Malware Analysis Report

2025-01-18 04:43

Sample ID 230731-rwqb3ahf4s
Target Client.exe
SHA256 78581129ce6d8cd874b44cf3410606e34dd046f58c8cd27adb76d320ac41b048
Tags stealer mybot revengerat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

78581129ce6d8cd874b44cf3410606e34dd046f58c8cd27adb76d320ac41b048

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

stealer mybot revengerat trojan

RevengeRat Executable

RevengeRAT

Revengerat family

RevengeRat Executable

Executes dropped EXE

Drops startup file

Uses the VBS compiler for execution

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-31 14:32

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-31 14:32

Reported

2023-07-31 14:35

Platform

win7-20230712-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A (11 identical rows)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Uses the VBS compiler for execution

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (59 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\exefile.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\exefile.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe (12 identical rows)
PID 2436 wrote to memory of 3004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe (12 identical rows)
PID 2436 wrote to memory of 2212 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 identical rows)
PID 2212 wrote to memory of 2800 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 identical rows)
PID 2436 wrote to memory of 1100 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 identical rows)
PID 1100 wrote to memory of 2984 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 identical rows)
PID 2436 wrote to memory of 1568 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 identical rows)
PID 1568 wrote to memory of 2044 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 identical rows)
PID 2436 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 identical rows)
PID 1036 wrote to memory of 1768 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 identical rows)
PID 2436 wrote to memory of 2188 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 identical rows)
PID 2188 wrote to memory of 1976 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\degvt3qo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2195.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2194.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gnd4jk0l.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES231B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc230B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\85cbliqs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24CF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wt0lxz7n.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2637.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2636.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uc8tdnlz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2731.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2730.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v3ijwgbk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES283A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2839.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jvpusssv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28F4.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mmlcapgf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29EE.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mm6ic0iq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A7A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sdbji4be.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B36.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B35.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jj16fuj9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BD1.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qiuc7jej.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CAC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mhtfkf7z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D86.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdhhqyz3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E8F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ds2soio.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F3B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oltrvy8c.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3035.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3034.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f_71kzyj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES317D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc317C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c-cek73v.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3277.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3266.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d1hhvpc8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3332.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3331.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z8354tog.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES340C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc340B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\chpgrpjp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34C6.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rsl_ctpw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3592.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3591.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u0qc83ar.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES367C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc367B.tmp"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\exefile.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\exefile.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "GoogleTaskMachineMQ" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\exefile.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B72F63D0-860C-411E-8E51-0B8D0DF5F370} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\exefile.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\exefile.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

Network

Country   Destination              Domain   Proto
US        209.25.141.181:54077              tcp
US        209.25.141.181:54077              tcp
US        209.25.141.181:54077              tcp
US        209.25.141.181:54077              tcp
US        209.25.141.181:54077              tcp
US        209.25.141.181:54077              tcp

Files

memory/2516-54-0x0000000000390000-0x00000000003B2000-memory.dmp

memory/2516-55-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

memory/2516-56-0x00000000020B0000-0x0000000002130000-memory.dmp

memory/2436-58-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/2436-60-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/2436-62-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/2436-64-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/2436-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2516-69-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

memory/2436-68-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/2436-70-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/2436-74-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/2436-77-0x0000000000090000-0x00000000000B2000-memory.dmp

memory/2436-78-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/2436-79-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/2436-80-0x0000000002100000-0x0000000002140000-memory.dmp

memory/3004-81-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3004-83-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3004-87-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3004-85-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EZblRvZwfR.txt

MD5 bfbee1ccbe6981fafb1c7bff99680882
SHA1 3866c915b8a7e0592f8728c89faf6bb4d5ecf002
SHA256 74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235
SHA512 6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e

memory/3004-91-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3004-94-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3004-96-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3004-97-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/3004-98-0x0000000000730000-0x0000000000770000-memory.dmp

memory/3004-99-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/2436-100-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/2436-101-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/2436-102-0x0000000002100000-0x0000000002140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\degvt3qo.cmdline

MD5 0356ff12fa7eaa06b863f773432d177c
SHA1 15ec71a2013faa017422e71bd335989e5a1b4131
SHA256 dd53afc6c4af02e11f7fce12438fde153a0e664920837c92b88b918e579ce9dc
SHA512 98dbdbba2817a834b6329e251f3894c3694c5e234d5f0538c9d3ed496c482007194361459d95ea20ef317c0dc31e571ac1e20f5f244675f2806cf76e00350f07

memory/2212-110-0x0000000002020000-0x0000000002060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\degvt3qo.0.vb

