f55b6d7a0be0387ed1ec77af9a5bf5bf
SHA512 daeeda746e0f3eeae7534bd6f767a09fb61635c9bf27d67e364c26b9888c214d0b7132cc9d184c7436f70558c3d7cf18e21d8193b959df3a8b4852931e7ee34d