Analysis Overview
SHA256
6e0a79de47349533cdc95befec0b037d401fb4e0e7ac306ee9a519bc16ca7282
Threat Level: Known bad
The file net.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
RevengeRAT
Revengerat family
Loads dropped DLL
Drops startup file
Executes dropped EXE
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Checks processor information in registry
Uses Task Scheduler COM API
Runs net.exe
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-11 10:16
Signatures
RevengeRat Executable
Revengerat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-11 10:16
Reported
2023-06-11 10:19
Platform
win7-20230220-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs net.exe
Note: this signature keys on the file name. The only net.exe in this detonation is the sample itself, C:\Users\Admin\AppData\Local\Temp\net.exe; the Windows net.exe in System32 does not appear anywhere in the process list, so no "net" command was actually run.
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\net.exe
"C:\Users\Admin\AppData\Local\Temp\net.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4xqab0sh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5DF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gemkb4l-.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC718.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC717.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ybn-nsqg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7F2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u-qs-hj7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8AD.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\znnentkj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC979.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC978.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3zae4sd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA04.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hbvi9kqu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCABF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6jmm-pwl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB7A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zu8y3dy2.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC16.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvmskhgw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCB2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-oojaews.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD4E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j2jkdfq0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE0A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3xkkhhs0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCED5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCED4.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5j-jug__.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF9F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4o_triaf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD05B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD05A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\es3fy2cd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0F6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q5vxpzp8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD24F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD24E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6zeh61wc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2F9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5b_ta970.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3A5.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lm3uo0x3.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD432.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD431.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vmvvonfl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4DD.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vpk24y_0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD55B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD55A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqikwdub.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5F6.tmp"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {6FD10FA4-9A7E-4513-8FEA-19F3896344D0} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
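Detection logic for the chain shown in this process list, added here as an example; it is not sandbox output or the report's own code. It runs over constructed process and file events modelled on the entries above (the parent/child links are assumed for illustration, because the report prints a flat list) and fires on the four behaviours the signatures describe: an argument-less InstallUtil.exe launched from a user-writable path (which, together with the SetThreadContext and WriteProcessMemory signatures, is consistent with the payload being hollowed into the .NET host), vbc.exe compiling a Temp\*.cmdline (the CodeDOM pattern; the matching *.0.vb source is listed in the Files section next to each .cmdline), the one-minute schtasks repeat pointing at helper.exe, and the Update.vbs drop into the Startup folder. The tag names, thresholds and the benign control event are this example's own choices.

```python
"""Added example: detection rules for the RevengeRAT execution chain in this report.

Not part of the sandbox output. SAMPLE_EVENTS is constructed from the report's
process list; parent/child links are ASSUMED for illustration (the page prints a
flat list). Rules:
  1. InstallUtil.exe started with no arguments (legitimate use always names an
     assembly), and/or started by a process in a user-writable directory.
  2. vbc.exe invoked as '/noconfig @...\\Temp\\*.cmdline' (CodeDOM runtime compile).
  3. schtasks /create with a minute-level repeat whose /tr is user-writable.
  4. A script or executable written into the per-user Startup folder.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str           # "process" or "file"
    image: str          # process image, or the process that created the file
    cmdline: str = ""   # process events only
    parent: str = ""    # parent image (assumed in the sample data)
    path: str = ""      # file events only


USER_WRITABLE = re.compile(r"^c:\\(users\\[^\\]+\\appdata\\|programdata\\)", re.I)
DOTNET_FW = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
VBC_CMDLINE = re.compile(r'/noconfig\s+@"?([^"]*\\temp\\[^"]*)\.cmdline', re.I)


def _args(cmdline: str) -> str:
    """Drop the (possibly quoted) image token and return the argument string."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1).strip() if m else ""


def vbc_source_for(cmdline: str):
    """For a CodeDOM vbc.exe invocation, return the *.0.vb source path to pull
    from the sandbox; the report's Files section lists one per .cmdline."""
    m = VBC_CMDLINE.search(cmdline)
    return m.group(1) + ".0.vb" if m else None


def check_process(ev: Event) -> list:
    tags = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    args = _args(ev.cmdline)
    if name == "installutil.exe" and DOTNET_FW.match(ev.image):
        if not args:
            tags.append("installutil_no_args")
        if USER_WRITABLE.match(ev.parent):
            tags.append("installutil_parent_user_writable")
    if name == "vbc.exe" and VBC_CMDLINE.search(args):
        tags.append("vbc_runtime_compile_from_temp")
    if name == "schtasks.exe" and re.search(r"/create\b", args, re.I):
        rep = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", args, re.I)
        tr = re.search(r'/tr\s+"?([^"]+)', args, re.I)
        if rep and int(rep.group(1)) <= 5 and tr and USER_WRITABLE.match(tr.group(1)):
            tags.append("schtasks_minute_repeat_user_writable")
    return tags


def check_file(ev: Event) -> list:
    low = ev.path.lower()
    if STARTUP_DIR.search(low) and low.endswith((".vbs", ".js", ".bat", ".cmd", ".exe", ".lnk")):
        return ["startup_folder_script_dropped"]
    return []


def scan(events) -> dict:
    """Map each fired tag to the events that fired it."""
    hits = {}
    for ev in events:
        for tag in (check_process(ev) if ev.kind == "process" else check_file(ev)):
            hits.setdefault(tag, []).append(ev)
    return hits


CHAIN_TAGS = {"installutil_no_args", "vbc_runtime_compile_from_temp",
              "schtasks_minute_repeat_user_writable", "startup_folder_script_dropped"}


def verdict(hits: dict) -> str:
    """Three or more independent stages of the chain on one host: treat as the family."""
    matched = CHAIN_TAGS & set(hits)
    if len(matched) >= 3:
        return "revengerat_like_chain"
    return "suspicious" if matched else "clean"


FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed sample built from the report's process list; parents are assumed.
SAMPLE_EVENTS = [
    Event("process", TMP + r"\net.exe", f'"{TMP}\\net.exe"', r"C:\Windows\explorer.exe"),
    Event("process", FW + r"\InstallUtil.exe", f'"{FW}\\InstallUtil.exe"', TMP + r"\net.exe"),
    Event("process", FW + r"\vbc.exe",
          f'"{FW}\\vbc.exe" /noconfig @"{TMP}\\4xqab0sh.cmdline"', FW + r"\InstallUtil.exe"),
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe",
          r'schtasks /create /sc minute /mo 1 /tn "Torrent" '
          r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"',
          FW + r"\InstallUtil.exe"),
    Event("file", FW + r"\InstallUtil.exe",
          path=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs"),
    # Benign control (constructed): an administrator registering a service assembly.
    Event("process", FW + r"\InstallUtil.exe",
          f'"{FW}\\InstallUtil.exe" "C:\\Program Files\\Vendor\\Service.exe"',
          r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for tag, evs in found.items():
        print(f"{tag}: {len(evs)} event(s)")
    print("verdict:", verdict(found))
```

Run stand-alone it prints the fired tags and the verdict for the constructed events. The argument-less InstallUtil rule is the strongest single signal: a genuine InstallUtil.exe run always names an assembly and exits almost at once, so a long-lived instance with an empty command line that goes on to spawn compilers and schtasks has no benign explanation. The vbc.exe rule is weak on its own, since any CodeDOM user (PowerShell Add-Type with a VB.NET source, for instance) produces the same /noconfig @*.cmdline invocation; use it to correlate, and pull the *.0.vb file that vbc_source_for points at when you want the generated source.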
Network
| Country | Destination | Domain | Proto |
| US | 209.25.141.181:28050 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
Files
memory/1468-54-0x0000000001F10000-0x0000000001F50000-memory.dmp
memory/1600-56-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1600-57-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1600-58-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1600-59-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1600-60-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1600-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1600-62-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1600-64-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1600-65-0x00000000004C0000-0x0000000000500000-memory.dmp
memory/1304-68-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1304-69-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1304-67-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1304-66-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1304-71-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fgZblRvZ.txt
| MD5 | 1ca6f544faeeb4b277d9658f501db01a |
| SHA1 | acd0de8a3e631fe60cbf6225eb1b3bba1af7c89e |
| SHA256 | 9d02e4e94fe75f14c583d1ac7c986f907d25c1bb0f6806f258e3262dc0642b28 |
| SHA512 | 7903d20a8d326b6b44d986c4e19e03d01cb5ff43e67b9627cd3e412f7cddd5635137fd08f5a2e8b532a293050ededf6c080a625aa0753fb8662d4e1ac1704e6f |
memory/1304-74-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1304-76-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1600-77-0x00000000004C0000-0x0000000000500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4xqab0sh.cmdline
| MD5 | d9b9c9070581f7d6068b34744c2d1492 |
| SHA1 | 2d31e080dca8c569fd3f04bd24470fa025b10251 |
| SHA256 | d9a94251b479ef9cefb555cab69f0d300b58fe79ea6a03f05fa64918f3ef9697 |
| SHA512 | c271aea52219a8000a899a30584b4628134b996cafcd40d38a6c0423e2fa943b778d390d97f3a8b24da0563658c180642b67896ab0bf53b182b3b6204394c93e |
C:\Users\Admin\AppData\Local\Temp\4xqab0sh.0.vb
| MD5 | 334a368ac8099dc7e5f5dee3db3e0b64 |
| SHA1 | ad0f9d9c34d6b7bbee7532b4dec34ad12cdfe237 |
| SHA256 | ae2d531d9f2bf164b4266daebfe68ab290007cdad1537162392fe9b5a35dab7a |
| SHA512 | 8048a6b1035e0b0e1f3a76247f88257860c78c1c3c58f1acaa311468c6b37d29e0b725aae9b056449eca3068bb6d5f91c10864bc3f44338af19350bf6921a0ed |
C:\ProgramData\SystemNT\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcC5DF.tmp
| MD5 | 0661260842b2b86f669a0ed7151eecac |
| SHA1 | 4bee9cb78ddc466b29b2a64fea745e6849f78eba |
| SHA256 | 90c7a3237b359fffd1e957ea5dfce8390ec9720db08aa73e403cbce927905947 |
| SHA512 | 8bfb24598bfd1b03884686a1798137096695d7d13c486e180e53a20c6fb63701c14fab1ec48623e89d61aa29a8aed60d2807c73c21b35ba07d52dd8962c7e197 |
C:\Users\Admin\AppData\Local\Temp\RESC5E0.tmp
| MD5 | d6f4276b794a041b1c88eb7f23c37148 |
| SHA1 | fe4d2f3b543c9d2fc11056b7bcfa33542b91a037 |
| SHA256 | 669bf4fa1129ea65038efd58efb3181f0b8ed6c95591353b9cf012c6ee99dd9c |
| SHA512 | 88abdf42a8259cc956b6e2f925cd9b02c19353c6d954b97e38250e4d6a8bd224c18a717ac3282e72c419c86432a5b62c0310392cc9b3ad165996c4d6a1f175a3 |
C:\Users\Admin\AppData\Local\Temp\gemkb4l-.cmdline
| MD5 | 6d9f70813bbb6936a74e43090e8e85f1 |
| SHA1 | 8922e3ca4b702cc969bc3aa92513f6aadf4cc59e |
| SHA256 | 92cc798e46262ae15beb9cc7c19d7e918b0ed5091865258d62263d5e192e7a4f |
| SHA512 | 8912f3f3f555651884870eb39ecad70b9db0a3365d699ab0f7a20bad3395fd2232b5417436aa0d76a7a48c4a2493e25beddf94ac1dd295fdbc349903e26247c5 |
C:\Users\Admin\AppData\Local\Temp\gemkb4l-.0.vb
| MD5 | ce03c49cad8d410b9dc835cb29e3df66 |
| SHA1 | 74e982f2f862e440f005692af19d37e13ed23ed8 |
| SHA256 | affae47eeff482f74837ce0259daa0e6aa5d54f6f5e2fe69cec0d21d0f1b8ac7 |
| SHA512 | a3c13f3b2e1929b462a85d98880511403368f05ddae5f2240e50b2650d8e87e5f43575c39348aa041200571d5d3788c7337bcaafd3aa56253c72be8c139a6f9e |
C:\ProgramData\SystemNT\vcredist2010_x64.log.ico
| MD5 | cef770e695edef796b197ce9b5842167 |
| SHA1 | b0ef9613270fe46cd789134c332b622e1fbf505b |
| SHA256 | a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063 |
| SHA512 | 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f |
C:\Users\Admin\AppData\Local\Temp\vbcC717.tmp
| MD5 | fc0ae112d639ff25d431cd5a579ff71f |
| SHA1 | bfe0fe75310e8074430659564b17a65f7f65e250 |
| SHA256 | d1fde5b01a1525ddb1e9d6e8cd02d6eb9e367e61e3c47e3955ef0a386be0a55a |
| SHA512 | 07b3ec241d513bbecca16ec23f3f3a7df07666d43263722c695271d4b4782317655882edd208b48f3e1d8cb093c3ad337ec804828d6499fc0b1bd55f6d13147e |
C:\Users\Admin\AppData\Local\Temp\RESC718.tmp
| MD5 | 34f2024de5de9bb91f61d848b9ebc205 |
| SHA1 | e5a22f0bea55695954bcf66690f088d260501bd1 |
| SHA256 | 423fd45ab3447b157ea19a5b5e8645a47227bfdcb0b9e2b35de76527b0a90879 |
| SHA512 | 4f8586c450dab55f358a911cd79ff54018fa4fdcea85ca4c307b0ae2fde5bf027202eb22af467345622e0b18268151bb70ab2c1b60cc9fddadaa33d1a5e94b51 |
C:\Users\Admin\AppData\Local\Temp\ybn-nsqg.cmdline
| MD5 | d971401dc1c909aacb0016520e8b85d6 |
| SHA1 | e35a8064be181b297b9dbbd530cf2491f8267bda |
| SHA256 | 59e6f98d4e5c0d710848dabf6373e1d51c4041c2fb0fdaee0628afb98bd10e26 |
| SHA512 | e31dfb38be571e90a198771a3404d3d9fe761e0977ab947531da7bccc6cc3a3af373a9dab3f9f418098ef95d7b9fc271aa67347b176756a3311724bec960223e |
C:\Users\Admin\AppData\Local\Temp\ybn-nsqg.0.vb
| MD5 | 313b65b69b3b2d5ce734629d00a11dab |
| SHA1 | 2ec198a69d4d819d6bc0d6008f222897f460b5f6 |
| SHA256 | 31524c71683b1c8552c405466548f2adf4532482550d3b826132ef11be2bf7d9 |
| SHA512 | 08eea12cdfef0a8e1b6694433c429732e3ed31ffb4d4f62621061bde271e77d3cb8c560b654b72a2afe45854b56ca09e425f368d2ac59e6a5bd939129ad43e6d |
C:\ProgramData\SystemNT\vcredist2010_x86.log-MSI_vc_red.msi.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcC7F2.tmp
| MD5 | b4f19acb28feeb40ede85b4954cb19b1 |
| SHA1 | 8a8f0b27ff86a8af21eca741009e71226e62599c |
| SHA256 | 937b661a576bcc8a717a40b482d9bcc6037ca6004075a4e2df90da4debd3c577 |
| SHA512 | dcb54cd0133a29884d16207e30ad23397c3f75fca894e8f93f442bb10f4885c823fcba60c57b5458b354d08dc1aab19b38ab401a3333706f25a18eb58793dbd0 |
C:\Users\Admin\AppData\Local\Temp\RESC7F3.tmp
| MD5 | 61b1039aee9a9ff1a4115401267ca700 |
| SHA1 | 41a31793971b54d83e7cbd7f990de1f02f3c758f |
| SHA256 | a5076f0caae50a0a10f9247b5f771b8c207df0f5ce378526856ee1040a201a64 |
| SHA512 | 863dd4322f195e796577c2a85d9635775bee55d944448ce89d5430a24590101e93838a52c616cf1792091c77564c1839554268100e0135618921b9be228d6f03 |
C:\Users\Admin\AppData\Local\Temp\u-qs-hj7.cmdline
| MD5 | 47d6e63c6a198f5214970c64a3302ef4 |
| SHA1 | 1cdcd6d45603a26a0ad96d0cc4e0b7dbb1ce0e87 |
| SHA256 | 740fd2f43c85b672ff91eefdb870a88b5009a70da1213d28f19e0609ec6c5cdc |
| SHA512 | 75b1848c193cb261fbf57d79d9b010158cf5837de93e8c17a37d0d0c5644d333526bf0a38ee8a1161df0deae59509fbfa94f9ff92e593947cc12d91411e14f61 |
C:\Users\Admin\AppData\Local\Temp\u-qs-hj7.0.vb
| MD5 | 8766d3cd3b7e2a808519035f33e2663f |
| SHA1 | 2c6812ee03338b59e9aa46151df7436124fbf276 |
| SHA256 | a37453b5d54c40de9d3dbd7b95c33e1c3ca2e8a99cbc7fb9b5ec9010db4ced0c |
| SHA512 | 1eb42f1d67fedb9c2571a3435ab4b98df21d4797ad1f4e837486324139a4dc5c1cffcc1404485a04c7a7e961346cd886ee48662e3ee1916f6f593ba22b432b95 |
C:\ProgramData\SystemNT\vcredist2010_x86.log.ico
| MD5 | cef770e695edef796b197ce9b5842167 |
| SHA1 | b0ef9613270fe46cd789134c332b622e1fbf505b |
| SHA256 | a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063 |
| SHA512 | 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f |
C:\Users\Admin\AppData\Local\Temp\vbcC8AD.tmp
| MD5 | 4e005c1c0479493f586c00a38e7ab931 |
| SHA1 | 5524ff3e54e7676d2cb5874de5db7af0eea12f62 |
| SHA256 | f53ac672df07cfead50f5ccc052ec3ca90a7356911e308d85a9de0358a772a8e |
| SHA512 | 9b6dd93d97966ba8d216a585d247202d28a501f01a33ae8339d7894742e266016ff9c71b54b08c5c5050f4f971dbcf68d0151bd4c7c9756c3f2101b051f5ba7e |
C:\Users\Admin\AppData\Local\Temp\RESC8BD.tmp
| MD5 | 550e3c49cf0797783cdbe36fd88ab02b |
| SHA1 | 2e03ea65a9a20afbc19856f0d8abf536bc744192 |
| SHA256 | 7fd84ab0a280630b7d20c5ff124ab9d1c3e52a198857bc2c0434547facaae744 |
| SHA512 | 1b5a1704db061e862c20bb3a42e49f0a25d9eae5298159ad9d9d22be40819388a0b07a4d2d45af2cdc3c6be9c15949c9c22d1a95aaec428e37abee84e2a34610 |
C:\Users\Admin\AppData\Local\Temp\znnentkj.cmdline
| MD5 | 96851fd7d7cd796ce1eb428de279055d |
| SHA1 | b0bf46057c871c34de8bddb4ea77c484c66e70af |
| SHA256 | eb76fd9059ce0cddda3a5285b51127f63fb02b67729cea4a303810af57bc814c |
| SHA512 | 9097023190e604bd09e454b87062a7f755d671118343f5b3b44c01f320c2fa7be57cb64a1b7af1386654a05b2b1c4fa69c1ed1e51b75276ba4fee6cc83622850 |
C:\Users\Admin\AppData\Local\Temp\znnentkj.0.vb
| MD5 | a4866a83e9455c509fc43ca26f4c3685 |
| SHA1 | 2a1cf8a4d4d625669f57c15f58c0b1eb38d6a6c7 |
| SHA256 | d06ba272ccc9a2d33c3db7fcf69577c0eb001f89de7b1a35c56c34f50ee7c04e |
| SHA512 | f241b6ba5a2cae67f0f9cde0931b4af008a858fc2384f671cd2e413b993d230907a9259a9745b83975d443ecc4387eb67c5cce487f1ae9005c84adcba0844142 |
C:\ProgramData\SystemNT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcC978.tmp
| MD5 | d01b49c23d1411fe56479e1af8d36582 |
| SHA1 | be69752fee821e3fc83837ff6c2b1efec665b9ca |
| SHA256 | 534c429b53024d565bcbcfdfd3790cedf790aa8783989710ba156157557178ec |
| SHA512 | 59ea39611ca673ca2c0d00c6572a0aee3774d8b3517095e64d960118bc51e0d98d8daa931c29ccf0e9cec7e2af32561e7e707102ebd0f09c52b03dbd41a6ed56 |
C:\Users\Admin\AppData\Local\Temp\RESC979.tmp
| MD5 | a6e43e3bcebd5a1ab4b762dc4e6d0828 |
| SHA1 | 980c1181d645c461ce134136d713f13e5117255b |
| SHA256 | cf82e7ca20c6dfac2712bdfa9ff9c1015df5bf6886e32bcac3b0dec8335b0e98 |
| SHA512 | 3448f77a2e21008c0fe79f19c61fa59fdcae7342ff701b3a0033938768e28f2aeb75b33cfffcfc5006f719c1a65a92740fde0a75d710321696087587a0b0ae62 |
C:\Users\Admin\AppData\Local\Temp\z3zae4sd.cmdline
| MD5 | 205a8afeb29b1181c39586fb526f10d6 |
| SHA1 | 587760ce99a468c58aa414c6cc94e53cfeee960d |
| SHA256 | a0444389f12755af36e760eb7850541e178a6106fe3c68323b3f2d0f3c49a0c6 |
| SHA512 | 8da100c1e68c67524fded7ecb4fb39797acdb27d192032761024e4cdc262fe25569d98b6a5dd4e53415af6ba1f098be4a0a8fab7ee4fdc116e54535c9764b3f3 |
C:\Users\Admin\AppData\Local\Temp\z3zae4sd.0.vb
| MD5 | b78a05f477604354c54265dc1b62133d |
| SHA1 | c20cf1d39988baa72a99521352bb9c11582c5632 |
| SHA256 | f9b7510f9e8ac56b3d8cc3960a4dfbab750b32480252451149e0349563dc86d7 |
| SHA512 | 56d3e7501ae911ef98a75ae945ec1c9a98a9445ba8bf84b94f3bbd1a4b74e391465a4b7f88ee3170011e6a27923ca3a1671e82e6590556e19cc73a865cc89ecb |
C:\ProgramData\SystemNT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcCA04.tmp
| MD5 | 24c4112e72e817289e33f7e19ea0e1bc |
| SHA1 | 57c9697088bd619f3e7e5b1557ec06ea82fc4a47 |
| SHA256 | 9d7f0a1ef6835860ca2ff4be9b385726fdcf43e09c93f6907c954debc0dc789a |
| SHA512 | 37c5cdb4743a08e0c83a126254ee703e8499de32f77f18a630c5b2fe189cb4c63f22339b761725e97155316895f26b1ed329c0e59054b47a1ecde72ba0fde2c9 |
C:\Users\Admin\AppData\Local\Temp\RESCA05.tmp
| MD5 | 1ac82516a52140489047f8c0afa08e09 |
| SHA1 | 84ea3c1a5d9d104730b8f9ebc0a9be254c9861a1 |
| SHA256 | d591e5927a22ddf03fc178a6dba141f3dda172add85bb8a9fa646bcab108c5d8 |
| SHA512 | da2c28dd79999207b99a721cefa89f51f73e5f663d2bade8599ff8d19e8cd496cca3833984d224b43ec5e19de47e75222a155b5863971723295034e09417c662 |
C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\hbvi9kqu.cmdline
| MD5 | 4d33a049df5554bef7eb22dc47a35c6c |
| SHA1 | ffcbd105b6e91fc19bc645612e7d729cb73c9442 |
| SHA256 | 1c5387d1c25ac8ef329bbfb4e4eb1fb01d93fe1e44ad8ef9d82bd46104f0187b |
| SHA512 | da28f32501a9e46fe20ab0acff584acb03712eba8c91951656512c2ce90c57917ca37526c5e978fcd0da4b9b19107ba238e40b549bf5544ab606676a175de809 |
C:\Users\Admin\AppData\Local\Temp\hbvi9kqu.0.vb
| MD5 | eea98df6de061dec50605aae66847edd |
| SHA1 | 7dad2c743a43266d1c8bb2e1b86b1ef1e12e351f |
| SHA256 | 36d938f64e451da3eb2fce840b2b67308d4c5b15627a254f8237d39aaa235e64 |
| SHA512 | a0a4c1373eb672110c96f65f55dd9179f426528a0c7070c72b6e5a5d8cb626502bf6763758a8218b75b7f15ad2c32b11ecbe11a5c91777e18d6471fd0d7f0c08 |
C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcCABF.tmp
| MD5 | 1526e5a0801a8c24f41a107c581b8e5e |
| SHA1 | dc81f351b0fe6a38e0abff33bf2c2fafdb0be9d3 |
| SHA256 | 4a0f1699ceb533a5ddf2c344290e54e00397883c588398695b5a709bb92f0d67 |
| SHA512 | bd9efd7627e6ba3e24585bf3557e7c57054fb68ded9e3597ab4065de3ca8688f9b804fe3efd8c34dfc18b10a994d29575047cbd43599a8e4d3ecbe70dd3eb3e3 |
C:\Users\Admin\AppData\Local\Temp\RESCAC0.tmp
| MD5 | 25555be18a4092cb3ab31dd8fb894241 |
| SHA1 | 96849d6f7ec051d53f00cfc15dff8e333561993d |
| SHA256 | 530a667dbfef86790a38e880b9db9fc05ceeedfa858c97c89eb9a348e7f3b101 |
| SHA512 | dc61d85eb45e77455de1d1a204623e05399ed7492a7adaf8f6256c49245b15081ae08217a9f9bc4b868d3b3863525b1e2d585606ac0fdb7af66093cc0d6f8cc8 |
C:\Users\Admin\AppData\Local\Temp\6jmm-pwl.cmdline
| MD5 | 9c05f1c51f33c2a33abab75a684f622c |
| SHA1 | 63070a71bce64c689373ca5a2e81fbb0845b2c30 |
| SHA256 | c3491595cb59c13b7b8eb37aabfd9626e4e587b2ba03dfbb049f5397ac5cd150 |
| SHA512 | 7d0c9df21e73b466f661f827d1dbb9270fe4ef4e3679d7026de6377bd9c00c9c2c1237697f1705220103c44928a4985d0573a6bbca6caa69012717afa5384b95 |
C:\Users\Admin\AppData\Local\Temp\6jmm-pwl.0.vb
| MD5 | d6875fca5e32b7fa0dad9bd8a02367ed |
| SHA1 | 104d8f29ae5fc5d3bf4717d3335059f5dcb910a6 |
| SHA256 | 660dcf00ed2d31994f3e58324e1c249e4e07c682d0987db773bd04424b93d6ca |
| SHA512 | d536a3cfe4ac75e4c5539ccef6a76a785c5f408d794a8ffb0b4715c514a9c845fa43e6d53f282aeadeab8b83723cc1768d36f554666c473591479cc3df0cbab7 |
C:\ProgramData\SystemNT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\RESCB7B.tmp
| MD5 | f936965fdf08953e587ddc1dd34a4b26 |
| SHA1 | 989579311440e5d40bb463fa74a764b8ca520e40 |
| SHA256 | b5e4310cdb2ef0e58e6b12fe17a2b7fef4bc283fe9230c0892ec4df4879a1576 |
| SHA512 | 5348ab9886b9e048551ba7094b161130ce6697388923f271901bffc54840b8ef279af162622d5df83b0a1fa1e53e67e938871e3446757829882a002adec564fe |
C:\Users\Admin\AppData\Local\Temp\vbcCB7A.tmp
| MD5 | e4a17d5e57953299f484f35a866e7355 |
| SHA1 | 5834131374e27e00721bd61b270a59b17985cd26 |
| SHA256 | cf3930d64aa91318acd3fe34135057488cea18f4118cde3be022e9ca9a42877b |
| SHA512 | 49db8caeb0747a26dcc92c9dbf97dafc544c00065855e30bababed741367869c97d42389f5d22be5595943adee6c24f64bc45f874a19520bd3a6e732154a65ef |
C:\Users\Admin\AppData\Local\Temp\zu8y3dy2.cmdline
| MD5 | 2dd3373f1c3691a5fd99670c5b90a110 |
| SHA1 | b5b27751fd1f22038e57ed0a22272d2915c35ed2 |
| SHA256 | 703c913f64e3df639c8c4abc471a45be67ca7831a67b73a15380459cbf1730be |
| SHA512 | 3f0cbb592c671814db5c720509dd7756ed3acc11f9c22d83735170b8912662a04abf31a4a6ce3a6879aac249967b831baeac852752c934a1bad6e93963d13791 |
C:\Users\Admin\AppData\Local\Temp\zu8y3dy2.0.vb
| MD5 | b9df787116b3a62078989ff5991f31ad |
| SHA1 | b79c1818d90bfeee20188f16f71d35eaa0247b1c |
| SHA256 | dd30426ab1bc5733aee05fd7e08d446259e21084c1e30e9ef8b0fd7e09593469 |
| SHA512 | a495c89812a18de07dbd54c63cbf06ddb4aaac5a218418cbd8f3efd155813384e2340c3dce704a8ea7afdcbed0ca9cf1019598cdf91efadc8da5d8c79f1bc7eb |
C:\ProgramData\SystemNT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcCC16.tmp
| MD5 | 7bcafd9585f96a179d17504ab565c513 |
| SHA1 | 23b6b2afa852a6a6c5fb989ba3367ca7969b3333 |
| SHA256 | e7982466e187e1b6cf04dd686f6643f0c5862688871c3f3ca2a9b1fa468d2afb |
| SHA512 | 420e1f963761659970669fb43b2ca3ff71a74bfa5e72e53bac0ca2cec40175940ac46dfca4fa77eb54484e364e07a43bfb1f656de8b47d1e3e551b094f14b8ec |
C:\Users\Admin\AppData\Local\Temp\RESCC17.tmp
| MD5 | 1616430a0a87c0637cd34880b018dccd |
| SHA1 | 649c74844872858ed3efcf48989306190149e490 |
| SHA256 | 58bba0a561cb0c3184409a257bc812d8de48ea42a09d6c02f780a3489b762aef |
| SHA512 | f05f24d7deee8ac21fdd1589f75e3c851afaa988e01db584d0da6e89be741db12c96e4bf723a2891ce4bca39884c9a16e6c65e5ab830b9ca2c931d6a5eaa0231 |
C:\Users\Admin\AppData\Local\Temp\hvmskhgw.cmdline
| MD5 | 32b9ca9b8aad32a25492e5e6568d07f9 |
| SHA1 | 6ac9579607b1c0ecbfc2a258a249e332fd52739f |
| SHA256 | df9a6e9ea69d7ff7d2dd4e93c70fababcb1b5f1e6a38594d2c2740b90166907f |
| SHA512 | f95123e22205a829834ae83bc636fe6a5b1b3d26404ccfca5c9183ba08b730a94b3c31e6882c5ede4d06b084e83dd0b6bcb2d1ed1f5d1569d3ee893ec381dac3 |
C:\Users\Admin\AppData\Local\Temp\hvmskhgw.0.vb
| MD5 | 67d00c1b8cac0d620187a42ab7e46c55 |
| SHA1 | 52b95e2bd627fc79ea3b3edf9c79594727313845 |
| SHA256 | 7b18d0c4fef8625430589b30242eb50946e1adcbc226aaab7091a26a00df8009 |
| SHA512 | 8c9e78077a9b9da511ffe5881dc2f9c9c01bc086f332ac506cf3f283fcdf74c3750a49d31f0fb25c213cc5411e2dfc9789768ecc3a5335fd220e6d51fea0896c |
C:\ProgramData\SystemNT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\RESCCB3.tmp
| MD5 | 23b9e60bcf1f19df292d5d7f4f12827c |
| SHA1 | 0e2fae3a470950822b80557a7ee5d81c373c9aa5 |
| SHA256 | aec854be7102afa5dea21f677c851773942a385e92e9ff904236b50509248fe7 |
| SHA512 | 0b002e987317418c79e7a023d4c5f81ad86e3cf6ab46ba5fbd7a3f7f6514e9489777e79f11f66c81591b0906142771263c8d9b5cd9279b6aeb39c49cd86e8704 |
C:\Users\Admin\AppData\Local\Temp\vbcCCB2.tmp
| MD5 | d21cdcd6862d555cc501f226d4a8391f |
| SHA1 | 2d1c5a5a304ef0d5e3d88e3ac527800926d1377b |
| SHA256 | 65efc14b79847907c47ccfda2d58f8e2d9457e061c51817c6f545dfcb7595156 |
| SHA512 | 9238ff012ac335c5246f928b692d8dd6d6a707caab05110fa8177e2887149a911e7c1c916ae92d6ab7892bb91482a18c54485dc623fcd4c85fb7268f3628b3aa |
C:\Users\Admin\AppData\Local\Temp\-oojaews.cmdline
| MD5 | cafc31f628de5c8ab7b84b59c9ccb904 |
| SHA1 | abdc04d02368921d95ee1586a309628ae08dcf15 |
| SHA256 | 0d2e88530a9b67c8e9f5bb98a1c00496f7ca6ea691e247b8b2c290a708206da9 |
| SHA512 | 183f15e281e6445efbefa96e8649621b36a94c8f669aff4f4a79b71d345fe99981dd6728831ed00d80913bcf9e86b3b7a9acee772f35556d55dab78baed5b8be |
C:\Users\Admin\AppData\Local\Temp\-oojaews.0.vb
| MD5 | 63389d61965aeabd8cd43fca69e0eae5 |
| SHA1 | 4eb00419039cd61c7e881896a53d0264d821df5d |
| SHA256 | 50ea4dc10a0d7d477cb184a4e87996f69e4038ec7101d22450ed9e877d9815ce |
| SHA512 | e8b0b34401f54424064a236c76319b3868973b474c9e91290be1a85030d625512e26f65f8c364f69b65136644c0cc885a6ed3cda1529da245f0d77020f6e08bd |
C:\ProgramData\SystemNT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcCD4E.tmp
| MD5 | fc186dee7c8016a04ad4a550b5d2186a |
| SHA1 | db5a4bd43d03642d363251093084e97689a8e1ed |
| SHA256 | fa4ca83094080b4b31cb7e249e4e1fca5fe1795970e4d53b515c70b55900f88f |
| SHA512 | 74977ac24020436420eacb70675bbf610ced397e2a41c22898e899eac736e20714bbe6d5a126124a01f54c123f8402ce783f53fc1c7b82562915c6d26ad093ad |
C:\Users\Admin\AppData\Local\Temp\RESCD5F.tmp
| MD5 | 84b1dd37111539560626adc964fc4cad |
| SHA1 | 009c5d315e436de16add45c0acf0cd04b248f4fb |
| SHA256 | e21ce35dcd77c00ecc53f05f676608aed6915be1b70ffd3b3b3270145c89e088 |
| SHA512 | e7575c72a9ab3052b95458b53135596dd14458c1dba474b6ea5a6e89d9ce6e59b55f42a5b1b4039853a2e47d76584509f8c9af64b4a3722cb85ff1459cb0f303 |
C:\Users\Admin\AppData\Local\Temp\j2jkdfq0.cmdline
| MD5 | 06c0c07d6d414611fb3d1528f44e53fc |
| SHA1 | b6a3b394fbfd4554c17e29c539420fa812fa0e9a |
| SHA256 | b668712eec278fcf75057a0f305585da331a163f6e28d9f8bbff78e33a36366b |
| SHA512 | 0f6713c30b90c56400084778776f19538897ffe597d336ac93afdfb6e152dda23dc1748ce854c5a5aa79a961337059d05ab868b585aaeed7aecd8ef96fcd63e2 |
C:\Users\Admin\AppData\Local\Temp\j2jkdfq0.0.vb
| MD5 | 1101df69fed8db2c37a716f49a122e1d |
| SHA1 | 11e76092a4ddb583c627e72b841a72b9233de410 |
| SHA256 | cf2b5eb4201861d8ac0e2fbbb7929d7645ed14d5d4a782fd98990f4368407559 |
| SHA512 | 5729d804f7c3fc7e3196060816cffccb93647bc5f0691a70928bb51634b49afc0c1baa2535ae6357a69684ad3f69384adf0d0d1dfba3994cc5f8943b6787dcae |
C:\ProgramData\SystemNT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcCE0A.tmp
| MD5 | 29df7ae875db3f92a3baa67cfabbf481 |
| SHA1 | 6cf67b6029dc93c2aea0f9aac6fa653138b4ff06 |
| SHA256 | 4956d0cf717ceb9f8eaaf049c7424ca23caa35777e3cb053e608ce966ed6b2be |
| SHA512 | a5dc71034931509199a5ea12ca31fa567d243e9b6c94fa2346f26f8acc871c642bf7ea9cce247527b50af14c1286e8cb283211dcf82e5e60e48ae9fe6343fd21 |
C:\Users\Admin\AppData\Local\Temp\RESCE0B.tmp
| MD5 | 77eb972ecc7552df2be93265a3d6ab55 |
| SHA1 | 81ded360093b4dc6f3293dfb2e91360c767a8b5d |
| SHA256 | 8fe754017c5b70c6443978e885402ddecc3a6a863b0a30107f4c4c478a089155 |
| SHA512 | 287140ef2ec93047963461bb0f7641c44bbb234ff58d09fbc04bd70592431f9fb63262e7b1e8668d57708aada6d6b0b08aa71437adc7783526a6a1551b13c64d |
C:\Users\Admin\AppData\Local\Temp\3xkkhhs0.cmdline
| MD5 | e1d20351b1f1eeb78ac7881e3940c745 |
| SHA1 | f2549da955aeaddeb966656d883fbcdb2075fd83 |
| SHA256 | 3976b7801c4bf354947f716e31f5a659db2604b5a192c4acabdf12289ac67ee0 |
| SHA512 | 7eb8e5ea20632eb198c47b47f7fecefd5cf4f98dae21b8f3a82fbc8d0fed78e487be5bb57465b14366875f29c728cbbd771fd67cc042f3ec14ec1b60fc2152b7 |
C:\Users\Admin\AppData\Local\Temp\3xkkhhs0.0.vb
| MD5 | cd386bb30efcec58d701b555c523a0f8 |
| SHA1 | 2252e54de0db8439e71cb4359e6d1cfc13a81a79 |
| SHA256 | 9fa36b4d8842fdc663fd7c4fe9c0ed5f4906bbcb516d67d8f98515dfad14464d |
| SHA512 | 8d7034a7261e7ac5738401eec059103b40567757a068cbd0229ad9e9ebfb5e9a360ef180e19f20986d855e8f5b3ac2e7327b12947a5c00fe9ab0faebb64efd47 |
C:\ProgramData\SystemNT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/1888-310-0x0000000000330000-0x0000000000370000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
| MD5 | 08b7405b0067a9c129131d5321149fd6 |
| SHA1 | bf6eea2a57b4f9141cdf0b915bc688582586a082 |
| SHA256 | 6e0a79de47349533cdc95befec0b037d401fb4e0e7ac306ee9a519bc16ca7282 |
| SHA512 | 72aea47914e21519a7ce5f212922681cf96f1437856eab180c6dcbfc382fc2a2a5149cf98b37caddc8bef238589b9b436434e2c8eacfa074ac8a3e32f833d715 |
memory/1604-374-0x0000000001F20000-0x0000000001F60000-memory.dmp
memory/520-381-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/520-385-0x0000000000390000-0x00000000003D0000-memory.dmp
memory/520-396-0x0000000000390000-0x00000000003D0000-memory.dmp
memory/520-397-0x0000000000390000-0x00000000003D0000-memory.dmp
memory/520-398-0x0000000000390000-0x00000000003D0000-memory.dmp
memory/1252-400-0x0000000001F50000-0x0000000001F90000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-11 10:16
Reported
2023-06-11 10:19
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\net.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\net.exe
"C:\Users\Admin\AppData\Local\Temp\net.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6r1ovxm6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6919D80234DB474AB5C79A97C14EFFE8.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3afool-y.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB200BD0633C4EB08DA84FC4AC88ACF.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pk36-wt_.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A8104EFCBA44865A962DB8FE3F3FAB3.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d3cgn_6r.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDA1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16F046E895A9440D89FDBBC462187465.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xzqhbjsb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD28B7802B0624E58A3D72D86EABECD5.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vddddwio.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2CE63EBA5D5465FAE634DF8E6A22E.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkthxosl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc340AD24867954A089BE32ED28028DFF9.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hs-avqcc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA247CF4F1A441B991CE5EBCA8EFE6BE.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fhcqndyj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcECC2160640154D14B0A366347FDA5E1F.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\flq-qg-n.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF39C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA946759F54F464E83F7F5ACA87F8C.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cpr2r_ql.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF457.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EC0BCAF2466441DB7331735A46386.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lrktbxjc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF523.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc634EE2DBB2D04593906122DBCB764F3.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tzxradr-.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF60D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66370B11490F47B180418D67B65F1C53.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\apge6__x.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF707.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF14C0D90F8044F279BCFA4929C76EC39.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aw35unae.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB70CFF8F1882439AB6CC65C217966B7.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ia3f64cb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB99F01C6287476BB9752181EB4F1254.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uprcr9do.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD94894D08AE54C7A9B662E54A7839233.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sff4wh0p.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc639EB09D72404972B85A3E778716CDCC.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d3t0g73n.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FF6697C3FDB49E5926A1FC3D92FB21.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckphf8eq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAD6306CC92E4ACC8BBE51313F42D27.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zvf-netn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB8DE92045C64BED99C53F55861989D.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mtwe7izs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1CBF94A86E47A9B27ED04388E686D9.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yhkfhg4z.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE661F525BBD44080B8CD49D6E06ED7D.TMP"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.0.551786835\948833888" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81a005c-82e5-43a6-958e-78bd774a3fda} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 1948 17e4a5de758 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.1.1384877136\2072145050" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {730f2685-54da-4c1a-83d7-6af1cc5ca41a} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 2332 17e3d770458 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.2.1591478250\1349933136" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2928 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb274b19-e6ef-425f-bcd1-b7922926ab2a} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3036 17e4e2e8b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.3.2112620240\354475704" -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05ae002f-ed9c-4774-80aa-813d5f26250e} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3676 17e4eb1b658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.4.790106751\856706045" -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 3864 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d15ed87-22ef-4a1e-8a41-7848d9353eb8} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 3900 17e4c882658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.7.514899083\1560904029" -childID 6 -isForBrowser -prefsHandle 5420 -prefMapHandle 5424 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f234b5fd-6f85-4984-9af2-72fcd948f978} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5412 17e501db758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.6.1647885532\159104499" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60907f44-ed83-4292-bd64-5870aafe52ff} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5220 17e4f832858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4552.5.61051262\4605877" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 4992 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc73851c-c7a8-4ff0-b696-771d03fd07c1} 4552 "\\.\pipe\gecko-crash-server-pipe.4552" 5088 17e4ebdaf58 tab
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.242.101.226:443 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 209.25.141.181:28050 | | tcp |
| US | 8.8.8.8:53 | 181.141.25.209.in-addr.arpa | udp |
| US | 52.242.101.226:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.155.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 13.89.179.10:443 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 13.107.4.50:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 95.101.143.155:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 155.143.101.95.in-addr.arpa | udp |
| N/A | 127.0.0.1:50102 | | tcp |
| N/A | 127.0.0.1:50108 | | tcp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 44.227.219.172:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 239.237.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.5.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.100.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.65.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.219.227.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.144.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.158.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
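The connection rows above mix the sample's own traffic with sandbox background noise (Windows and MSN telemetry, Firefox service endpoints, reverse lookups of the addresses it contacted). The Python below is an added example, not part of the report: it parses rows in this table's layout and separates candidate beaconing (repeated TCP sessions to a public address on a non-standard port, with no hostname ever associated with that address) from name-resolved traffic. The sample rows are copied from the table; the port allow-list and the heuristic itself are the editor's assumptions, and the parser tolerates rows that carry the protocol in the third cell with an empty fourth cell, as some rows in this report do.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the connection table above, in the
# "| flag | ip:port | dns name | protocol |" layout. Two rows deliberately use
# the shifted layout ("| tcp | |") that also appears in the report.
SAMPLE_ROWS = """
| US | 209.25.141.181:28050 | tcp | |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 13.107.4.50:80 | tcp | |
| US | 13.107.4.50:80 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 95.101.143.155:443 | assets.msn.com | tcp |
| N/A | 127.0.0.1:50102 | tcp | |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<flag>[^|]*?)\s*\|\s*(?P<ip>[^|:]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<name>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)
PROTOCOLS = {"tcp", "udp"}
# Assumption: ports that sandbox background traffic normally uses.
COMMON_PORTS = {53, 80, 443}


def parse_rows(text):
    """Parse table rows into dicts; repair rows whose protocol slid into the name cell."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        name, proto = m["name"], m["proto"]
        if not proto and name.lower() in PROTOCOLS:  # shifted-column layout
            name, proto = "", name
        rows.append({"flag": m["flag"], "ip": m["ip"], "port": int(m["port"]),
                     "name": name, "proto": proto.lower()})
    return rows


def resolved_hosts(rows):
    """hostname -> set of IPs contacted by name (skips the resolver and PTR lookups)."""
    out = defaultdict(set)
    for r in rows:
        if r["name"] and r["port"] != 53 and not r["name"].endswith(".in-addr.arpa"):
            out[r["name"]].add(r["ip"])
    return dict(out)


def candidate_c2(rows):
    """(ip, port) -> hit count for connections that look like beaconing:
    public address, never reached by name, port outside COMMON_PORTS."""
    named = {r["ip"] for r in rows if r["name"]}
    hits = Counter()
    for r in rows:
        addr = ipaddress.ip_address(r["ip"])
        if addr.is_private or addr.is_loopback or addr.is_multicast:
            continue
        if r["name"] or r["ip"] in named or r["port"] in COMMON_PORTS:
            continue
        hits[(r["ip"], r["port"])] += 1
    return dict(hits)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for (ip, port), n in candidate_c2(parsed).items():
        print(f"candidate C2: {ip}:{port} ({n} sessions)")
    for host, ips in resolved_hosts(parsed).items():
        print(f"resolved: {host} -> {', '.join(sorted(ips))}")
```

Run against the full table, the heuristic isolates the repeated 209.25.141.181:28050 sessions from the Mozilla and MSN traffic; treat the result as a lead to confirm against the process tree and the RAT's configuration, not as a verdict on its own.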
Files
memory/652-133-0x0000000000A70000-0x0000000000A80000-memory.dmp
memory/4572-135-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4572-137-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3700-138-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fgZblRvZ.txt
| MD5 | 1ca6f544faeeb4b277d9658f501db01a |
| SHA1 | acd0de8a3e631fe60cbf6225eb1b3bba1af7c89e |
| SHA256 | 9d02e4e94fe75f14c583d1ac7c986f907d25c1bb0f6806f258e3262dc0642b28 |
| SHA512 | 7903d20a8d326b6b44d986c4e19e03d01cb5ff43e67b9627cd3e412f7cddd5635137fd08f5a2e8b532a293050ededf6c080a625aa0753fb8662d4e1ac1704e6f |
memory/4572-141-0x0000000001490000-0x00000000014A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6r1ovxm6.cmdline
| MD5 | 69bba8e4e58546b0dd00f26027fd7e3f |
| SHA1 | d3b5f8619275383d930632db56bde7b106a6939c |
| SHA256 | de4c9c5d53206c22427fb171bcce78012291577b3fb53e2031e13ff57014d1b4 |
| SHA512 | 504d4eeae284fa1b67ed12c9e512882eca1ddcb9c8f2b32e32320ac4fee3988c56de245779846d9ebb839b0ba944df0a51444a6995258aacdee245d0018050d2 |
C:\Users\Admin\AppData\Local\Temp\6r1ovxm6.0.vb
| MD5 | 11ba696d2de18ef571a881e83a386e0d |
| SHA1 | d5a8aab53b9ce9208feeb435c999710e6f25c748 |
| SHA256 | d419a15f2fe0a10547879916cc5fe085dd7e197a43f678ee21e9446c07d119d0 |
| SHA512 | 8b05581a68528f1a9bdccf80a8151ded5676b979075fb230d2eca785dbc3dd1b0a5477414108b2254494bd4159efd03d21106787e7810e6d3c9e6906d7d46a2a |
memory/1016-150-0x0000000000680000-0x0000000000690000-memory.dmp
C:\ProgramData\SystemNT\DumpStack.log.ico
| MD5 | 9430abf1376e53c0e5cf57b89725e992 |
| SHA1 | 87d11177ee1baa392c6cca84cf4930074ad535c5 |
| SHA256 | 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381 |
| SHA512 | dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78 |
C:\Users\Admin\AppData\Local\Temp\vbc6919D80234DB474AB5C79A97C14EFFE8.TMP
| MD5 | 78297fe78d3177878f8735f78038b83e |
| SHA1 | d851dd31c90ecb578cd3133e84a78636b67328ea |
| SHA256 | c813e24ca351531f1a258f91e628d752bd9571f4b23607436b2989c353ea6b80 |
| SHA512 | d25049f4b7ec9228d03e5fbe756afc2dbaefdced36341132c5a346dd224cc9a253109bfaee355c5f5a08fe085e4ef2f1f4cd7f730d3706b07ec425d41a1afe6c |
C:\Users\Admin\AppData\Local\Temp\RESEA16.tmp
| MD5 | 747d44cd89ce2451fd5a3fce0685e105 |
| SHA1 | 16328f16dce198d24b80be0f67c05eb52a5adb0e |
| SHA256 | 6658968272a08da6880f667e19b33bcfd8ddc015ac2d6b740f45efc52c008147 |
| SHA512 | 324ab5393504d96144bb44148fbbc29ec92fc9272b45cd5d22016c53faae46718410fbb95e640229c93b1875f60be8d23448252e83635e61bebbadb3e39bdde1 |
C:\Users\Admin\AppData\Local\Temp\3afool-y.cmdline
| MD5 | 083c740fa4d91f288e3c4b05d57a1a51 |
| SHA1 | 1e0599bf4ed005f2a0f5297db8c9d9c1df1b7b78 |
| SHA256 | e00aaeb13b5fae31dbcfd9a630f4e26eaa8d9a77f72e92133a8527d9a34fd6ff |
| SHA512 | 36b4bfd6ceae924194dd4fbbfa38754263e03ecee52b1dda9f9039a149135f45526687f87f818bbc13debb34a4d008464464894a52828c692d0039205a7e9673 |
C:\Users\Admin\AppData\Local\Temp\3afool-y.0.vb
| MD5 | 334a368ac8099dc7e5f5dee3db3e0b64 |
| SHA1 | ad0f9d9c34d6b7bbee7532b4dec34ad12cdfe237 |
| SHA256 | ae2d531d9f2bf164b4266daebfe68ab290007cdad1537162392fe9b5a35dab7a |
| SHA512 | 8048a6b1035e0b0e1f3a76247f88257860c78c1c3c58f1acaa311468c6b37d29e0b725aae9b056449eca3068bb6d5f91c10864bc3f44338af19350bf6921a0ed |
C:\ProgramData\SystemNT\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbcDB200BD0633C4EB08DA84FC4AC88ACF.TMP
| MD5 | a5a554c5b5dd73991db5d85a0a632295 |
| SHA1 | e2700125b8e939008153fe8ac86aaad92cbab87e |
| SHA256 | 61a28ab598cff4eb06878f07c12cf50025922aad00647445ff7414234ac74d78 |
| SHA512 | f4b9ef8f87b7be635490afd253be8ddb5f38a9613562687731c4d125909ee62d1ba591ade6c5ea057fa8a124d6a58c5f3605a2610223773ffc15f8761f00791d |
C:\Users\Admin\AppData\Local\Temp\RESEB7E.tmp
| MD5 | 6d922933d92b235b2f43c01151c0571c |
| SHA1 | c96ed485a944591b95f9ea1729b78413049c3757 |
| SHA256 | a0fe4f3d8e05f31dbbaccc5e4a72949fcb33d7ceedad68fd8f54c3af1a706a4c |
| SHA512 | 2f3bea369222d2d0ec95c2973658f2ed59ee3f80c46d8ca1ae771694884861f107d258a760d56ca22beb78b628047e08a0a6b21f81d2ce1e07d96ead6197cbf9 |
C:\Users\Admin\AppData\Local\Temp\pk36-wt_.cmdline
| MD5 | 496dd0cdd67be0dfbcc2880156dd78d3 |
| SHA1 | 6d750be2ff51fd4989dce2b5951fc06d90495e0d |
| SHA256 | 3900b472d5b0f96f2a6fa40ab331f4667cdc762a991894725998025194ee65e0 |
| SHA512 | 1b29c11b638cd13ae9ddb93ce1d13c9bd0c5ef5ca6bfb24c52bf4ebabec0e82ca8a69c5e6e85be92fd8a5c8857230cf10c48e3762521e5d703a47de406a4c362 |
C:\Users\Admin\AppData\Local\Temp\pk36-wt_.0.vb
| MD5 | ce03c49cad8d410b9dc835cb29e3df66 |
| SHA1 | 74e982f2f862e440f005692af19d37e13ed23ed8 |
| SHA256 | affae47eeff482f74837ce0259daa0e6aa5d54f6f5e2fe69cec0d21d0f1b8ac7 |
| SHA512 | a3c13f3b2e1929b462a85d98880511403368f05ddae5f2240e50b2650d8e87e5f43575c39348aa041200571d5d3788c7337bcaafd3aa56253c72be8c139a6f9e |
C:\ProgramData\SystemNT\vcredist2010_x64.log.ico
| MD5 | bb4ff6746434c51de221387a31a00910 |
| SHA1 | 43e764b72dc8de4f65d8cf15164fc7868aa76998 |
| SHA256 | 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506 |
| SHA512 | 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1 |
C:\Users\Admin\AppData\Local\Temp\vbc3A8104EFCBA44865A962DB8FE3F3FAB3.TMP
| MD5 | 88ca12c6fea4f1a52d73519f2e021a33 |
| SHA1 | 0881c066289f3c6a30102e0d6c99b00dea015fdd |
| SHA256 | 2c1b80b970b934d4e3e8f49f8757658fc69cd87b6b55060abc2293c62e762593 |
| SHA512 | 5a862cb26963e2d322e257591a7abe97146e9164cda6b9ffc9d52d9d0a4e386a573e782663610368d74ec90c5c0b9a2b61ac1adcc86589747d858dbe1947db6c |
C:\Users\Admin\AppData\Local\Temp\RESECC6.tmp
| MD5 | 30f3812b6623f24a2b7c60703b1574db |
| SHA1 | 56dfe18239c357489459c4724f185699dd283835 |
| SHA256 | 2f9b425b183790df471ebb367d226f54e4e990230710bea3330a77d0c44ba63a |
| SHA512 | 8171268ac9284491af7213f8b5f0d95252a694a50aa7de8defb568a0356a0b1aa5c0d4ea4b43212837253470741ab761c0b1fc55b40640d4e2b77bbe0a52b908 |
C:\Users\Admin\AppData\Local\Temp\d3cgn_6r.cmdline
| MD5 | 7c7c806ea89f2cd12c761ae3363ccab3 |
| SHA1 | ff0c86ddabb9a6a1d20aa38dcc6633a29b4b17f9 |
| SHA256 | 0e078556e5f8ea56e7130e3db19f43cbeb906e49a73eaa117631e6aed531ecec |
| SHA512 | 27d45d3601fd106ecd82e291758ee9e965dc295deeebce7c3505bfa018989208301bc37fae7e9e81a44d94e75c46d5a95be72c031019e7135e791e239c7feb93 |
C:\Users\Admin\AppData\Local\Temp\d3cgn_6r.0.vb
| MD5 | 313b65b69b3b2d5ce734629d00a11dab |
| SHA1 | 2ec198a69d4d819d6bc0d6008f222897f460b5f6 |
| SHA256 | 31524c71683b1c8552c405466548f2adf4532482550d3b826132ef11be2bf7d9 |
| SHA512 | 08eea12cdfef0a8e1b6694433c429732e3ed31ffb4d4f62621061bde271e77d3cb8c560b654b72a2afe45854b56ca09e425f368d2ac59e6a5bd939129ad43e6d |
C:\ProgramData\SystemNT\vcredist2010_x86.log-MSI_vc_red.msi.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/4376-200-0x00000000023A0000-0x00000000023B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbc16F046E895A9440D89FDBBC462187465.TMP
| MD5 | 735cac310b46e81dd76559efbf57c36c |
| SHA1 | cd154ed7e55069e229f74764d4edf3e902098f72 |
| SHA256 | ac0635335cc4ec2be338a6f5d93cf3cf1b467da20890c55dd37dcfe3aa436507 |
| SHA512 | 2c50e4fce1e9b6e89b301d662707376268a6de08e51068be36eed144e1544f37a6dd6d0a1af8b63e28687ae56d1b48fca7139eb6118a90f22800d5aa3e2a3f38 |
C:\Users\Admin\AppData\Local\Temp\RESEDA1.tmp
| MD5 | cb01984a0705342585fd75269d4856e7 |
| SHA1 | 05e016c65abcb92e6e0b3cf1995842e76efaa26c |
| SHA256 | 94c4e00013eb9e7732a3813964becce231a75040fa9e2638c9f5912bfb48fd3a |
| SHA512 | 9ce182a806c10af6b51be356652f484172122228eddaba901f3cd67fc23e0f56aedad1381d4b3bcdd9fbfcef76c32c4e9ee13ad6218755ae3eaf68d86b5c3022 |
C:\Users\Admin\AppData\Local\Temp\vddddwio.cmdline
| MD5 | 1eb45fcb7d99d3731330400ce732cc31 |
| SHA1 | f729b538467c473af9e9cf38efe4863b19d664e5 |
| SHA256 | e70790df23ffa46ea1badc473d61e220d8797dcfe7d28e62215e7157da23d724 |
| SHA512 | 5dda24e988512adaee0e89e70e7f6c9ffcb819a2ee2ec9d41d82bf7fe983e166041741d22547630870bd2ad91d78322c01e65bb8353b46a26d86506490049226 |
C:\Users\Admin\AppData\Local\Temp\vddddwio.0.vb
| MD5 | a4866a83e9455c509fc43ca26f4c3685 |
| SHA1 | 2a1cf8a4d4d625669f57c15f58c0b1eb38d6a6c7 |
| SHA256 | d06ba272ccc9a2d33c3db7fcf69577c0eb001f89de7b1a35c56c34f50ee7c04e |
| SHA512 | f241b6ba5a2cae67f0f9cde0931b4af008a858fc2384f671cd2e413b993d230907a9259a9745b83975d443ecc4387eb67c5cce487f1ae9005c84adcba0844142 |
C:\ProgramData\SystemNT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbcC2CE63EBA5D5465FAE634DF8E6A22E.TMP
| MD5 | e4b883dd4d785498e0f90f23fbe6849d |
| SHA1 | e063f631396fe5388e12924672baf46fa62a74b3 |
| SHA256 | 38d83ead2c7ad6a7df0e9ff4331268c7d4ba291b1808f65ba78c9a778683d26c |
| SHA512 | 45cb3fa35d3790aa289688300e88327a2aaa3b7734ccce00af994e0a5df0d710cd03c2ccba6c2b7eb5b358b65c32d94bccba9870fea03e81497b9b277c12217a |
C:\Users\Admin\AppData\Local\Temp\RESEFC4.tmp
| MD5 | c547304961e36a90872de95f08d3aa12 |
| SHA1 | 2025995bc9be6cd49123acd6fe1e3ff4cd89cebd |
| SHA256 | fa83632e6d66749ae64865378a079b204d861c87a53924d0743a9d643f82c71d |
| SHA512 | c5875bb68eb650a0cae2dc3ad8a667a37eda1244b7c2a1fe54e7a5cecfc72336d317af558a3a7d91c87a3fd2a226f1c84770e2c98790d8c0f5845ab962b96c96 |
C:\Users\Admin\AppData\Local\Temp\kkthxosl.cmdline
| MD5 | a756bb936c8b2c0894e7881be067ec39 |
| SHA1 | 415f316cfb47f21befcc750b73e37fd2ea35dd37 |
| SHA256 | 331e545cf47525db649e98b14bf7e64b4b3c166702211f82765666cca504040d |
| SHA512 | d29f7099d234dade7dc365718725106d5ae7101c8283133289598ff5a9097881df8d425357af4073e7a26fee7ed61910a0c85ddb2d99bd0c0afb738e58e26003 |
C:\Users\Admin\AppData\Local\Temp\kkthxosl.0.vb
| MD5 | b78a05f477604354c54265dc1b62133d |
| SHA1 | c20cf1d39988baa72a99521352bb9c11582c5632 |
| SHA256 | f9b7510f9e8ac56b3d8cc3960a4dfbab750b32480252451149e0349563dc86d7 |
| SHA512 | 56d3e7501ae911ef98a75ae945ec1c9a98a9445ba8bf84b94f3bbd1a4b74e391465a4b7f88ee3170011e6a27923ca3a1671e82e6590556e19cc73a865cc89ecb |
C:\ProgramData\SystemNT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbc340AD24867954A089BE32ED28028DFF9.TMP
| MD5 | 49c05f046baf13798f18cd5261b36d6b |
| SHA1 | 5990cb03d3c1bec820578d1b93d05a5e57e5e348 |
| SHA256 | ab33bf21c5fa41f176c51d2f7416eed15c995b9203209658a9234cb09dbc36f7 |
| SHA512 | d791d69f4be0e24d1668374e91e6e377794617a4a12493aeab6913f19e7342e9802c805fdcb76aacb046c1e986b868ee8c9bab190b3061464cff82c90817926a |
C:\Users\Admin\AppData\Local\Temp\RESF0CD.tmp
| MD5 | 8bbdff6051a67fb77d8c590d6f8364a2 |
| SHA1 | 8f1001f8e4bb35c7aafc12336481ecd860159629 |
| SHA256 | bd9830a4685d9c58445e39f887a5ea58d0437ef01eb09b09865f82ffe3887d66 |
| SHA512 | 1ca2f8146cb4641f0c0b5825bca0d2e4fbc5dcc28ea2fe1907d0219d0fb5f06a100fecc26c66aca029eb262d48af15bf481a9f813d3bfb2b0cff4e3e602e39a8 |
C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\hs-avqcc.cmdline
| MD5 | 767d93e30b300bd43690d04c198b38a5 |
| SHA1 | 4b868e3abdf44f538a2c942420a5945995d6ed4d |
| SHA256 | 10cdfab96a21662001a4f151e8a632230ba33d8598c222b757be92a546cb1b99 |
| SHA512 | 16a35d67482346e50b9bef5efc6f9ab7ad78a1a98c68a2e0f66d8e29f505c37062c2e291b9ecde2640bb3edbae0f3de6c4dd4b1ab47df2dcd28d287ffb11e087 |
C:\Users\Admin\AppData\Local\Temp\hs-avqcc.0.vb
| MD5 | eea98df6de061dec50605aae66847edd |
| SHA1 | 7dad2c743a43266d1c8bb2e1b86b1ef1e12e351f |
| SHA256 | 36d938f64e451da3eb2fce840b2b67308d4c5b15627a254f8237d39aaa235e64 |
| SHA512 | a0a4c1373eb672110c96f65f55dd9179f426528a0c7070c72b6e5a5d8cb626502bf6763758a8218b75b7f15ad2c32b11ecbe11a5c91777e18d6471fd0d7f0c08 |
memory/2444-249-0x0000000000B10000-0x0000000000B20000-memory.dmp
C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbcAA247CF4F1A441B991CE5EBCA8EFE6BE.TMP
| MD5 | 6159ce48ff5c2ff961b49e995f2f44db |
| SHA1 | 115b5f216ad32e59975514e28227341d6e3ac2c8 |
| SHA256 | c8ef43399262a7c2de3b923f046fd2d9a3ee3b263c4c4c4675cbdb35a0d336e5 |
| SHA512 | 83c5213ad18abcd4cabb38425f6f3c9fd046e1e2b962a854289f02af4b9ef5711975698e3fb99cb400fe37154e6c5d09b8523e8ffcc7ab7d7d60cc2a3b04a037 |
C:\Users\Admin\AppData\Local\Temp\RESF1B8.tmp
| MD5 | b4866916a9cefc44d7b56d04b4bebe01 |
| SHA1 | 966253518a60601c2b4d3fca31ccb5703ed8e77c |
| SHA256 | 37e3a8a714eedefe9c15a0bc625d7896763f676c7ae03c61bfa55a6e282ec298 |
| SHA512 | 0de4f6fc3dd9d0e8de3dfa3f603436369230d7ef374ac9ab170d67150ab03d4974f6e9336fd16ca08ddfce313b8180efc5d696f7045596f77a7791606850fd1d |
C:\Users\Admin\AppData\Local\Temp\fhcqndyj.cmdline
| MD5 | 830082b0e0fbe2814475ea4f1be46eb3 |
| SHA1 | 8306c6ed6e1ebd62a26ba06924b172501390ea1f |
| SHA256 | c5287d5a8a2ddd60e675ef98ce393664e8c7c052fcb75239b5c296d73553b111 |
| SHA512 | 16c7803c6f1e3a5e5d82b439f943b7408f3495eebb4d8047b35ac9b1f491c6f63980d695e5eaf9298e5cbb6490ac367d65c0335ecaff4c92aa79738054ee4753 |
C:\Users\Admin\AppData\Local\Temp\fhcqndyj.0.vb
| MD5 | d6875fca5e32b7fa0dad9bd8a02367ed |
| SHA1 | 104d8f29ae5fc5d3bf4717d3335059f5dcb910a6 |
| SHA256 | 660dcf00ed2d31994f3e58324e1c249e4e07c682d0987db773bd04424b93d6ca |
| SHA512 | d536a3cfe4ac75e4c5539ccef6a76a785c5f408d794a8ffb0b4715c514a9c845fa43e6d53f282aeadeab8b83723cc1768d36f554666c473591479cc3df0cbab7 |
C:\ProgramData\SystemNT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbcECC2160640154D14B0A366347FDA5E1F.TMP
| MD5 | 38e8ce404baab1314da2abf560791b2c |
| SHA1 | 2c62bb091bb50d78e5a0334e8eaf8b0d94d90954 |
| SHA256 | aeda2aff222278ae58a6ce1c9b4966b8c3dac9cfa26b28221ac3f6957a327336 |
| SHA512 | bc86075302fdf232cc28a9fb77db15aa3f649b2aa2fdba39ca362addf9d057c213dc8c0850e21e3ca01bcc7153bac92cf4046f54ee909d79da9e1ca912b86780 |
C:\Users\Admin\AppData\Local\Temp\RESF2B2.tmp
| MD5 | 2a1021c8851c235faec4003bd73d06fd |
| SHA1 | c92d8a622b7867aa75fa903c136e1238e32249d8 |
| SHA256 | d2002ebf1bfd6d827984ea3d0f82b1512cf7b36a6a21876985cf6a7a0d8f8842 |
| SHA512 | 3ecff0e2eea5a8956712b05adeab57510a0c09e07365ab51532ff2440552517a9aefd8691bed882acbdf2fdf20f7c2c512d0825bda4883a1f8ad988bd17fe29a |
C:\Users\Admin\AppData\Local\Temp\flq-qg-n.cmdline
| MD5 | 7774e198e7a3713a1236653c62be96f9 |
| SHA1 | 8d98632b37d79777dc8718915b46f58328d18bca |
| SHA256 | 58937c35d180b05a5deb3aad4776ebc828ce10e0482d89548839ae82f9367f77 |
| SHA512 | 38ef663226b9dbc9074cfe93c00495145b1eed746cd2827ef7ce3cca314dcf84471114d999ca1e96d67fa6fd4fb37452cd3af9e4ac7cf3ec0b38090550741ab9 |
C:\Users\Admin\AppData\Local\Temp\flq-qg-n.0.vb
| MD5 | b9df787116b3a62078989ff5991f31ad |
| SHA1 | b79c1818d90bfeee20188f16f71d35eaa0247b1c |
| SHA256 | dd30426ab1bc5733aee05fd7e08d446259e21084c1e30e9ef8b0fd7e09593469 |
| SHA512 | a495c89812a18de07dbd54c63cbf06ddb4aaac5a218418cbd8f3efd155813384e2340c3dce704a8ea7afdcbed0ca9cf1019598cdf91efadc8da5d8c79f1bc7eb |
C:\ProgramData\SystemNT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbcBA946759F54F464E83F7F5ACA87F8C.TMP
| MD5 | 6b53d240f35dc86058a1dc5c6b7f23f3 |
| SHA1 | 59e7d2d31605bc3be522149e4c4a2051666d6af5 |
| SHA256 | c5031dc2d2ae844c6aa01b5b8e759c52fcd5611757aff6617d2d900576cc3943 |
| SHA512 | 24f123d6d4f37dcc2f19505124b1e97b4d2bd484bb89ccdfa84e383ad4bdbbd86cb312f7c30f79017e698d761646a36a292db4a5b42f3b276ba9388e1266a1d6 |
C:\Users\Admin\AppData\Local\Temp\RESF39C.tmp
| MD5 | 2385771932355db46be22f66aa061256 |
| SHA1 | 31d4c0cc8c3736ac8867d0543151ebad5fe5b5ef |
| SHA256 | b60224829e4632426edad6bf6f65bdac810261cd7129134d019c5f6ba853fd0c |
| SHA512 | cac799fe80f3362429b2802b0324a4a1dd5195bbf7f64f0da66902ad1f33b395f2e5c9909932bd23e2a6606c8560cda9108ecce7bbbafa0ffe940301fc6c9823 |
C:\Users\Admin\AppData\Local\Temp\cpr2r_ql.cmdline
| MD5 | 206f229d1ce69439bea18e3603ac8330 |
| SHA1 | 790b51cee8ec9f61e862d8b75fba056f221bd429 |
| SHA256 | fe4d5f25d88d479290cc4c6274292bcab5ae184f428567829e24b767ae10be2d |
| SHA512 | 0a6eb3ae413cc165d44954c88c26fa6706027c8837669091de58c7f284f397948956eef668e7a2d3d6fad03f7a01a474659c62ab343097227b7baccbffd1e89c |
C:\ProgramData\SystemNT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\cpr2r_ql.0.vb
| MD5 | 67d00c1b8cac0d620187a42ab7e46c55 |
| SHA1 | 52b95e2bd627fc79ea3b3edf9c79594727313845 |
| SHA256 | 7b18d0c4fef8625430589b30242eb50946e1adcbc226aaab7091a26a00df8009 |
| SHA512 | 8c9e78077a9b9da511ffe5881dc2f9c9c01bc086f332ac506cf3f283fcdf74c3750a49d31f0fb25c213cc5411e2dfc9789768ecc3a5335fd220e6d51fea0896c |
C:\Users\Admin\AppData\Local\Temp\vbc2EC0BCAF2466441DB7331735A46386.TMP
| MD5 | a58a5709041b8e53a718d434addb4734 |
| SHA1 | 290419e587511fdba7f7e9a17e7fca191cbc690c |
| SHA256 | cc2fe003bdd72233f92f00bed3d5bf67b5a215cf9ba10c8ac1fe3b2c923f6576 |
| SHA512 | 108bcfe0ee57545b709ea4fb594b95d4954d8bffab4c35d8bdf6ce9e698044e043ef566a51dc5d17bd5dd4fc4a58af4810b17ac463ca151c2bf3408f9eb64f42 |
C:\Users\Admin\AppData\Local\Temp\RESF457.tmp
| MD5 | 7f51fabd2731ef75b9ace13b89d48448 |
| SHA1 | 158d4365fba047d2448e4b069a0376ab0788a4e5 |
| SHA256 | d1f4185b447060fdea88b13b06140fcde004b486b10d57c585553ff2bcb6a5ce |
| SHA512 | dad760caac9c5fb94b2d9ef9b5dff0a9ca0207125d6f28cd7de9496a211a5ac2b3fb68d89ce3d0d8dad1cd7e8f399ba47cef112ddd11e5e4e15a78b70fc46956 |
C:\Users\Admin\AppData\Local\Temp\lrktbxjc.cmdline
| MD5 | 5e8bb1b3238b0075ccf7f7eef1f9617d |
| SHA1 | e039ff864b2060e13bfd36899fd0a9d8ace7521b |
| SHA256 | ecb82623564d46b4f5f19bfe2c0196ba074d2039535896a7b525489521913df4 |
| SHA512 | da523cfeef7e6cee37c7210730f480d178a55da87dfa9eaddb02202430418c0362ad67629c9471bb76f64f0addce3d3885bf8d6b2ecd01fc14df50fa92283a42 |
C:\Users\Admin\AppData\Local\Temp\lrktbxjc.0.vb
| MD5 | 63389d61965aeabd8cd43fca69e0eae5 |
| SHA1 | 4eb00419039cd61c7e881896a53d0264d821df5d |
| SHA256 | 50ea4dc10a0d7d477cb184a4e87996f69e4038ec7101d22450ed9e877d9815ce |
| SHA512 | e8b0b34401f54424064a236c76319b3868973b474c9e91290be1a85030d625512e26f65f8c364f69b65136644c0cc885a6ed3cda1529da245f0d77020f6e08bd |
C:\ProgramData\SystemNT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbc634EE2DBB2D04593906122DBCB764F3.TMP
| MD5 | 9208e5f33bf4c38eb9c33fa5bec4923c |
| SHA1 | b92b4111fcde436f2a0b9ed67a6b8c5dececcfa4 |
| SHA256 | a20f727dae11e50f11ebf5a99c01e3b36ad74afa2f6bffd16a2ca5c29523a471 |
| SHA512 | ed53d3afd2305be3df199ffa3560a777cd74e1f0b257f78a3812613dc773eb3f2191254191dfe59edf687cfe7dc5ed3d0942fb9c6f40d47df2252082a10a8d34 |
C:\Users\Admin\AppData\Local\Temp\RESF523.tmp
| MD5 | aa0541fcff59d1e3f3f1be4bf12dbe92 |
| SHA1 | 6ae95a8ba96119c333b5d7b48df6d1fa4f855a21 |
| SHA256 | e44986ebdd5e970bf7e8a8d688b94d5f1ba58b99b11014c35a2b8f22b0be545e |
| SHA512 | 7d54a085a5e0b654f1fc36d6773337ee2c7103bba2ed7816780746172617a2ee922c3e0eaff53afc20793fcc5514d4fdb3c237eae7b9c853bdd4c28a88d90f71 |
C:\Users\Admin\AppData\Local\Temp\tzxradr-.cmdline
| MD5 | c9774066bd500a5000aa2bdfef98abbb |
| SHA1 | aae712e98383b19e7078118b14ef03f0cc78acb3 |
| SHA256 | d851eb1bbc835313cb795cf997747ad9e7164eaa84e067519b44431bc017d8d7 |
| SHA512 | c9ddd661e9b0932a49763ab7f8626d1bb73226849a617f412d9a7e1e798b89a2353e3600036fc86c6963929104c9d1ab94442d308f66d0f01653c865d8b33037 |
C:\Users\Admin\AppData\Local\Temp\tzxradr-.0.vb
| MD5 | 1101df69fed8db2c37a716f49a122e1d |
| SHA1 | 11e76092a4ddb583c627e72b841a72b9233de410 |
| SHA256 | cf2b5eb4201861d8ac0e2fbbb7929d7645ed14d5d4a782fd98990f4368407559 |
| SHA512 | 5729d804f7c3fc7e3196060816cffccb93647bc5f0691a70928bb51634b49afc0c1baa2535ae6357a69684ad3f69384adf0d0d1dfba3994cc5f8943b6787dcae |
C:\ProgramData\SystemNT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbc66370B11490F47B180418D67B65F1C53.TMP
| MD5 | 9f0a1660026172ed3de0c8ce27d29c4d |
| SHA1 | e8b73b82aca9d898fefab5aa9dcddd71d488a05a |
| SHA256 | 8ac529b54eaa493e4295029c9f0e13a2d8077f356bcaadac3a9220e7e8a9514b |
| SHA512 | 852bc394c7b2438b7782c59c50d4b50bfddc0aeaa4f4617b652ba66928011ddf3d743ffa88eb283d6b319b51ab44be21f969d3faaa24970a7eede265a7365ce3 |
C:\Users\Admin\AppData\Local\Temp\RESF60D.tmp
| MD5 | 341257a997a2d243d440109bd183866a |
| SHA1 | 3e0713580569705013746a8735b61f3b3288ea76 |
| SHA256 | 3b7fd8e7d66bf6e7dfe1a52a8040b8abb5e7921a77416f66a892f3f854879335 |
| SHA512 | 033c9705e00cd0874c725d04c67b5c976011ebc29f8756ebc67945095c9b9760eec9468bc7a66d8ab76ee017a1f35261fd8051c95c134b62fcd28d7657930ee7 |
C:\Users\Admin\AppData\Local\Temp\apge6__x.cmdline
| MD5 | 7aff5a78004c7456d29f365993c3c9c1 |
| SHA1 | 086d47743542d0f4e7a0219a33f592980e806707 |
| SHA256 | 1590f52a0f411b7cb9aecfd95f62647f300abb02eff2c85b919b2172a7229d80 |
| SHA512 | b8ffa35ba4ffd3c337f0471087c73d0709c517b81db4dfaca6451b3c47ea84e5ff9c9c53b2d682603aa39f19412f23d7b6824b35703af0c7f97d86d46345b6b2 |
C:\Users\Admin\AppData\Local\Temp\apge6__x.0.vb
| MD5 | cd386bb30efcec58d701b555c523a0f8 |
| SHA1 | 2252e54de0db8439e71cb4359e6d1cfc13a81a79 |
| SHA256 | 9fa36b4d8842fdc663fd7c4fe9c0ed5f4906bbcb516d67d8f98515dfad14464d |
| SHA512 | 8d7034a7261e7ac5738401eec059103b40567757a068cbd0229ad9e9ebfb5e9a360ef180e19f20986d855e8f5b3ac2e7327b12947a5c00fe9ab0faebb64efd47 |
C:\ProgramData\SystemNT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/2116-372-0x00000000022C0000-0x00000000022D0000-memory.dmp
memory/4572-419-0x0000000001490000-0x00000000014A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
| MD5 | 08b7405b0067a9c129131d5321149fd6 |
| SHA1 | bf6eea2a57b4f9141cdf0b915bc688582586a082 |
| SHA256 | 6e0a79de47349533cdc95befec0b037d401fb4e0e7ac306ee9a519bc16ca7282 |
| SHA512 | 72aea47914e21519a7ce5f212922681cf96f1437856eab180c6dcbfc382fc2a2a5149cf98b37caddc8bef238589b9b436434e2c8eacfa074ac8a3e32f833d715 |
memory/4480-444-0x0000000000510000-0x0000000000520000-memory.dmp
memory/1608-449-0x0000000001150000-0x0000000001160000-memory.dmp
memory/1608-451-0x0000000001150000-0x0000000001160000-memory.dmp
memory/1608-453-0x0000000001150000-0x0000000001160000-memory.dmp
memory/1608-454-0x0000000001150000-0x0000000001160000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js
| MD5 | 2ca68eec3c1fdbaa1ae996ee759fc3c8 |
| SHA1 | 54363409a7393613ff528d0488d1cc16796ef2d8 |
| SHA256 | 4fe10ac0c622a99629804d64c89b59339a12a63ffb0b56132bfe39ec9b25aa1a |
| SHA512 | e2fdc625ee7d3e54c1cca72810eccccc3f493253319dad56693d77904692830302564897d7d9c33b876f645bfcd1a5498be9be81bb18932e3333d00ca3408c12 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | f29fd9741cc46f2406c3019c0c33c8ca |
| SHA1 | caf7914f6afcbf4376be7cc99640b1493f6af61a |
| SHA256 | e64685c93439f13e32a9b468f70a075b1ff83bb640159ae8e52a7a772e1fc3a3 |
| SHA512 | 4764749ccd633e1548375132370e7c72bbc8badd84a97110f2fc0d159f2ebc454fada8b8ec10f9d056f1abf5f418e055a041b2fef63ed62cac54894a0ca57621 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
| MD5 | 759d25e6a8e93d595cb3a4fd83f73df7 |
| SHA1 | 903df39dc8e194f8a3d6c385423abdd764347a48 |
| SHA256 | e70c970805db45542716df40a53b930b5f623260cf2022ccd8d2252925e94c1e |
| SHA512 | 77f2c950000ca33b7283e77742dbcc515a8d583266d3860c35f0f25538da09809d0594c1785c985fd6100a04e141b5cc86edf83b39059b9c4b6db11b2339a713 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
| MD5 | 67c7cc62058df5de63e03aaeffff7da1 |
| SHA1 | 692d4868f29c50c64664f69c9b57fa62a8a0eba3 |
| SHA256 | b39e9201bc1540ac29a2a2aafceb70bcc29ff02e95b2cff6da1ed28227804c77 |
| SHA512 | 598f873c1b5cdb529e57b9d505c0690144a6d1f028ed51471a6867ef28a8b86e722c318a14395a625bdccdb341bb9075f3d28b0bf93c4597767b63a3d54eaaab |
memory/4512-648-0x0000000000A20000-0x0000000000A30000-memory.dmp
memory/2232-663-0x0000000000FF0000-0x0000000001000000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 1e5a38ccdbd2e25999a9325c6caba7da |
| SHA1 | 80a29effa1327ecea748bdfcf58e127fcae37ff8 |
| SHA256 | 1ce5917159efd157e55f9a93f44d832288e70cc3e010e987c46f355a76bd0277 |
| SHA512 | 9fa5d668059bc08211f458239bbd0c9a0924f9d6f76859b7cf6bdc3809fe93bba3db5078692f689402e3c0db319d545f7c90d6b9a5dea481a489a5317835d839 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
| MD5 | 1f7ddad212462d892fdefdbd79ef3f1c |
| SHA1 | bd01044531cec799f9bcadf59e97f35ebce62d47 |
| SHA256 | ed4566539bc37590c4201191a5a43812f55b6d7a0be0387ed1ec77af9a5bf5bf |
| SHA512 | daeeda746e0f3eeae7534bd6f767a09fb61635c9bf27d67e364c26b9888c214d0b7132cc9d184c7436f70558c3d7cf18e21d8193b959df3a8b4852931e7ee34d |
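Three patterns in the file list above are worth pulling out automatically: the repeated vbc.exe compile jobs in %TEMP% (a random 8-character basename with a .cmdline response file and a .0.vb source, plus RES*.tmp and vbc*.TMP outputs), the same payload written under many different .ico names in C:\ProgramData\SystemNT, and an executable dropped into a user-writable directory. The Python below is an added example, not part of the report: it parses entries in this section's layout (a path line followed by hash rows), groups them by hash, and reports each pattern. The sample entries are copied from the list above, trimmed to their SHA256 rows; the path heuristics are the editor's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the Files list above (SHA256 rows
# only); the memory/ line shows that dump entries carry no hashes and are skipped.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\6r1ovxm6.cmdline
| MD5 | 69bba8e4e58546b0dd00f26027fd7e3f |
| SHA256 | de4c9c5d53206c22427fb171bcce78012291577b3fb53e2031e13ff57014d1b4 |
C:\Users\Admin\AppData\Local\Temp\6r1ovxm6.0.vb
| SHA256 | d419a15f2fe0a10547879916cc5fe085dd7e197a43f678ee21e9446c07d119d0 |
C:\ProgramData\SystemNT\vcredist2010_x64.log-MSI_vc_red.msi.ico
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
C:\ProgramData\SystemNT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
| SHA256 | 6e0a79de47349533cdc95befec0b037d401fb4e0e7ac306ee9a519bc16ca7282 |
memory/4572-419-0x0000000001490000-0x00000000014A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RESEA16.tmp
| SHA256 | 6658968272a08da6880f667e19b33bcfd8ddc015ac2d6b740f45efc52c008147 |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Assumption: vbc.exe names its job files <8 random chars>.cmdline / .0.vb
TEMP_COMPILE_RE = re.compile(r"\\Temp\\(?P<job>[A-Za-z0-9_\-]{8})\.(?P<kind>cmdline|0\.vb)$", re.I)
COMPILER_OUTPUT_RE = re.compile(r"\\Temp\\(RES[0-9A-F]{4}\.tmp|vbc[0-9A-F]+\.TMP)$", re.I)
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")


def parse_files(text):
    """Return [{'path': ..., 'hashes': {'sha256': ..., ...}}]; memory dumps are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            entries.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1).lower()] = m.group(2).lower()
        else:
            current = None  # a memory/ line or blank line ends the entry
    return entries


def identical_payloads(entries, algo="sha256"):
    """hash -> paths, for hashes written under more than one path."""
    by_hash = defaultdict(list)
    for e in entries:
        h = e["hashes"].get(algo)
        if h:
            by_hash[h].append(e["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def vb_compiler_jobs(entries):
    """Compile jobs for which both the .cmdline response file and the .0.vb source were dropped."""
    seen = defaultdict(set)
    for e in entries:
        m = TEMP_COMPILE_RE.search(e["path"])
        if m:
            seen[m["job"]].add(m["kind"].lower())
    return sorted(job for job, kinds in seen.items() if {"cmdline", "0.vb"} <= kinds)


def compiler_outputs(entries):
    """RES*.tmp resource files and vbc*.TMP build outputs left behind by the compiler."""
    return [e["path"] for e in entries if COMPILER_OUTPUT_RE.search(e["path"])]


def dropped_executables(entries):
    """PE files written somewhere an unprivileged user can write."""
    return [e["path"] for e in entries
            if e["path"].lower().endswith((".exe", ".dll", ".scr"))
            and any(d in e["path"].lower() for d in USER_WRITABLE)]


if __name__ == "__main__":
    parsed = parse_files(SAMPLE_FILES)
    print("vbc jobs:", vb_compiler_jobs(parsed))
    print("compiler outputs:", compiler_outputs(parsed))
    for h, paths in identical_payloads(parsed).items():
        print(f"{h[:12]}... written {len(paths)} times: {paths}")
    print("dropped executables:", dropped_executables(parsed))
```

Fed the whole list, `vb_compiler_jobs` returns the thirteen random basenames from 6r1ovxm6 to apge6__x, and `identical_payloads` collapses the SystemNT .ico drops to the single fde1b01c/741fe085 payload, which is the pair of facts an analyst wants before hunting for the same hash and the same %TEMP% compile pattern on other hosts.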