MD5 f117bb857fd7e4108cdeb3ce08b873c6
SHA1 51b8fe3a6c9d9249f9d2e7de4881d90214df8209
SHA256 f6318dbcab07f476412ffd75ff81fdeccb580aef58beffd334f96b2049001f43
SHA512 44596a18209aa443c0ad2c7f066dad2a882280d664626605a521ba93baa9ba1156ea87c299e36099789c150791eb4656cf6b35bb9921a9b4c65f07c309c3b02c

C:\ProgramData\PerfLogs\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc2194.tmp

MD5 ca74fe60b2fcec71bbcf15c9e4b6ca31
SHA1 60905f6934f84d15f2f43e95e4dba86e9b0fb645
SHA256 8228e04e69eab354702b3db926a2e2bfe7717f50d63679ab9dce948128022b85
SHA512 3f935e1016f262fd4b5368319a6c031a901b4ddf72e923978632798420b8f6afaa5ee07dd5d8d196e900fff2cd62d63f36577f72c0b701a3db8e1c06b84cf83f

C:\Users\Admin\AppData\Local\Temp\RES2195.tmp

MD5 11971fa5a99a17ca4fb088ce933b822d
SHA1 977480ea1a43d090530f715e3f8154d71bbaa7d5
SHA256 048c4f732806bf81b4c81983174d210b73b4afdc7d5127d8a9efe5f954296ee2
SHA512 fec74fc91ce9070c3c9759f6dcf68319300719a67e53b72469369bef93c0c3ff41586fa8bdf9640566e68464589e21be7cbe0e05678d5f0a19194dc0f29533ae

C:\Users\Admin\AppData\Local\Temp\gnd4jk0l.cmdline

MD5 01bd57d16b2ed37a1e9251823a7a2773
SHA1 d08b501aec002e5f8fd996a3923ff0b21418e711
SHA256 32baeb4b60b6a7c5a9267061294d682d3a9342737eb4ee2adf4ad4fdad7b3a4a
SHA512 ea36d1b52b996f6f9a3b4745744497e1b3ebaa6e95e7472702f64dc96e9b3df58d8f026bff25beaeea23d6e5b59dae995f71d5135fbd1db54d00885a870295f1

C:\Users\Admin\AppData\Local\Temp\gnd4jk0l.0.vb

MD5 9123ee1840d0f8f48df3c44cd7768a95
SHA1 d06bd9acf486d06fcf2e8665fafa91a8c967f114
SHA256 2e45e7bf723ebede9876f1e4ab6f9ede1f12a606ed1e21cc5a4eee898940fad8
SHA512 5948899f9dc202dd31a097af7e872ecc3c34dc986c0690e781070f4279058b7fd985f9d1696a0d5855bd7bcb0aea904ff5a299f57a6f7b7dbcdbf1aaac9bb099

memory/1100-126-0x0000000002280000-0x00000000022C0000-memory.dmp

C:\ProgramData\PerfLogs\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\vbc230B.tmp

MD5 00f156d49b0d3791de21194c4488cea7
SHA1 0ba4a6003fcc79fa4e676f5b1308b76394726549
SHA256 896645bd6fae8149ee292f825e6052777069355040e8faa08aa64df2087b0230
SHA512 43bfa568282d4e6fa1f62bf50ae1fd381777f15836c52dffc854d4f893b66b1582c3d7d94f94623f03046cca6979f3168edbb235af9bfb04b33f42ce28cba5ba

C:\Users\Admin\AppData\Local\Temp\RES231B.tmp

MD5 0155cb2b7c5f1db3afda3b41075b1fb8
SHA1 ec44e7ed6531cf2d2e8c78ee67efeffb282a1d0f
SHA256 20283f46ae4d511284685ddf68aff660e8377947250dcbc72f421c20490ba91f
SHA512 de4efea912206074ee10839efb45e6582ddab4226f6647da876375125b6640ccb4345a4e85e76ede732ba7abb552ebec5cd950f16d38568ee67a51b261be5d97

C:\Users\Admin\AppData\Local\Temp\85cbliqs.cmdline

MD5 5f2f0bdb9804771eb901b27fdb63b86e
SHA1 5d35f79ef9b7d13fb207510db734293739910ef4
SHA256 c120404453fbcafef29e944cf4dedd1ee980b2bf74ed1edf1e0527cd46832b00
SHA512 2774cb7b56c2cbf670adf1ff6317e088999994a5e1416d67e7269542533f125974ff76ca6a7f8c6a7697f59f2f1901739ca590742f48e2e8d0cdf59f271260d4

memory/1568-142-0x0000000002030000-0x0000000002070000-memory.dmp

C:\ProgramData\PerfLogs\vcredist2010_x86.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\85cbliqs.0.vb

MD5 d1ee4fdb16f024ee149365e3465d5c90
SHA1 2e9322181cff67543703d6a25ecf376206c57757
SHA256 62337fbb94fff92b69d4649bff974da4f1df14c904f65cf4b33ce1c4d115d392
SHA512 b387682cb34abc343ab4ab8b59454ec8467ed345ec7edd04083c9357e6af625c9f3ee5cfcbe47b2eb7bf2d0c2a247972737dfb8d799186c3e29ddab89107d217

C:\Users\Admin\AppData\Local\Temp\vbc24CF.tmp

MD5 122ccc12df1871b9de30335f678d33ae
SHA1 05ec7fe33f7ec4320a56519fe81674dd6ab58ea2
SHA256 f71deb5d6e7b4203d1b9c4f75a1b2fa43a05c60acc31e61fe847563e1a644474
SHA512 a2c0e5d1d38b5b509b72541498eec67c80feb5b49c579eb93a7808abfaf9934d3e04b8093f78641936df33bee9e396f6b5d90454aaa4893ca737edd9e794f6a3

C:\Users\Admin\AppData\Local\Temp\RES24D0.tmp

MD5 e62f444e580693e8d77a3ac5e580a0c2
SHA1 fe5dfa444968d8d780943a572055ea0164e9b316
SHA256 7d1e452b6e68baef9a1ac8d6fd30f0be567c7a1d5f350ce9695336c89826c33e
SHA512 49ef2bf62fb7210584a8f3bcc3c0af7125f66f0f4ae7fcb452ec52132fc96d1e874c39703c2d3712112156de9bc7bbe80940c77d6192884b1039ac2f9a497781

C:\Users\Admin\AppData\Local\Temp\wt0lxz7n.cmdline

MD5 085616ca92f7bd07bedbfd854de47035
SHA1 9e8bae4fd2022c0cae4923e9e0016d4aceb45ae7
SHA256 0b62e4ae7b53e18c615d412edae40951e569045d125d345e545a03d97fdeff7b
SHA512 81a6e6a801ecdb985e102960396c02a2ff6d623dcdc39f555757855d319b9ded8d4763943d305c5fcb4e9843733d92b4a102e104174d287705b6f9dac84be788

C:\Users\Admin\AppData\Local\Temp\wt0lxz7n.0.vb

MD5 6441d936c7636f02bf310e302a54c27a
SHA1 7f38eb1d3a3ca114f7cd8d272a8ef3af2d4c72cf
SHA256 78617a744329a7f43839a07794bec4afbd92ed70369dbd7bcfd6fdb42acfe345
SHA512 c6980329c80272fa65cb8ac655829f1b1860e7933b4cfd6cc2da5e6b7bcaa196c82d524ae9fcbca23723621e5b24a578b01bd21cb6b896432b8ffd3ac89f3ba8

memory/1036-158-0x0000000000570000-0x00000000005B0000-memory.dmp

C:\ProgramData\PerfLogs\vcredist2010_x86.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\vbc2636.tmp

MD5 94111738ce9ea188cf3b28b1eea881f2
SHA1 0ab5486aaca0f2b704dce4511d215b2cca89f124
SHA256 7471357fdae4d75b1d91ffe0b52ed74d1117bb0b19e8f6f31f9ba7ef4ce75c47
SHA512 f6c7ae955b915251082f1f47451fea916e9cb24858015f3c59efc63afdc720b8a5dc42ea47351dd304ba849efb8119b7390e5986ed8f2619b0500a2fb77800e1

C:\Users\Admin\AppData\Local\Temp\RES2637.tmp

MD5 99f01a425525e43990d61733146556a5
SHA1 e84fdcfe14416f2c522ec49f3443770482154489
SHA256 f4620fad084b1b8ea85188ebe622c0df8555e32c2524a9510fd2d0dd9d36693a
SHA512 ca549bfb7f79a6fea082932c1e73676a7e9a84c53ec678127c91ec96a988c72911b28ba34e6b6899e4090596c248447bad57a136a57935920ce80695b762b586

C:\Users\Admin\AppData\Local\Temp\uc8tdnlz.cmdline

MD5 0a4ba7ea1bff1ebdd38a49b46c53cc0d
SHA1 ec88d9a0f22110b0d9fd75937a5dee9db737df48
SHA256 648e2ee573de6028b9b40fd7cb3231e0a51fd07174406514113ea21859952dd4
SHA512 b7eaee6c1528f1951dd309995deaac28c62d32b51b543ceb2bae7d5be489749ce521b7edb642f00bf94c70a8baffb978f7b93df4cb843a37e12d3cf599c0a686

C:\ProgramData\PerfLogs\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\uc8tdnlz.0.vb

MD5 f325694647d41b3821a6e04979514b27
SHA1 e4d6081de5a409d55a116221d19be83be30fc167
SHA256 5787dbc4626c2d0a26593c333c81c1a975336f02960775655d65b98bdb7628ba
SHA512 dd6faca6263374531fe8406b9b1decadc15d44a399bc23f034532d179e92ed7d1f734ee460f3cab25524a5c1c29c8339cded410f69d8e8b563bd6901d541a16c

C:\Users\Admin\AppData\Local\Temp\RES2731.tmp

MD5 7182ed743ac868a194c9289199b9ca87
SHA1 a1d1b3e2826387f605125257974e8451acc5c5c7
SHA256 eb6cee1a0dedbb9a31224104ed29792bc465d2fc9e17a09e326afbb6667a603d
SHA512 a16975f3c3b77ba434865c9d8e759b0b063b37d48366c1704000fb27b892e87094ae277173b443ef483997ae74f8aa99ed5134a25db43ca3fb87754ad46134fb

C:\Users\Admin\AppData\Local\Temp\vbc2730.tmp

MD5 22121dd8a611b6ca5a8802a258eb4967
SHA1 fa8e063d2530c5d30269321b063838b3117ebbd4
SHA256 cb27113f06a860d3427201ebceab12547c1568bed552177cc6502f43f4319402
SHA512 dbad8520466693867c4177571a6d6c4fa667fcb7034517dd51c8b0b6e7ea73de0610eb5bbb133088dd5f61d44ed201f456b39d0225697921632aacb8257d97e8

memory/2188-179-0x0000000000360000-0x00000000003A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v3ijwgbk.cmdline

MD5 f5683d760010442a161c9de2f7d528e9
SHA1 63a07713392b9fafc5d61b277268cab78c1a0f30
SHA256 b163cb652d3997d70f329f74519db9a440ee0cc6cb8db475e851cbbb273c09f4
SHA512 6b67971ea2b70e7dcffc8b4911e87d4de7fe282f405dbe358722e82eef3a4d5e4208be3467961f98966742d8aa045e1c48fd59c05f54e474ed8bbbdb9f1a7215

C:\Users\Admin\AppData\Local\Temp\v3ijwgbk.0.vb

MD5 ee062df186c6ac92a0cefb6c2096cf1e
SHA1 ddccb2831bd71f774fad69bcb1195194220f05d3
SHA256 e181b89b1bea62c6436951412e300c1aae433a04eb7d07124b62d340202a0ed0
SHA512 5104b861fae349cbc955412f466302d05569271a344fbec4ed8628e6ab3cc9e1b040895f06e13c794d1bdb44f752e824a8b7bbc099ab2fdfec9e7a2165046703

memory/2380-190-0x0000000002320000-0x0000000002360000-memory.dmp

C:\ProgramData\PerfLogs\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc2839.tmp

MD5 8d47ee6b1386942074a61e6eb2bb991c
SHA1 53ccf0385b2483752e4fa0d3476dc3568366bdef
SHA256 63b54f52e3bf5cac602783067d9bec22f34c1e829fe22a9243533b3291b45a56
SHA512 44a7ecf7247e2484b508577b7332b8e47289b9a4c51ecdb95bcbed47ef006238886b9bdd6e84020889838aecdea269e8788ed4be502b7f560d3b461fbe29bd33

C:\Users\Admin\AppData\Local\Temp\RES283A.tmp

MD5 75f3c715c6243f7d03aae5bcb20d96e0
SHA1 0c1b2fce0ee9a96289d063a8370259534159a884
SHA256 bf0508d097aa56ef1da8934c943ff28712adb69a7cab0857bb8271f64644aefd
SHA512 155f07a1f3cf8664cba7fe75452d70e3d5c8673b429f5ed02997eb649d2fe290ba385baed632034dbcc52d2a229165f8e2d1d2712413fee48117bcef5bd9ad00

C:\ProgramData\PerfLogs\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\jvpusssv.cmdline

MD5 59d325f066cfa08d969e74f10162f54e
SHA1 cba8209220f5a224d716a7192e700182e61c1eed
SHA256 4e6c462107401001c3e6c296ed404c2291b206c5e09fe15e7f7f5ba4e278823b
SHA512 48031287d9fcdffed68f805b0cc8aab1cb8498fe3305fdebf46df0305df7e673c9c68b8d38cf2d914638a81c335ede48ffbee357ca8ebfe84f60aa1e0a4ce235

C:\ProgramData\PerfLogs\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\jvpusssv.0.vb

MD5 dc07ad4c77aaa567136d321e2898e040
SHA1 9b724763ebc0a057e7716c817c7189da5ea16dcc
SHA256 33b2e08dace3925b8bd5d8e801e8e90f7b724543fbe4e9c4f0785fcdf92fd67d
SHA512 8d8b3e28abb360705ae761bb025e155a78668eed4d7d04eadf4b97268cf5a61491aed172a228f70281cefa3f7da99a69083f2bb46cef41da2d268ea9f45a90bf

C:\Users\Admin\AppData\Local\Temp\RES28F5.tmp

MD5 e0ce328b1dc275003dde710833c81ed3
SHA1 d16779e629bc0bc5c1451e6f6ba9dbae8c5473fa
SHA256 e58935ccf6e957ef95cf36c7c571f6901443da57ffa97566ef197db7d6c098ad
SHA512 7583644a31f75bfba8905a0b36c4cac2602dd98a5599402f220557cc230b905d2b1bb55825e5c0d9afc36c032538322d3240eef4c85c01642a1fd4afee88477d

C:\Users\Admin\AppData\Local\Temp\vbc28F4.tmp

MD5 bcf00d7dfbaca3fba9766e12048b9c0c
SHA1 9509e37eb84f1fa451d6c2a5ab77c3c9426d2064
SHA256 52f0260e416a1f360a3aef94099966c2fc5d95445fbe937ba9af8f4ba39d328e
SHA512 82842b81d572f61730697ea3797737895ce5ad186c0627c1201f55ae39bf6820bb9d167189faa94b31870f907a7c8d728a5dd4f82d7b582fe9c766f082904d6f

memory/828-206-0x0000000000720000-0x0000000000760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mmlcapgf.cmdline

MD5 1e6287e8bffd68e6dd87718ac3dee0a9
SHA1 b54d685e749b3e899f868ee49bad595201acd9db
SHA256 df258abd73cfcd6da20ea1de059a93551a3c6e0d586eda16d42ee0d010fddb20
SHA512 751a6c7553a04c0774350e0fad70cfe345df9fe44a42b93f06144f89606636d7b7e35b2bb18f4ebd540c2df547ada7582f4c9d5b04ea89264e2b320db6f64082

C:\Users\Admin\AppData\Local\Temp\mmlcapgf.0.vb

MD5 c7a05e70b05fcf74b220c8e83ecdbde2
SHA1 cfc3bbb0f437fb31971d3bf2fd98d44d32f132db
SHA256 c0616508f6ff618c58599072636dc225c36a3530041240b28fc6aea924d37ee5
SHA512 a338cb643cd0ef0977192896499a48591290f715f00bc7f27973c7eb8b5d9ce35b34734dbf0f92cd02a8fdf4b2619b9129810d4c7c31fb17733bc34da9080a19

memory/692-222-0x0000000002130000-0x0000000002170000-memory.dmp

C:\ProgramData\PerfLogs\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc29EE.tmp

MD5 25d0163e607c21c6019382665b47510c
SHA1 399391b5924b09ad18a86dabc86e7c29a93fe9b5
SHA256 21b4fbe75b38e0163882dc4987b80d69babe5d42dbb9c54d6d31e68ea116c22e
SHA512 25e6b68d1a59c608ddc1124878bed905f3d67be60775322ba951e10fa2fa2edca07b2b903607370f7659cf970cb2381c07b58a1cdad301a6aed1cdde4daef176

C:\Users\Admin\AppData\Local\Temp\RES29EF.tmp

MD5 210d178031d7d9a531712a1008239e1f
SHA1 6760c595e04cfd17599bd3fdfd47616a39ba0157
SHA256 ae4aad07e64c38d5543131547a20d9d22668e58bd2c73423539a0a037502723f
SHA512 b86b28a751a5ff8d372bf188f7b382535bb03e795bae10ed64edaeeff1aa7350e6ba912f8621962651f45dafceb035bda3b34de69c90454c33ef5d14ae25cc1c

C:\Users\Admin\AppData\Local\Temp\mm6ic0iq.cmdline

MD5 8d1631d02d618a7e02b58a0ca2471fe5
SHA1 48267ab0bce982857b10da587da1aca86053df56
SHA256 4339afc6bdab1ca3625d8404b0d21cd479f58b147cf8c1550233c28ce6c7a29f
SHA512 85cd0d359a49a8d4042daee9a76ddcfa0d1fbd7e97b6adedd1b8a52a459a6896b8be3856765320206657fdf4408a16b1670dfe75c42f70e91e9392c2b9111040

C:\ProgramData\PerfLogs\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\mm6ic0iq.0.vb

MD5 2b20b5c04b5e327eb2f87930e0615d80
SHA1 8559a358a8d26d9dfff430248ecdc05ae17f9d27
SHA256 afdffc7e0b3b356f72c17b6dc30fee8a299a54166402bfb41ab9ed55cf938214
SHA512 aa47030d090925de8531404ce7dad6fee4888b2eb961cc1ded32fa3b270b64265646ef8840ed9ff7b987633d5f0a19f7aeb8b05a78770c7a84dbb525fcb14dbb

C:\Users\Admin\AppData\Local\Temp\vbc2A7A.tmp

MD5 da37b8c24faf7995d67d8b0ffddfea7f
SHA1 303075abfc46c1d0c17d4fce7d858ee733344558
SHA256 d0c3a4441f790bdb10b448249b9d359a3fa9e2f16bb6bfa912701c1f138d3ae2
SHA512 bad3273068c7f90954155f9bc80e9b16d114edfc880ff7de70b76de75a388eca8fb53dad9b5337d600a92835b4213c2f7485cc98e7178c227aa845ec484ba693

C:\Users\Admin\AppData\Local\Temp\RES2A7B.tmp

MD5 b7ee16ce3cb8a34f2036422a16c00ff7
SHA1 644966dce32bf092f833453fd0d55779d72dfb63
SHA256 f743aa8065e2b7421766dd2e345fc160b298540490ca0ccf988357310c6c260b
SHA512 3975543733c3ad625b773742a8f1fc645bf9e7b696d7f90a27ca4756deb810d58739ce9dd54bdd8320a80be816b1b85504c23329e61990903fba6a109afb74af

C:\Users\Admin\AppData\Local\Temp\sdbji4be.cmdline

MD5 b883a928c58e3ccd09b19b195a8261bd
SHA1 7579249b8aa7a99af60036e0dc72b271d6f812ac
SHA256 ce7c90f1b22d89d87abc91accf334b70a6c6c963c9cebdac2d20e8b0a6f44fb8
SHA512 c3682c1f2c2f2d1e85e38584aecb144980551932f039e10abdb5ec3a96dd605dfe2b4eae9cddb9e1f77bf6c8d439cd6a9bc3fdea73da6e9468eeadb94d9eba99

memory/2232-253-0x00000000020D0000-0x0000000002110000-memory.dmp

C:\ProgramData\PerfLogs\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\sdbji4be.0.vb

MD5 dad2d2ccb0543abd2d10ca4ee1776a19
SHA1 09c52f41ba48fbf5e802ec3697b63c7bb44043e2
SHA256 cf54f5bb6d202567aeca1ddf69d0bb66204ddeab5e1ab08eca27e352a7768599
SHA512 bfaa7ca7c8b6b027e27654818b2d74fdf30aecd8c2484af5cac6f7ffc772a4351a84ecd76e3e6b72e2ab6ee0bc90b9360846baf0dee2fd61765abf8a940b3ed7

C:\Users\Admin\AppData\Local\Temp\vbc2B35.tmp

MD5 571fb50fd7d5d04ac29937bb9aac7106
SHA1 24a552a209dbec2c881822e6ce8976a51785fa2f
SHA256 84f40ed6c4379731b148c45eeb7ed4cd750cc98acf905b2c7e3430a643d941ac
SHA512 c329ebb96d473db2be63422b45a2bb1616d7e796b2af8ce2ce753e44145be1188d06a1c07666d8d61601638a7a4514e3dcf41efe4b1c3c8fac7d1eedc2eb7188

C:\Users\Admin\AppData\Local\Temp\RES2B36.tmp

MD5 ebd8c5a5a8d6c59a01dc534b2ee4427b
SHA1 60aa8982f6b0844f755f6276d281072f7d6ffdc5
SHA256 497a851730173be355afb90cb6006e5233718ea45ca164eb95587d07c5e3a601
SHA512 0da07a8bb8304a9458fb1a5269d4feca8622fa68acda4f6ce0720b77b163c736b8e7056299a8071e2d625bd9db9efc65b1eb7c5c2568d8c19c1ec6de7a85b0f6

C:\Users\Admin\AppData\Local\Temp\jj16fuj9.cmdline

MD5 7cf7b51ad025069576dd8c9a74c6de71
SHA1 cb28a536e0a94b9b7cd4985e58b4a3d0aea0c725
SHA256 01fbd6134f41d17dff98025b3b396cfdf25dc9ca94d1ec0c6098481436fdb4a8
SHA512 312edbb1f5ca74febc5de16b077d26f6a14ec5ec7ecf57be7290c106a08edff6e5af4ee3a6bbb0fd37fce4c8b4db0f18cb78348dc564be482d5b3305f615e87c

C:\Users\Admin\AppData\Local\Temp\RES2BD2.tmp

MD5 ada9ba1a0e993bbfa57af13ae251350f
SHA1 28a1381c405c458c752b89523377d42aae6d656a
SHA256 fb8bb0b0d9f95573cf292d1803676d7214ab8b72618334c801d15a1b71eebcd0
SHA512 cb408f784e00593f1fea435b0cb84f6f448af2896e5cb60b8e83d8a3ea05be3fdaa50dcd3381e2c5f2859261395e5c97c86787ce34d1e07588676d4ff662e6e7

C:\ProgramData\PerfLogs\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\jj16fuj9.0.vb

MD5 46d02098a08f58ef23b71da285a4d49d
SHA1 0329217cb50646d57f3d1cb7efb1144373373a1c
SHA256 10d1078a2c7421ccb96da75b77967b233d9b7c25a37b5a0a04bed2535ebccf9c
SHA512 6308a59bbf25bb35d3ee13496f219740e0ccb2a5fa45e7cac92d6069388cae95f2d148e1062cf01797cc0ed0640f99dd086727a516390348f7f15a70771272b1

C:\Users\Admin\AppData\Local\Temp\vbc2BD1.tmp

MD5 2b3ea2a883e94b72dbfe5b41aeca1276
SHA1 afb8a5d7e58b37f7e7b073d6850d0913bbd8ef70
SHA256 8a70640f0a2f30b1455a3d8c8c08c654e31dfaf62a04987cb290e0b38f857d45
SHA512 09cb217617b412b66463098c94f24f1398f418740dc00cca6fb47a70973a178e42026dd835cdc13b159ca3b2ee85be2a0cc585074eaf723fef0601001001f84b

memory/1832-269-0x0000000000620000-0x0000000000660000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qiuc7jej.cmdline

MD5 96341fc3ed39214c85fdf164a0cbb660
SHA1 9b65ec7e06bcd2ab7637bb187b0bca62be306933
SHA256 34c7df8f1e59db0ff20208e69dfb515fbd14b72bb59797649b3dd46b19964dbf
SHA512 1b16313064ba9ffd4bdf9adf093a2031077126db81301ebb65ec55f6583a77d59f6254945c02db875840de23e87b765c9debef1046c2362504fc9f07d7638eb3

C:\ProgramData\PerfLogs\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\qiuc7jej.0.vb

MD5 f6b2dd315bbaeef27a299c112dd5bb6b
SHA1 e32b6f807c197926dc07404fb144a28a1a8fa9af
SHA256 a45fb6d9552a9df97463bb809ea0f987137953bddb1e748e4f2f98168e4249e9
SHA512 d769ecfc682fcb17891e48992693d97c743e532cf2bc1571bf8f1d75e62cb8be25514252d866631d8dc264cacc0c351c2e5e4e6d8011fb5cfb9cf1e8d560e625

memory/2548-285-0x0000000000280000-0x00000000002C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc2CAC.tmp

MD5 7dc1638e6f8886332916792f90eaa758
SHA1 4d6b99bf250b621a98c544fa7b6f783bcdbed536
SHA256 5202e9a293ae12b4f87fec59ab758fc11322eaf3ad24913730ab8e71d35ca2c8
SHA512 f4a17e4545d55688ec1c5e18dfb326f9532efd28756f184f644828476c8eafbcee86e4d25212207a3d06b79a81b45d9082d14f4c79de342f9e239778a1ad426c

C:\Users\Admin\AppData\Local\Temp\RES2CAD.tmp

MD5 8dd6e15720414fd01dc6e7e85396f767
SHA1 a7a5a6ee1c6d07d349fd03982d2603d5829bb83b
SHA256 587c15f56c9fc87fd2a33cd967e54037c3b424dbec4edc654066f31cee81c375
SHA512 0ce0c34c9b4135e5ad5085083283b14a79c5fe4e53424173d6071d4430179d11062a537c13e599074ad74ce80af321210afdde34e506024c62980f8309388fa4

C:\Users\Admin\AppData\Local\Temp\mhtfkf7z.cmdline

MD5 39f15f13aa69fe571eb82e0888c38fa0
SHA1 29a0418a2231667943f90556f156d48709320b70
SHA256 c5f6ee26616515b930e614d96bceb69601ec3d99da086a6e6143f3250d460abd
SHA512 ca8c5ebf204240a85b6d2ee2f51626308835865f97d70777ca88229e191576e5152ceaeaa90b6edc57ff2ccc43d390fded98eeb8cb81e78c5b704e7f7663488e

memory/2088-301-0x0000000002370000-0x00000000023B0000-memory.dmp

C:\ProgramData\PerfLogs\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\mhtfkf7z.0.vb

MD5 d696b2b86be5f5f534f1c11058def702
SHA1 6ce140eddfc9ff23f551badb94bde34bfd257a14
SHA256 31e2dc1efe7bcc041e0473d3e64b7f10a97e4b9377a5559ba704fc63a335c323
SHA512 9ba876000df06ee61488ec0c723c7d0c72ae9ec670df7f808504c384301608b20f9fcb5395da28ed94ddd38caeeca33e77003b6cff62e64d9dae3dcaa11c8fd4

memory/2956-314-0x0000000002260000-0x00000000022A0000-memory.dmp

memory/2728-325-0x0000000002250000-0x0000000002290000-memory.dmp

memory/1944-336-0x0000000001E10000-0x0000000001E50000-memory.dmp

memory/2308-347-0x0000000002140000-0x0000000002180000-memory.dmp

memory/2944-357-0x00000000002A0000-0x00000000002E0000-memory.dmp

memory/3036-367-0x0000000002010000-0x0000000002050000-memory.dmp

memory/864-377-0x0000000000330000-0x0000000000370000-memory.dmp

memory/476-387-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1444-397-0x00000000005B0000-0x00000000005F0000-memory.dmp

memory/2128-409-0x0000000002280000-0x00000000022C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\exefile.exe

MD5 7b5b2a9dcb13d67e75aa734192b4aedb
SHA1 0f17e3af368066c2fcc439b6b9a9a5196acd5773
SHA256 78581129ce6d8cd874b44cf3410606e34dd046f58c8cd27adb76d320ac41b048
SHA512 c02d46465cc63f4573c5f76737e93ece6b1971d3825492711457f9e82bbf4bd2549dba55472095b24f153ed461993942340a6b1cc23889f16b79d3a35ea8256d

memory/2256-421-0x0000000001200000-0x0000000001222000-memory.dmp

memory/2436-423-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/2256-422-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

memory/2256-424-0x0000000000B30000-0x0000000000BB0000-memory.dmp

memory/2256-425-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

memory/1824-435-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2256-439-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

memory/1824-438-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1824-441-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1824-442-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/1824-443-0x00000000023C0000-0x0000000002400000-memory.dmp

memory/1824-444-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/968-453-0x0000000000090000-0x000000000009A000-memory.dmp

memory/968-457-0x0000000000090000-0x000000000009A000-memory.dmp

memory/968-460-0x0000000000090000-0x000000000009A000-memory.dmp

memory/968-462-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/968-461-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/1824-463-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/1824-464-0x00000000023C0000-0x0000000002400000-memory.dmp

memory/2388-465-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2388-466-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/968-467-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2388-468-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1824-469-0x00000000023C0000-0x0000000002400000-memory.dmp

memory/2616-471-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

memory/2616-472-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

memory/2616-473-0x0000000000AE0000-0x0000000000B60000-memory.dmp

memory/2088-488-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2616-487-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

memory/2088-489-0x0000000000D70000-0x0000000000DB0000-memory.dmp

memory/2928-505-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2088-506-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/1824-507-0x00000000023C0000-0x0000000002400000-memory.dmp

memory/1824-508-0x00000000023C0000-0x0000000002400000-memory.dmp