Malware Analysis Report

2024-10-23 19:49

Sample ID 240312-mfz44sge87
Target 90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67
SHA256 90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67
Tags
chaos revengerat evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67

Threat Level: Known bad

The file 90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67 was found to be: Known bad.

Malicious Activity Summary

chaos revengerat evasion persistence ransomware spyware stealer trojan

Revengerat family

RevengeRat Executable

RevengeRAT

Chaos Ransomware

Chaos

Detects command variations typically used by ransomware

Deletes shadow copies

RevengeRat Executable

Renames multiple (181) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes backup catalog

Executes dropped EXE

Uses the VBS compiler for execution

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Interacts with shadow copies

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 10:25

Signatures

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family

revengerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 10:25

Reported

2024-03-12 10:27

Platform

win10v2004-20231215-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RevengeRAT

trojan revengerat

Deletes shadow copies

ransomware

Detects command variations typically used by ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (181) files with added filename extension

ransomware

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPEN_ME.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.js.js | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Script.vbs.vbs | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.ink.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.ink.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.js.js | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Script.vbs.vbs | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32NT = "C:\\Windows\\SysWOW64\\Win32NT.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | F:\FinalCancer\$RECYCLE.BIN\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Win32NT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
File created | C:\Windows\SysWOW64\Win32NT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4995c9l03.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Win32NT.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\47936297.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8262284.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Win32NT.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4004 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4004 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4004 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4004 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4004 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4004 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4004 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4004 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4004 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4860 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4860 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4860 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4860 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4860 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4860 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4860 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4860 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4860 wrote to memory of 928 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 928 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 928 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 928 wrote to memory of 4540 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 928 wrote to memory of 4540 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 928 wrote to memory of 4540 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4860 wrote to memory of 2676 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 2676 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 2676 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2676 wrote to memory of 2868 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2676 wrote to memory of 2868 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2676 wrote to memory of 2868 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4860 wrote to memory of 3296 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 3296 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 3296 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3296 wrote to memory of 1740 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3296 wrote to memory of 1740 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3296 wrote to memory of 1740 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4860 wrote to memory of 2812 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 2812 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 2812 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2812 wrote to memory of 2616 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2812 wrote to memory of 2616 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2812 wrote to memory of 2616 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4860 wrote to memory of 4052 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 4052 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 4052 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4052 wrote to memory of 3440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4052 wrote to memory of 3440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4052 wrote to memory of 3440 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4860 wrote to memory of 4616 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 4616 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 4616 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4616 wrote to memory of 3720 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4616 wrote to memory of 3720 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4616 wrote to memory of 3720 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4860 wrote to memory of 3284 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 3284 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 3284 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3284 wrote to memory of 728 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3284 wrote to memory of 728 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3284 wrote to memory of 728 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4860 wrote to memory of 4348 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 4348 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4860 wrote to memory of 4348 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4348 wrote to memory of 4408 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4348 wrote to memory of 4408 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe

"C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lggdby1s\lggdby1s.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB853.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CAD108A41B44CCEA1F6198775C32C.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hq5kqbuh\hq5kqbuh.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1425AF5D7C244B7B7879283E512657.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4tb0qu4t\4tb0qu4t.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB97C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54F0A262E924021AAC21A74BC785688.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ausivba1\ausivba1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6EA413E61EDE4981B31F69A8C9710B9.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ujoxiyoi\ujoxiyoi.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25F8D46273A84CA09560FBF9A3E39ADE.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e0tsfwmq\e0tsfwmq.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9004429168E54F8E9C217FDA99966174.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxjjjyq5\yxjjjyq5.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18DD6EF6B1834C44A8E2FCA6F9CA201C.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3cpjer4z\3cpjer4z.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70B599A5141E44FB855FEB114B356B34.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xh4lqrvs\xh4lqrvs.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC89.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc927F33D813D24EEA8C285150976B4194.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\12khqy2i\12khqy2i.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5187018BA9E48BFB8EB2BEF5A8073B4.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zzmvxfcc\zzmvxfcc.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE21628FB5534A549C396D9B3CAF28B.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjlouxzq\xjlouxzq.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDF1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD3EFCA8EB7C461B862C8FB4B6585FA9.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xtsnxkbw\xtsnxkbw.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A75B5EC994C4FE2B04E2ABDA9854.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qojbi4rv\qojbi4rv.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6D45409D0A24572AB851E4E89D6A212.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qfkverg1\qfkverg1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29839A3DC9874A65A4F006E18601F53.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iskyktmb\iskyktmb.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc618D73C230F1478A9153F4988228E4D0.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4enxqqju\4enxqqju.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC071.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4B297B28D29449FAC71DC85D5C85572.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afbv0zvb\afbv0zvb.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC10E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FEB85FCD91640568F5CECB59D3C8C97.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ker2v0hs\ker2v0hs.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC17B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2842BB347E84BD3BD23E5E1FEF5FA35.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sg0gfdmf\sg0gfdmf.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3B4274B12464835BAFB1A744CA148.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xholkj2d\xholkj2d.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC246.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7F3A854E85F44CD98F046E93492CC3A.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3uai515q\3uai515q.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc771A5F69A4DC4A929E5D8292F4926C4.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ueqpzmbr\ueqpzmbr.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC340.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc519A5AAC6FEE47E6A0EDEBDF61279590.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z22t20ly\z22t20ly.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9955015B163B415AA1BE1FD4F771F4B.TMP"

C:\Windows\SysWOW64\Win32NT.exe

"C:\Windows\system32\Win32NT.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qe2pzxfo\qe2pzxfo.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES722D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D4AB459923643FBB767119FFDDC44FB.TMP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "explorer" /tr "C:\Windows\SysWOW64\Win32NT.exe"

C:\Users\Admin\AppData\Local\Temp\47936297.exe

"C:\Users\Admin\AppData\Local\Temp\47936297.exe"

C:\Users\Admin\AppData\Local\Temp\8262284.exe

"C:\Users\Admin\AppData\Local\Temp\8262284.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\OPEN_ME.txt

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2v5t4j5u\2v5t4j5u.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc260495160C049A8A070FBB782171712.TMP"

C:\Windows\SysWOW64\Win32NT.exe

C:\Windows\SysWOW64\Win32NT.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country  Destination        Domain                        Proto
US       8.8.8.8:53         180.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53         232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53         4.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53         noose.servehttp.com           udp
TN       41.230.67.22:666   noose.servehttp.com           tcp
US       8.8.8.8:53         28.118.140.52.in-addr.arpa    udp
US       8.8.8.8:53         133.211.185.52.in-addr.arpa   udp
TN       41.230.67.22:666   noose.servehttp.com           tcp
US       8.8.8.8:53         183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53         206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53         217.135.221.88.in-addr.arpa   udp
TN       41.230.67.22:666   noose.servehttp.com           tcp
US       8.8.8.8:53         175.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53         noose.servehttp.com           udp
TN       41.230.67.22:666   noose.servehttp.com           tcp
US       8.8.8.8:53         30.243.111.52.in-addr.arpa    udp
TN       41.230.67.22:666   noose.servehttp.com           tcp
US       8.8.8.8:53         194.178.17.96.in-addr.arpa    udp
TN       41.230.67.22:666   noose.servehttp.com           tcp
US       8.8.8.8:53         noose.servehttp.com           udp
TN       41.230.67.22:666   noose.servehttp.com           tcp
US       8.8.8.8:53         130.109.69.13.in-addr.arpa    udp

Files

memory/4004-0-0x00000000745B0000-0x0000000074B61000-memory.dmp

memory/4004-2-0x00000000009F0000-0x0000000000A00000-memory.dmp

memory/4004-1-0x00000000745B0000-0x0000000074B61000-memory.dmp

memory/4860-4-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/4004-6-0x00000000745B0000-0x0000000074B61000-memory.dmp

memory/4860-7-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/4860-8-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/4860-9-0x0000000005900000-0x000000000599C000-memory.dmp

memory/4860-10-0x0000000005F50000-0x00000000064F4000-memory.dmp

memory/4860-11-0x0000000005B20000-0x0000000005B86000-memory.dmp

memory/2808-12-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NRHXJvb.txt

MD5 ba2dccdfaaf1ef0773a1d2b9d3a80769
SHA1 09dbd1de347a7e2e1db96e0d0c020fbd8d58bdf4
SHA256 4d5510830365819abf6aa5c51dfdac67d0ccf0a9d1d6ad6c717337be1a28a9fa
SHA512 dae5d60809973a5f8aca4b9579c8ee0953cff6dc8e4d0b08ff15e1dea877b6edbf46b6a8ae0c30684d1f37dade30a2cb1ab2aa52fd7e35d679a2ef1ca18cde63

memory/4860-14-0x0000000005C20000-0x0000000005C30000-memory.dmp

memory/2808-16-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/2808-15-0x0000000004D90000-0x0000000004DAA000-memory.dmp

memory/2808-18-0x0000000004F60000-0x0000000004F70000-memory.dmp

memory/2808-19-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/4860-20-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/4860-21-0x0000000005C20000-0x0000000005C30000-memory.dmp

memory/4860-24-0x0000000006D20000-0x0000000006DB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lggdby1s\lggdby1s.cmdline

MD5 50027db9945080f7a3136bfb980796cb
SHA1 f0393bfdaa966288222759814ad1667370e76064
SHA256 da5077295395ab9ff18094df0764e15c1a130c8bb99dfeafa1a9579f51d34470
SHA512 026534eda5e034d8133976e618c9c6cdd272a0f2a5f8bc3c2f40484e450a2db74fe7e1b7838cc388ccb67ab98c9c7ff2393df801cea4e3c9bc1dc03c2582affc

C:\Users\Admin\AppData\Local\Temp\lggdby1s\lggdby1s.0.vb

MD5 b509947ba261f580c3ae3cf6a66227ed
SHA1 7e762c787a212fa5ca2f98a082de67e4825a01ce
SHA256 db024069fa3ae426b56383d89db603a25c28306e54132961d4a30fbfd68723f8
SHA512 14653dcb0322041c2f0ae5018eb2c4eae0448dee2240db42b015311767071d0ecd0756f0482f0c396dcd0418dc8b1a1036243108302eb1c91e6ef9e6faffb49a

C:\ProgramData\FinalCancer\DumpStack.log.ico

MD5 9430abf1376e53c0e5cf57b89725e992
SHA1 87d11177ee1baa392c6cca84cf4930074ad535c5
SHA256 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381
SHA512 dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

C:\Users\Admin\AppData\Local\Temp\vbc1CAD108A41B44CCEA1F6198775C32C.TMP

MD5 c9e82f1c503a502ddf8c1541ca201cb5
SHA1 00383211cba606246080a9d268aaa1e5072d40d8
SHA256 64bfab8edf402374a17a08a1d365304dbd3f26937f1caa74e43d6b6bdc7f64cc
SHA512 fba125d6940183d437335c2ce3a930d1196ed0765d23d71043b3e2f097a46ed88ad30c14efb6ca35b5cb218c4cab891a174f79b401fb3670121d2e2a7d6815d8

C:\Users\Admin\AppData\Local\Temp\RESB853.tmp

MD5 7e330f74d42e46cd7a9caaa44a802ffa
SHA1 e048be17161e0cf15e976c49bcabacaa06e77694
SHA256 413da87e9d7532086fc22bcf400a2bf014c14d1033d010c7a97c2bbb98e34bb3
SHA512 733f3b0e7dbf15c8cedd4257a7452a8945313764f59731e7869f04293ad79809f12f03415c8a643ede9646ff5efcf701d3895459b8625850de0aad658eebf072

C:\Users\Admin\AppData\Local\Temp\hq5kqbuh\hq5kqbuh.cmdline

MD5 d58eb6b54d0023eca0cd73df08595d6e
SHA1 5eee2e50b21a7a332b4726fc83b1163256d8da17
SHA256 b1424d57bc3d6e0cf570b5fd993c808e936b48bea9ef85ddea4198a6d1fe6d2a
SHA512 007cd7126f8a7f80eb8628bdb1c1ee5eee455cf7ddc2c2d904ac8aed2f4818f1e1238aa704dc8ef081570d14ee41aa917ee20f51e89b7c5cfaaaa85e260ebc63

C:\Users\Admin\AppData\Local\Temp\hq5kqbuh\hq5kqbuh.0.vb

MD5 3dfc1912d533d8a58c7519120f72503c
SHA1 64a80c0efedd49a66e20d662069666a7816fd626
SHA256 7c50bd6ab1f3c9fae4acf6caa9a9de944dae58f8c12e99770f8caafb265a1494
SHA512 91122647b4d7ed5137c63a9ce9a870918c675d90df27d47b9b06d6932432fc17c7eed0cd8d1e50638e8be811cbc2f83f5e3a01dac5e16c2644e86ceedc4c4f5b

C:\ProgramData\FinalCancer\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc1425AF5D7C244B7B7879283E512657.TMP

MD5 2c5cafca48c8d6fe4d1fa6a80c68a7a4
SHA1 5dc8ff4bdb9ff9bf181d1371b80f034819631801
SHA256 ac37003fe12ade867384b99f197bfadd3d32a99eacced6a7cf9487b4b5fe6d43
SHA512 31aef9174de2d8276f10ef0c80054357e05a5485c22f90eb4f19c4f514b36529859747ecd6b15f252deb3c20961b470a944753e1214ffc1abf37fe401d88093f

C:\Users\Admin\AppData\Local\Temp\RESB8F0.tmp

MD5 cebc60a87858ee4ac1179c7747aa6e59
SHA1 d16367a36548af9f6f9043b46989079501d5a7b6
SHA256 924facd72126be85d75f2ac50ece6b08f8bf7359ccd45076f47661f72fa3f600
SHA512 9a39c19d16d683cb28b2b9dce8e1bb2ff2325b1011012acf18f86cf2e2a97f849044bb02f32caf37b3c91b85ea6f3e67edc35cb10c02007f182d52d1d8a42d4a

C:\Users\Admin\AppData\Local\Temp\4tb0qu4t\4tb0qu4t.cmdline

MD5 12e142f51c248331aae4c25362e3b868
SHA1 43f0ab46f62446e7ed79b18cac8c8116ced1bb19
SHA256 5ec323b545bd0898a24f42bdcbb00801a475a4762f98b00d023b643ec03fbc24
SHA512 65599039d9d35a3d69011f7bf0cb26535c004fd391ed08dc38703def3027e96a7108624e6dfb520f2749d65636f1558d8cbd0e17e41f740da580fdcac0cf88a2

C:\Users\Admin\AppData\Local\Temp\4tb0qu4t\4tb0qu4t.0.vb

MD5 947bbeb4c36d980bb08d825efea9e864
SHA1 c0851e8f24dabfcc47b43cbe42a94902f5c91ef2
SHA256 23f3eb806036137b81e92672f88d3e011038301285a60a128bae6bf29e5a035a
SHA512 2589f015c969ab95d87e49da85128b93e1e0197f40be26becd534468c86b53b82e56f43d742276d3bd22393f37c0f5739d6c4552b027b5b02e5adf1877960ab6

C:\ProgramData\FinalCancer\vcredist2010_x64.log.ico

MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

C:\Users\Admin\AppData\Local\Temp\vbc54F0A262E924021AAC21A74BC785688.TMP

MD5 388c3b323363c06f4b7d2f6c4f64f6ce
SHA1 f4f43724e4d67028566150d88228834c316c56ba
SHA256 53a787e6cc777cd682c8ca5bd35253d9c1def459796f18e694bedddfc6d2fdbf
SHA512 6b0ef7e8538392eecb47afd3ee2d2c5187fc87b7ce890ff661f977e778b931d6969193373ebaada6aec4e62d5d354e49e345752628af7953e201b14a2391e64a

C:\Users\Admin\AppData\Local\Temp\RESB97C.tmp

MD5 5524c92ce82fb7554b6e3eea076398f5
SHA1 21177e3a3363d4feb1daedd9994696ac4dd158e4
SHA256 f6a33eee78b2fbadc5e4f01d42b5c032ebcf17f8a795b0081e7d98b6c28d3304
SHA512 df8d0fa34fec758d4479eae71e319083dde260fe906e6b68c57b6dff33d9e2bb7bfc68c4f0d9e4d68e03bc699a4baa8105c6b522bd12e678adac66209fe4ddeb

C:\Users\Admin\AppData\Local\Temp\ausivba1\ausivba1.cmdline

MD5 2749635ccc5191844d589f99bafecb5d
SHA1 5bf5ffab27aea09cbc8fb5ac3fed0fefe4086faa
SHA256 ebe61319a6f31c3802c9fbaaaabcc2ed92c9e185a6940e97ecf26e7a5e186ce6
SHA512 6c07324c4e0d34648737cdc21361a241c9cc16490f9d0d25c38c9e39d971ff50fad78df34b5ce3b5a9b42ded8882eb7a81660bb2e790a907732cff0ee31453d4

C:\Users\Admin\AppData\Local\Temp\ausivba1\ausivba1.0.vb

MD5 4f16bc8195bf8faffcb7143004f6b98d
SHA1 d8108fdb15755c22cd5df165a137b5d2af5bc938
SHA256 8d22deda1240345582850f7211306b82fbe8cc9f8a84f9fe3ca5ce3ac03be844
SHA512 be5a0f8b45170edcf250c5c822f63697da5e378fff6bbf52fbd65beb17a0683b2de1dc353eeacace0cac0ddeb389528ec34eabedb66df38a34d707d2640bdd28

C:\Users\Admin\AppData\Local\Temp\vbc6EA413E61EDE4981B31F69A8C9710B9.TMP

MD5 00d94705062aee9661956251f5a0756d
SHA1 e0befbd6aae745b6466fbc14cf06f9b29a2c3206
SHA256 20567e632f4c8e35b20d0c296b2fa37e5e24bf857b21cbc94a020f79e442b453
SHA512 d6fc786ca12a68b68f37d575c2d7241fece2d407fd840d05c90e15486e6329c521ba57d3008dee7098f5e6ec581e4cc22a12eeb667436547258788240bc4e6ec

C:\Users\Admin\AppData\Local\Temp\RESBA09.tmp

MD5 90ea1f6a6746d38b9163eae473f010dd
SHA1 4046c96cb5d1b650443ffd58cfe3f854a029471e
SHA256 cf77408620b7b2447bad942615b89e8c35c871c4990afee2cbdc2b218184dbe6
SHA512 4feebc016ca5e91f45bb2da193ac4aa93fdbde2ca3ac4a82e7bde1de769d0893e788d3e1ef23e7c97ed7443c86c56a6169ad8efb0fa1bdb65dd479036409f7a5

C:\Users\Admin\AppData\Local\Temp\ujoxiyoi\ujoxiyoi.cmdline

MD5 fd811ed93a343a5524c0fabb2da78483
SHA1 dc28c939d756285eb4c91ca345781334e5f681a9
SHA256 904bb09a8cdc110f4c25b3371b04910fbf34a4f1a8cca679e004b58f56cdd71f
SHA512 8fa931eb6ae97896110a98c0c40ada5b37b21800c814d0b3eb7f815d7e1041789986d6f7e4bbac68e111dbbfe7f2e35949654707c1c0913645b48f77f9cd18e6

C:\Users\Admin\AppData\Local\Temp\ujoxiyoi\ujoxiyoi.0.vb

MD5 5468e283cbe84c3f87136870c07f13a4
SHA1 1625c084c011837f40a489ffc75e1d57a2886dbc
SHA256 f59f43e9ee0aec96a0d838ab5469a198a39a3c8b0c68c6538da5103953c007ca
SHA512 dc3d26f9efd6e023ed1530a912a26961b2ac16037fa71aec3ad4c16069c2ad0444dee5157552f960b2f7953708169392ce2e7af6786452dec221240449b0ef0a

C:\Users\Admin\AppData\Local\Temp\vbc25F8D46273A84CA09560FBF9A3E39ADE.TMP

MD5 b496aac40c58f2ef341740e6f8476241
SHA1 90536b1e56f1aa68d7c3b493ff99c63492bb9896
SHA256 978b9122a336b6722d953d11b319e8db62a0e51277a45021d7ca96d41fca204f
SHA512 c3253e6bb679d42f5e386b0136b1e8ca88c3a34718213073c0260d202d95b962a4121bb0a452d3059551b42b4e2cd84e1d23b2ff76173ec711e9f1e09c996496

C:\Users\Admin\AppData\Local\Temp\RESBA76.tmp

MD5 b3df9210db118dcb656b6e9c38635c38
SHA1 99305afc182c7b81908087877fca3298f56db645
SHA256 f8bbd3503f959749ed8d51d041e7bc0c996ec08190e1a8a382f3eca5537e9443
SHA512 03fb3898d1f8efba4c67048e42dec92b67295efee081a971c3cc9cf0f27f8d323c4916658177daa1a3b22564cca08b70b7740f6905d7997168b8e156e8f54465

C:\Users\Admin\AppData\Local\Temp\e0tsfwmq\e0tsfwmq.cmdline

MD5 d3c80d6b6d7fa30ed7998610426a99ef
SHA1 3b9624831ba216a53631659e0ebb94d0c9a389f8
SHA256 9f2b96318506761f13f7c8b047a84eee1eda46653b19d014f62341b953e803a7
SHA512 7dbab541b788de106d7d85c5bc30dfc26188bcbe74ada1a133bc3691be88d4a3e7605ef115b48047bdb371fddee3afca8948ccbf2b849d8307fedc30506d39d7

C:\Users\Admin\AppData\Local\Temp\e0tsfwmq\e0tsfwmq.0.vb

MD5 9142a18b01ff279872841047b51af510
SHA1 5c2d3e41d89c3a9c3bdc501517eca75e0f7696f5
SHA256 5b349f3c62b28fb90ff3a3dece5af80ef2f43411b8bd69cb0b36249dbe4c0f50
SHA512 bab3f2e8cd81497cf470cbce824e15f12df96e498498fd839a44abb50b841ba1cab82f3b3f4935877bf4efae2d5daa6ea7726ba4cc5499cdc799e401d9820424

C:\Users\Admin\AppData\Local\Temp\vbc9004429168E54F8E9C217FDA99966174.TMP

MD5 2d4d7ce2956236cdcba7d30748f25e95
SHA1 8ea12b35ff98b7ca2e60b310fe114f201596da86
SHA256 dbc0fb5a877703e6b6bb2c4246655c6f633b944bb90db55d758185cb92d83b6c
SHA512 0b20eb0e07f7b44b087e73ecaa94bd23a5e6dc2b74bd22f4e641a2b5ebd03e6ce8c534003e2d07e1996d7d5ea8124b9a2a79930f76e90e3d740d9b49f7614551

C:\Users\Admin\AppData\Local\Temp\RESBAF3.tmp

MD5 0569d0a1cef22a03f88b26ecc7aef1f9
SHA1 1c3b32028b2dbc523a0a6d3005f43e5ebbd3b750
SHA256 695e37201ea855ba1763d468d10c4c056e7a7f65f84fb08f7298176e73c4147c
SHA512 7d66a9962a6788594331d09d7fa4159f0ec3041d74405409b20436acccc2bc3ee307609a575c9f064111c4a0b32a5b49b35c7624eb097ad00cf440287048a9ae

C:\Users\Admin\AppData\Local\Temp\yxjjjyq5\yxjjjyq5.cmdline

MD5 685795d6768bc27868c0a89e3edfaf7f
SHA1 13d3f65fc119db32c4601ea610893f14a12783fc
SHA256 dd79e5ddb295f7e1eafdaa7bc87a24cbb0432e7ee6245af46fa64e6f3cd3147d
SHA512 72afbded186b5934b4411646a4de1e76fce48b8d586e87270f335890c44a13c317041b33a79fcbaf75a0711bf41272fd65eb00a17667d2fc7563fd3a04697799

C:\Users\Admin\AppData\Local\Temp\yxjjjyq5\yxjjjyq5.0.vb

MD5 39f1090051deb4a4a43bd29b8814dfb8
SHA1 dc42c563bb81474709203426de65d06218cec279
SHA256 d08fc6785cc2c58653d2c660a0ef631524610bd247aa6fc992527c7e1042ab47
SHA512 9b794441eb4cd585b97404de86c3987c3c119bd5692daf9d7aa33f16283f2a3ce472d431304500cb65535b7ebb6b2da49a85b97ca79ab202b4d85dca99b37cf3

C:\Users\Admin\AppData\Local\Temp\vbc18DD6EF6B1834C44A8E2FCA6F9CA201C.TMP

MD5 5e95bd5730fa77a2bffebaa8c2524adc
SHA1 5ee9a598454cd8040bb9a5e48576a2f54d8718d4
SHA256 65351d77d5230172bf6e310b9e8fc40fce2b55476c10818ba11b3422e8a432d5
SHA512 c2d7605ceb2f3481d664fd5583fa9b8cdf4e2b4c6fe30b7070f6d3a60002dd1f46d9cbc8c0a2f52f5c9049a562c1b46d7c71e5a7d4cbecffbe08633fa26735a0

C:\Users\Admin\AppData\Local\Temp\RESBB70.tmp

MD5 83b475e36cf42bdd733fe32822678ec5
SHA1 4341c37177358aa2eaa1716e598081188a5b8af9
SHA256 6baa9c68c2a36b066b5aae07f82f56af9be23f8e5d21aa0681f075c04d9ed9d7
SHA512 89e2bbcf3c27979fc48fb192b1688f9edd5a3911203ae17ed21c3f77505f27bc7f4ef69f6b91428c40b15574de6945e0e2e0ec28b76025fd2f92874333cc116e

C:\Users\Admin\AppData\Local\Temp\3cpjer4z\3cpjer4z.cmdline

MD5 dce1cc1545d0864c93ac31a418ab2a69
SHA1 6d8b4cf26e9df540a84117169a174b367dc8aa7d
SHA256 c70478241eb4115a64cdf5135f49d9b39926bbdd5e1a479e67f8eadb3a42b4c5
SHA512 45fcf0b0d252fac389841b58a0a01905da5af0eed843597c530bb2d5c0c74da4173f0df53ed8b77138e40a0705f70916ebffe7ef4b72ccf42dff958e6232a08d

C:\Users\Admin\AppData\Local\Temp\3cpjer4z\3cpjer4z.0.vb

MD5 ec4a6c4c37c41025c6514c1ee717f9df
SHA1 396e60cefc15db8324c137c420d1b69be6cac00f
SHA256 72b07a8a7d88b81e3a65f1af9e988f4edb05944ee70ab87f14cd93b31589e9b7
SHA512 94eb5b790ede491b3250273385e81c03ef71a8f1a0249e8c2dc766c4cd3c79c35ed6dff3cabb06715f183866d7844f823140cf8c10c86caa7adb3956ff94a559

C:\Users\Admin\AppData\Local\Temp\vbc70B599A5141E44FB855FEB114B356B34.TMP

MD5 8816d949de547c849ee859103930780e
SHA1 b64e21d7cdc3e8a18069a0e5b1de9cf32888caad
SHA256 8851eb5f03e9c837301174363ea9f076fee5427b8b227c69ded82c610ce1d302
SHA512 0372edd9f5de51170393d6c48f22da41aab6e0e464b859288f27a0a0844b58c0825277629e7b717e3de4c94e6da55c5c232d4a1c83b3dad2effaa147a1d5d6ac

C:\Users\Admin\AppData\Local\Temp\RESBC0C.tmp

MD5 b61cf6dde7d8adf045976463d0e99794
SHA1 dbbbd08ce18a0900a1f203d14e89acd71028d088
SHA256 adce222359b9509613abbf639910ea39dc98f90eecab13ce4444cad24ca7fa8a
SHA512 24cf50ec1de584189f3a1aa3b0b932f3fc04f92614f667e89818827801db299f88d5ff5dd3e7ceefd8025fb7bbf16eceef8d792c80384acb77922c80da2382a1

C:\Users\Admin\AppData\Local\Temp\xh4lqrvs\xh4lqrvs.cmdline

MD5 20d4f4285b700a214238c48a2ab5f81c
SHA1 a4d8b88fdf6f2029c6057c69db5341d4bc7c2ce6
SHA256 96e36babecd2ffb43c3787fcc1bc8b778f9616df3e56bbcc3e292f4010b57680
SHA512 91dde8000e02363a162f3c7300fd5d15feebf45dc0b5bc01356e29e9311844f475978bbe10989c61bf8e9330218cdd2a009930945d285a6e8deba8e9680585ac

C:\Users\Admin\AppData\Local\Temp\xh4lqrvs\xh4lqrvs.0.vb

MD5 0d4174c11e206d3bad116dcc684782cc
SHA1 2e12d3e6dd5a25a90b2b9ea69020ecc04a5fa8dc
SHA256 c7a4202afe745612af78b3abd57b5187106aeca58fed11f725eab06040b18bc0
SHA512 769902f903486f824d9bf76ef7892bd1711932617171f7d3ccdf550ae171cadb65d86fd8a4994df21aaa121ac18981f165f47236a0d20185691083656d600a5a

C:\Users\Admin\AppData\Local\Temp\vbc927F33D813D24EEA8C285150976B4194.TMP

MD5 60c045fd5f525cbeb23660fbe7a49a65
SHA1 1424a27b5c3a7626e395cd58c7f4f77fa6bd3238
SHA256 5f251fdc5563215f352b252c0655138861ed27ed043409f22b9a856756b0c1f7
SHA512 fb4a7e1c52f5c16b2bd062e9b48c8cb186caeab6d88287b8f207ef393bca2ec7b8e92e644b658ffe394587f77bc576aa63d54709acce786023f2c98047df44dc

C:\Users\Admin\AppData\Local\Temp\RESBC89.tmp

MD5 5a773b4e7d60b1af53fd22b166e4e830
SHA1 728e3585b5c445a508ded8f1beadfb0f0d8eefe5
SHA256 534b141506ec62471ee79c8d393e4f04af51f4e3c2b221ad50811be72443ac3f
SHA512 5138323e03e3f4400e1a6c7621c82788b7ef4b58d5e11b5526f2fdffe942f98b80a6a82e5b82536f5845278ff8b704a131ebd6b56bcc785525639db08123bc19

C:\Users\Admin\AppData\Local\Temp\12khqy2i\12khqy2i.cmdline

MD5 06899f984e320709ee346f93b20b3835
SHA1 1fe9501c36bf70c58e657bdd883ac2d1db42920e
SHA256 0f9ae333ce16c1f41e38c1dccc094e911d94221c84fef475b41551bdba173dec
SHA512 24eef296e8422aa1a94807fd6f6bacea9ae15d459af1c10742d6c73c62101f62777164b17f7dbef881d7e9752472ea1cc14e4d1c41706e61e0ea1dfeed1aaf1c

C:\Users\Admin\AppData\Local\Temp\12khqy2i\12khqy2i.0.vb

MD5 70af9c1b36eadb0975a3b7b6396d75aa
SHA1 ad3e32d8f6e4b45e39b25c4690914521e893db05
SHA256 65cc055af8a35f3bbe2cc55418c2fe338a35f298c3fc45a6c0421d6bf9ebfeaf
SHA512 39b764f186469afa343ba755ef2c15e4f82d928d85e787e3a910b4210cfb3fee0119127c11c7794ac5e5f818bd2feae8b462237792e458ceae39ad1f55e30f1b

C:\Users\Admin\AppData\Local\Temp\vbcE5187018BA9E48BFB8EB2BEF5A8073B4.TMP

MD5 252fd46a5b3cd72411a783cabb14f35d
SHA1 5a83faacc65b91265a07c4b2c8c17e89f4f0c3e2
SHA256 157e9d2f36dfd53cc6fa365f2ccb98c339d20731bc884900ecea8a0f98376452
SHA512 9dc55af674b81b4b95f838385d1f1596a86d5040c7f8a2587a0556df7e1478eb4cc65b84667269d1397c71ec1d3729a039bd40105448a5433d365fab5a08fe7f

C:\Users\Admin\AppData\Local\Temp\RESBD16.tmp

MD5 29ed1e429c4205d389fab974efc2d373
SHA1 376c9cf0f3caf28da45c02bbf97446fadd01cd66
SHA256 72e97cfd5049ab07e20abecddfff97a4a8989551898fa24fa2242189c4f9876b
SHA512 cd5258ac83a076cc560643fd7e56c04611f0ea87dccfddbc6290b6e13a1c06fc73810d440ca96df01ac0ff760754569c950ad0da28b5cc0529258c3399d9f83b

C:\Users\Admin\AppData\Local\Temp\zzmvxfcc\zzmvxfcc.cmdline

MD5 133b3533beca009d017bf4c86d9bc60a
SHA1 c0cf87ef9f72ea9c425ef373aec350bd5e442b4d
SHA256 3ef877aae3a16166ec33469e1b3615e5980dd971afe53d70feea4bfe64d334f3
SHA512 fc50a228c46ac992f9fc01b8fb01c7076f8049a8c3af3db7eecec194309635868448c30fb4414de5368dcefe76b564f3f3b0ac480f831d397c6aa12e264851f1

C:\Users\Admin\AppData\Local\Temp\zzmvxfcc\zzmvxfcc.0.vb

MD5 e12c96de46debdd20e91958031bfcc54
SHA1 be562249eb536b4f772b719a798d136b39bc07d7
SHA256 d4c706d54244d4a4525f728baeba2f0c43a3a1d4971f99a291fe2d16f9348bef
SHA512 f5441352ba29b8f00a86d9f67c7eef9425d09a67fb4c2e88173c4012bfe16401ed942a182c5f8e4bd87551430764f661acabbed032ff219e5e5c3b09ff136353

C:\Users\Admin\AppData\Local\Temp\vbcEE21628FB5534A549C396D9B3CAF28B.TMP

MD5 a5dedb56c3f55e0fedd4bc8a094b9e29
SHA1 e52a59e775c4c5b8b6e5547d12c229405df2dcd8
SHA256 0ab53879d335a43d19b58212bc602b942904b3505f3cc24eef3afd7d3a4e9012
SHA512 c1c52e1b49d47b2f20b7874bfcc20a6c9c23bcd355ff496abd0a37db2bc7e7dacb4c50d483235014e070a2b6e5154bf150d48ade13c8599b36ddbfc995055863

C:\Users\Admin\AppData\Local\Temp\RESBD83.tmp

MD5 3f25b4e6960cb269d6ebcf9739b18aeb
SHA1 cfa9c86e2317e39819abf7400f9721d77722597b
SHA256 ae11170ba06e05d6a44050849dd33dbcad9be42c1f8a9fe5c3189852575b4ead
SHA512 b2b35469b226d8f81730e645db9fac394a9fef8f2a074906176b9f19fe498d0d3267cfa102b52af8f5b4fd559aa41d3fbde1ef11090b35cabd68703998d248d2

C:\Users\Admin\AppData\Local\Temp\xjlouxzq\xjlouxzq.cmdline

MD5 773e1b18e046e4864b460800a68cda76
SHA1 95f423cccec5f7817965619c3b733016cc251492
SHA256 ae9ed7606a816c1dfabb22d359d3819d19102a59066e1011e7b104059b8148b5
SHA512 1f968aa14161dcae2e8bfbfa54ffe5ed0cdc3eed53f10e9832feb3066a0a71fad593bcfc4225f730213253292a55097cd0f8e5e261c30e68802dab7a34e612e1

C:\Users\Admin\AppData\Local\Temp\xjlouxzq\xjlouxzq.0.vb

MD5 a25ab47471edf1ddfde1ac6dfefbdf5c
SHA1 38fe981ac57cb369ec38e3f07841cc7905bf70a0
SHA256 3502f5923531697e38c623c4fd6b6f47c25d9e819f016b84273ab08ea2fd92f9
SHA512 66e7e1b930062a7778de85be4dc14d60af0502bd1ec479d28ef8105c469006f6f7d531fbf4dd92894249079b29c20249dd8ba3fe814290aa9845e02efb59747d

C:\Users\Admin\AppData\Local\Temp\vbcCD3EFCA8EB7C461B862C8FB4B6585FA9.TMP

MD5 288cc7e790c325aeeced08cfa4ce385b
SHA1 ab8b228d10048de1c8181b1328c0a6896fe23394
SHA256 822ceb96371ccc29c933ec448c2faddf1c6e687c9624fc27f7515e1f8ecb1a7d
SHA512 79f7d0ce81bbb4543704a2c8d00d32af04c4981f0d5913ab4c6bb8bc64b51df6c54c25c84cf9084aea8665b52a3b38d366c0ea0f261125333a213392b2ca76a7

C:\Users\Admin\AppData\Local\Temp\RESBDF1.tmp

MD5 4f6a8716f937200802b95b1abb9bba02
SHA1 09f4bbb8ba943c7ccdaec040e5e590594b7f479e
SHA256 dc0180f3cc1c9c69b8f76e0d9ed49fb6657991f79eb79d6945ed5bcc32f62b20
SHA512 cd90c1831cd5337ebc424a5bb82364fafe744bc4f0309a032a6c34c3aa46f6775695f455169ec153ecb22fd8e224e2c9f2f575e020eb2dc043251f54bb47cf6b

C:\Users\Admin\AppData\Local\Temp\xtsnxkbw\xtsnxkbw.cmdline

MD5 baeb68279eba88278198d6b2b6812bc5
SHA1 58d95272ad320d966d1c507948498091855034af
SHA256 d82523e46518a432bf8c861f466b3b31b766313705d3f4e07e5b4235199b6766
SHA512 7443a1f2a7ed5f70ced08ec7d586a5a7b3a48ee947fbae82ca4ce5b04a8dd11c5ccbbb7cf4d1652f55a76f71da18596ee0e7b4d62b39e28a5d30f556ad9cdb95

C:\Users\Admin\AppData\Local\Temp\xtsnxkbw\xtsnxkbw.0.vb

MD5 56353dbafcab3482384f52e9926aeff9
SHA1 409782553e47a46675e2d300708fa6f45e0fd974
SHA256 397c249dc9c6d1b4c435de8dd2d20b3bdae6f83e57c6812c63df8437a24ea8ec
SHA512 49c5188d9e45fb8ceb32ab24f5217ed5d16f037ce798d9d5b759b63dc4d4227cfb50408d77cd2c545cc5c67c7cb7d8c87634678d65e1e295207da063ed9c5e5d

C:\Windows\SysWOW64\Win32NT.exe

MD5 a1c0029daca1846904be23abfdda0191
SHA1 747db08943b456b9fd3c583bb9d5d256e6543e55
SHA256 bc9f8a179b61a96f922697277c63b16dd6e04a571a21e3b2dfe2c274375d9f45
SHA512 0aa83ae6a3e43ecc70ec77e379c6a1e7915763c623b26a65981612b17b9b9a65787c318088961839c3b95e7f382893582759fa2f2049a02bf8ce82c34bc595a9

memory/4860-355-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/3188-354-0x000000006F220000-0x000000006F7D1000-memory.dmp

memory/3188-356-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

memory/3188-357-0x000000006F220000-0x000000006F7D1000-memory.dmp

memory/3188-361-0x000000006F220000-0x000000006F7D1000-memory.dmp

memory/4576-363-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4576-365-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/1604-366-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4576-367-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4576-368-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/1604-369-0x0000000074460000-0x0000000074C10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\47936297.exe

MD5 9ff9e2eb4f1d5405de3a35c8a5c25366
SHA1 25db133181d55e92d6a29192a49e6eb2c060bd69
SHA256 f78ebe96629ef0bf102ddefe4c2f08ae66c76a3d9c4a82cc6e25dd306d6ce99d
SHA512 eac4c150331039d96af9ca4d258ce3fa1a8c4f621b8d8e59574d4dea7bee9de6ed4827460d6e849b85037feacabe9d39131b5d0423854955db7785780fc8a3a8

C:\Users\Admin\AppData\Local\Temp\8262284.exe

MD5 0e2fa137fc4dd4f99e4cda506bc8b645
SHA1 9ec9ef974cdf29d1b5f19ca6d2b89ee6f274bb13
SHA256 4d6350c54f1a3a58d4b25f315f5ac7b20e7f48533c1cef4e374d766cfbf4c5d6
SHA512 b845c48e90dac4ad27086cbea0c36ee5d7bed2192eaa18a2a3029dada86b392e89ad3eb40a2bdc2ecab7414c24ec0b9f2081f8f7d5ac5b176b28d21c2694ecfe

memory/4052-401-0x0000000000CE0000-0x0000000000D32000-memory.dmp

memory/3160-403-0x0000000000F70000-0x0000000000FBC000-memory.dmp

memory/4052-404-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

memory/3160-405-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

memory/3208-417-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

memory/3160-416-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

memory/4052-429-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

memory/3976-428-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

C:\Users\Admin\Documents\OPEN_ME.txt

MD5 7f334c0bdedefade207b4a8a5e29c9f5
SHA1 1ed67865be5a3323dff223fcb440d1652aed8030
SHA256 6f520eca1afef05df125b8fbcb238dc19df86aa5ac0e8d7e99e711713c9355df
SHA512 ba26091c71a66f59b80d61ca228b3e31999d8b87fec4bca5339af863770259e7cb5bfc2f1f39542bf7d4371ec4b307f8e433c56373db86a00a48af33a79e1764

memory/3976-631-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

memory/3208-847-0x00007FFFC76A0000-0x00007FFFC8161000-memory.dmp

memory/380-848-0x000000006F4D0000-0x000000006FA81000-memory.dmp

memory/380-849-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

memory/380-850-0x000000006F4D0000-0x000000006FA81000-memory.dmp

memory/380-855-0x000000006F4D0000-0x000000006FA81000-memory.dmp

memory/4012-856-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4012-858-0x0000000005B40000-0x0000000005B50000-memory.dmp

memory/4012-859-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4504-860-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4504-861-0x0000000005620000-0x0000000005630000-memory.dmp

memory/4504-862-0x0000000074460000-0x0000000074C10000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 10:25

Reported

2024-03-12 10:27

Platform

win7-20240221-en

Max time kernel

109s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RevengeRAT

trojan revengerat

Deletes shadow copies

ransomware

Detects command variations typically used by ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Script.vbs.vbs C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.js.js C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.ink.lnk C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.ink.lnk C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPEN_ME.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.js.js C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Script.vbs.vbs C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32NT = "C:\\Windows\\SysWOW64\\Win32NT.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\FinalCancer\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Win32NT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\SysWOW64\Win32NT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n2053o5f2.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Win32NT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\47936297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8262284.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Win32NT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2376 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2596 wrote to memory of 328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 328 wrote to memory of 2476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 328 wrote to memory of 2476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 328 wrote to memory of 2476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 328 wrote to memory of 2476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 2728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2728 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2728 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2728 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2728 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2596 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2136 wrote to memory of 2328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2136 wrote to memory of 2328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2136 wrote to memory of 2328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2136 wrote to memory of 2328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2596 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 784 wrote to memory of 1440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 784 wrote to memory of 1440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 784 wrote to memory of 1440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 784 wrote to memory of 1440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2596 wrote to memory of 700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2596 wrote to memory of 700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 700 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 700 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 700 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware
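The signatures above (Deletes shadow copies, Modifies boot configuration data using bcdedit, Deletes backup catalog, Creates scheduled task(s), Uses the VBS compiler for execution) together with the WriteProcessMemory chain from the sample into InstallUtil.exe and on to vbc.exe and cvtres.exe are what a detection engineer turns into process-creation rules. The Python below is an added example written for this page, not the sandbox vendor's code and not anything recovered from the sample. It classifies process-creation records (Sysmon event 1 or Security 4688 fields) into the report's signature names and adds two analyst heuristics of its own. Everything in SAMPLE_EVENTS is constructed: the PIDs and parent/child shape of the first four records copy the report's WriteProcessMemory rows and the vbc.exe and cvtres.exe arguments follow the Processes section below, while the vssadmin, bcdedit, wbadmin, wmic and schtasks arguments are textbook ransomware variants, because the report records this sample's actual arguments as N/A. The vbc.exe /noconfig @<random>.cmdline invocation followed by cvtres.exe /OUT:RES<hex>.tmp is the shape the .NET CodeDOM compiler produces when a program compiles source at run time, which is why the heuristic keys on the compiler's parent rather than on the compiler itself.

```python
"""Turn the signature hits above into process-creation detections.
Added example for this page, not sandbox-vendor or sample code.  The event
records are CONSTRUCTED: the parent/child shape copies the report
(InstallUtil.exe -> vbc.exe -> cvtres.exe), but the vssadmin/bcdedit/wbadmin/
schtasks arguments are textbook variants, since the report records them as N/A."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _base(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(cmdline: str) -> str:
    """Everything after the first (possibly quoted) token of a command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


# (signature name as the report prints it, image basename, regex on the lower-cased command line)
RULES = [
    ("Deletes shadow copies", "vssadmin.exe", r"\bdelete\s+shadows\b"),
    ("Deletes shadow copies", "wmic.exe", r"\bshadowcopy\s+delete\b"),
    ("Modifies boot configuration data using bcdedit", "bcdedit.exe",
     r"/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("Deletes backup catalog", "wbadmin.exe", r"\bdelete\s+catalog\b"),
    ("Creates scheduled task(s)", "schtasks.exe", r"\s/create\b"),
    ("Uses the VBS compiler for execution", "vbc.exe", r"/noconfig\s+@"),
]
RECOVERY_DESTRUCTION = {name for name, _, _ in RULES[:4]}
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}


def classify(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Map each PID to the labels its record triggers; PIDs with none are omitted."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, Set[str]] = {}
    for e in events:
        img, cmd = _base(e.image), e.cmdline.lower()
        labels = {name for name, binary, pat in RULES if img == binary and re.search(pat, cmd)}
        # Two analyst heuristics (my labels, not signature names from the report).
        # InstallUtil.exe needs an assembly path; a bare launch is the shape of an
        # injection target, which is what the WriteProcessMemory rows into it show.
        if img == "installutil.exe" and not _args(e.cmdline):
            labels.add("InstallUtil.exe launched without arguments")
        # A compiler driven by anything other than a build tool deserves a look.
        parent = by_pid.get(e.ppid)
        if img == "vbc.exe" and (parent is None or _base(parent.image) not in BUILD_PARENTS):
            labels.add("Compiler spawned by non-build parent")
        if labels:
            hits[e.pid] = labels
    return hits


def ransomware_prep_detected(hits: Dict[int, Set[str]]) -> bool:
    """Shadow copies deleted AND at least one more recovery path (BCD recovery or the
    backup catalog) removed.  A lone vssadmin call can be routine admin cleanup."""
    seen = set().union(*hits.values()) if hits else set()
    return "Deletes shadow copies" in seen and len(seen & RECOVERY_DESTRUCTION) >= 2


NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [  # constructed; the first four PIDs follow the report's WriteProcessMemory rows
    ProcEvent(2376, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    ProcEvent(2596, 2376, NET + r"\InstallUtil.exe", '"' + NET + r'\InstallUtil.exe"'),
    ProcEvent(328, 2596, NET + r"\vbc.exe", '"' + NET + r'\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cgpqm50v\cgpqm50v.cmdline"'),
    ProcEvent(2476, 328, NET + r"\cvtres.exe", NET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE02.tmp"'),
    ProcEvent(3000, 2900, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(3001, 2900, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(3002, 2900, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(3003, 2900, r"C:\Windows\SysWOW64\schtasks.exe", r'schtasks /create /sc onlogon /tn Win32NT /tr "C:\Windows\SysWOW64\Win32NT.exe"'),
    ProcEvent(3004, 2900, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    # Benign control: the same compiler invocation driven by a real build tool.
    ProcEvent(3999, 1, r"C:\Program Files\MSBuild\MSBuild.exe", r'"C:\Program Files\MSBuild\MSBuild.exe" app.vbproj'),
    ProcEvent(4001, 3999, NET + r"\vbc.exe", '"' + NET + r'\vbc.exe" /noconfig @"C:\build\obj\app.cmdline"'),
]

if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for pid, labels in sorted(found.items()):
        print(pid, "->", ", ".join(sorted(labels)))
    print("ransomware preparation:", ransomware_prep_detected(found))
```

To run it against real telemetry, build ProcEvent objects from Sysmon event 1 (ProcessId, ParentProcessId, Image, CommandLine) or Security 4688 with command-line auditing enabled. The output is keyed by PID, so hits can be joined back to rows like the WriteProcessMemory table above, and the benign MSBuild control shows why the compiler rule must look at the parent: vbc.exe with a response file is normal on a developer box and only becomes interesting when something like InstallUtil.exe is driving it.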

Processes

C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe

"C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cgpqm50v\cgpqm50v.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF7273931F71463B84070DDAEAACAFB.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1u2foiob\1u2foiob.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE12C61B1AFAB4F78A317C51D4C7046A1.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1vakq5fu\1vakq5fu.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC043.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD284C408BF443BFBDB5D5592F8ABB42.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfhyxags\sfhyxags.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC14C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20D610C2C143496981121C1F84A51BB7.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\di3vtgdb\di3vtgdb.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC294.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6A39A5738DA45DB9A777C76DE6FDE12.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zub2r50e\zub2r50e.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC33F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AF549D4E9C646A5B5861EECEE2A2A9F.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gw03hshl\gw03hshl.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc539D3778783443D49B81BC5837BEBF24.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vlzauywb\vlzauywb.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94799B8B3EBF47918E3DD89376B05415.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ufuwoti0\ufuwoti0.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BA791617E164CAEABDFC79308BE68E.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0xqy4xro\0xqy4xro.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98CE14622724A3AB5A39D206CE47574.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sikxynlf\sikxynlf.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3230C85161F4F328DFED4A13CEF16AD.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hshyg0b\5hshyg0b.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC86D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42C7128A0DA46848D442A193994DE16.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v42nqlik\v42nqlik.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC977.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CC50286F7EB479EB5C3DEDB5073E7C.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ha21cjqi\ha21cjqi.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96385818C9814D9484E7592A6089D4BD.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zeqamb51\zeqamb51.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69BA00A314F24024A9AA76A1196A1778.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iw0psqin\iw0psqin.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc558969E8846348FCBD975CEC2DC8ACF.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0h0ev42w\0h0ev42w.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE39046E427F4FA7A2B83BFC6E3B4AF.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\za44iqqg\za44iqqg.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC61CF0ABC0764367BB3EACC11A5AC86.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4e2ecfbu\4e2ecfbu.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C299466E8B7407D9067EAC2A23F9063.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bvcrzre4\bvcrzre4.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD079.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60C60AB336794AF2B415DDFD8BA071C0.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\khbnc0w2\khbnc0w2.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2E26A6987384882B815E3C40EAC05F.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\igsq42zm\igsq42zm.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9284E49C6859453C9EA592F761A523D8.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m0oho2wd\m0oho2wd.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD85F802935346718BC7475C11AA5E4C.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nnsod43n\nnsod43n.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B54199B5538484EBB88ABA2CE149C.TMP"

C:\Windows\SysWOW64\Win32NT.exe

"C:\Windows\system32\Win32NT.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tbcgszz5\tbcgszz5.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES901F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BDC82E22E45406ABEF7C1E319C7DDEE.TMP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "explorer" /tr "C:\Windows\SysWOW64\Win32NT.exe"

C:\Users\Admin\AppData\Local\Temp\47936297.exe

"C:\Users\Admin\AppData\Local\Temp\47936297.exe"

C:\Users\Admin\AppData\Local\Temp\8262284.exe

"C:\Users\Admin\AppData\Local\Temp\8262284.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3032 -s 568

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\OPEN_ME.txt

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0cmexbbi\0cmexbbi.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA32.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B57E6E81504916917E27C2A782C2C2.TMP"

C:\Windows\system32\taskeng.exe

taskeng.exe {BE2CB3CE-AB13-4C25-BA7A-7EE2FAA90408} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]

C:\Windows\SysWOW64\Win32NT.exe

C:\Windows\SysWOW64\Win32NT.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
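
The process list above is the whole attack chain in command lines: runtime VB compilation through vbc.exe/cvtres.exe, an argument-less InstallUtil.exe used as an injection host, a one-minute schtasks loop for the dropped Win32NT.exe, and the vssadmin/wmic/bcdedit/wbadmin sequence that strips recovery options before the OPEN_ME.txt note is shown. The following is an added example, not code from the sandbox report or from the malware: a small rule set that classifies command lines of this shape the way a detection engineer would before writing a production rule. The rule names, the verdict wording and the ATT&CK mapping are the editor's, and the sample input is copied from the Processes section of this report.

```python
"""Classify Windows process command lines by the recovery-inhibition,
persistence and compile-after-delivery patterns this sample exhibits.

Added example (not part of the sandbox report). Rule names and the
ATT&CK mapping are the editor's assumptions, not taken from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # MITRE ATT&CK ID (editor's mapping)
    pattern: re.Pattern


RULES = [
    # vssadmin / wmic shadow copy deletion: Inhibit System Recovery
    Rule("shadow_copy_deletion", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
                    r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    # wbadmin catalog deletion: Inhibit System Recovery
    Rule("backup_catalog_deletion", "T1490",
         re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    # bcdedit disabling Windows recovery / boot failure handling
    Rule("boot_recovery_disabled", "T1490",
         re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no"
                    r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    # schtasks task firing every N minutes: Scheduled Task persistence
    Rule("schtasks_minute_persistence", "T1053.005",
         re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+minute\b", re.I)),
    # vbc.exe compiling a .cmdline response file out of %TEMP%:
    # Compile After Delivery (CodeDOM-style runtime compilation)
    Rule("runtime_vb_compile", "T1027.004",
         re.compile(r'\\vbc\.exe"?\s+/noconfig\s+@"?[^"]*\\Temp\\[^\\]+\\[^\\]+\.cmdline',
                    re.I)),
    # InstallUtil.exe with no assembly argument: legitimate use always
    # names an assembly, so a bare instance is a candidate injection
    # host (confirm against WriteProcessMemory/SetThreadContext events)
    Rule("installutil_no_args", "T1055.012",
         re.compile(r'\\InstallUtil\.exe"?\s*$', re.I)),
]

# Command lines copied from this report's Processes section.
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cgpqm50v\cgpqm50v.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF7273931F71463B84070DDAEAACAFB.TMP"',
    r'schtasks /create /sc minute /mo 1 /tn "explorer" /tr "C:\Windows\SysWOW64\Win32NT.exe"',
    r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete',
    r'vssadmin delete shadows /all /quiet',
    r'wmic shadowcopy delete',
    r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no',
    r'bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    r'bcdedit /set {default} recoveryenabled no',
    r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet',
    r'wbadmin delete catalog -quiet',
    r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\OPEN_ME.txt',
]


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches (empty if none)."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def triage(cmdlines) -> dict:
    """Count rule hits across a batch of command lines and list techniques seen."""
    by_name = {r.name: r for r in RULES}
    hits: dict[str, int] = {}
    techniques: set[str] = set()
    for cmd in cmdlines:
        for name in classify(cmd):
            hits[name] = hits.get(name, 0) + 1
            techniques.add(by_name[name].technique)
    return {"hits": hits, "techniques": sorted(techniques)}


def verdict(summary: dict) -> str:
    """Editor's wording: recovery inhibition plus persistence reads as ransomware."""
    seen = set(summary["techniques"])
    if "T1490" in seen and "T1053.005" in seen:
        return "ransomware-like: inhibits recovery and installs persistence"
    if "T1490" in seen:
        return "ransomware-like: inhibits recovery"
    return "no recovery inhibition observed"


if __name__ == "__main__":
    summary = triage(REPORT_CMDLINES)
    for name, count in sorted(summary["hits"].items()):
        print(f"{count:2d}  {name}")
    print("techniques:", ", ".join(summary["techniques"]))
    print("verdict:", verdict(summary))
```

Each cmd.exe /C wrapper and its child are counted separately, which is what process-creation telemetry shows too; a production rule would usually key on the child (vssadmin.exe, bcdedit.exe, wbadmin.exe) and treat the cmd.exe line as corroboration. The `installutil_no_args` rule is deliberately weak on its own and is meant to be joined with the memory-write and SetThreadContext events the report records for the same PIDs.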

Network

Country Destination Domain Proto
US 8.8.8.8:53 noose.servehttp.com udp
TN 41.230.67.22:666 noose.servehttp.com tcp
TN 41.230.67.22:666 noose.servehttp.com tcp
TN 41.230.67.22:666 noose.servehttp.com tcp
US 8.8.8.8:53 noose.servehttp.com udp
TN 41.230.67.22:666 noose.servehttp.com tcp
TN 41.230.67.22:666 noose.servehttp.com tcp
TN 41.230.67.22:666 noose.servehttp.com tcp

Files

memory/2376-0-0x0000000074100000-0x00000000746AB000-memory.dmp

memory/2376-1-0x0000000074100000-0x00000000746AB000-memory.dmp

memory/2376-2-0x00000000006B0000-0x00000000006F0000-memory.dmp

memory/2596-4-0x0000000000090000-0x0000000000186000-memory.dmp

memory/2596-5-0x0000000000090000-0x0000000000186000-memory.dmp

memory/2596-7-0x0000000000090000-0x0000000000186000-memory.dmp

memory/2596-9-0x0000000000090000-0x0000000000186000-memory.dmp

memory/2596-11-0x0000000000090000-0x0000000000186000-memory.dmp

memory/2596-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2596-15-0x0000000000090000-0x0000000000186000-memory.dmp

memory/2596-18-0x0000000000090000-0x0000000000186000-memory.dmp

memory/2596-21-0x0000000000090000-0x0000000000186000-memory.dmp

memory/2376-22-0x0000000074100000-0x00000000746AB000-memory.dmp

memory/2596-23-0x00000000714A0000-0x0000000071B8E000-memory.dmp

memory/2776-26-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2776-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2776-27-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2776-25-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2776-30-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2776-24-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NRHXJvb.txt

MD5 ba2dccdfaaf1ef0773a1d2b9d3a80769
SHA1 09dbd1de347a7e2e1db96e0d0c020fbd8d58bdf4
SHA256 4d5510830365819abf6aa5c51dfdac67d0ccf0a9d1d6ad6c717337be1a28a9fa
SHA512 dae5d60809973a5f8aca4b9579c8ee0953cff6dc8e4d0b08ff15e1dea877b6edbf46b6a8ae0c30684d1f37dade30a2cb1ab2aa52fd7e35d679a2ef1ca18cde63

memory/2596-32-0x00000000006A0000-0x00000000006E0000-memory.dmp

memory/2776-34-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2776-36-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2776-37-0x00000000714A0000-0x0000000071B8E000-memory.dmp

memory/2776-38-0x0000000004230000-0x0000000004270000-memory.dmp

memory/2776-39-0x00000000714A0000-0x0000000071B8E000-memory.dmp

memory/2596-40-0x00000000714A0000-0x0000000071B8E000-memory.dmp

memory/2596-41-0x00000000006A0000-0x00000000006E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cgpqm50v\cgpqm50v.cmdline

MD5 e3f33efe55bba4198b37be84982cac60
SHA1 a199283bfb8e66d5c7a562f25fb682f77f5af979
SHA256 2e329ca20b06e29a52d27c81c674f4e9a4d2a4e3f2f9db6e8203211b48ea6e77
SHA512 5949b2d71ac457934ce75af792cd173fa19edd4849e1eacdef931f0052cc7daadc832b7d66937bf3660b8c172402514257cefc516ff6ee9bb091193d1823b188

C:\Users\Admin\AppData\Local\Temp\cgpqm50v\cgpqm50v.0.vb

MD5 3dfc1912d533d8a58c7519120f72503c
SHA1 64a80c0efedd49a66e20d662069666a7816fd626
SHA256 7c50bd6ab1f3c9fae4acf6caa9a9de944dae58f8c12e99770f8caafb265a1494
SHA512 91122647b4d7ed5137c63a9ce9a870918c675d90df27d47b9b06d6932432fc17c7eed0cd8d1e50638e8be811cbc2f83f5e3a01dac5e16c2644e86ceedc4c4f5b

C:\ProgramData\FinalCancer\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcEF7273931F71463B84070DDAEAACAFB.TMP

MD5 0ad31e350f14f498b307c9b03b1ebdac
SHA1 f1a1da3e55bd4b467949f3d46cc20b98f939551c
SHA256 6504e17130c615f776b091a54eb0f8054f0826dceafc1fd7b0f173418af44fd8
SHA512 fd4a7bf60c8f6aa9dfcfd37576cabb447f15213ad1b2fa9c78a808344046e9cf998a11c1414371ac6997e778126a53133444093074c392dd6fa7a8fe1f3d7842

C:\Users\Admin\AppData\Local\Temp\RESBE02.tmp

MD5 9888fa40b293e303f35fe40433eb9f24
SHA1 372f7de1ca52883bf5b2f5ae27a2bd75b73041a5
SHA256 3b8a90045e0057e508425b01b3130f997ba7bf8239d1075283fbfcb5cd70fcb3
SHA512 c1ed9209a161cabc09285725bec4a551771e69e533b9a364adfcc772f9b90de3c3e01c136b9ef1d5b98dada2534d7d46eb60cb57a3bf0b72e087e3f12b21d499

C:\Users\Admin\AppData\Local\Temp\1u2foiob\1u2foiob.cmdline

MD5 4b96f7b2524902d3d9649b95d37da7f0
SHA1 676c6a0d56369714021b8c7ef585eb5f346c2f82
SHA256 2b0fc4d7d119298f99d00e2181e93e686e2644e7f940cfa852c846496c039428
SHA512 2b0f3f449b444afa8ee3089ce896e3d7799f2705fd87e5910d33b326b9bac0f3c99d461472c66cfc32b93763289b968e28c6e31fb152eb81ca0293b8fe503f86

C:\Users\Admin\AppData\Local\Temp\1u2foiob\1u2foiob.0.vb

MD5 947bbeb4c36d980bb08d825efea9e864
SHA1 c0851e8f24dabfcc47b43cbe42a94902f5c91ef2
SHA256 23f3eb806036137b81e92672f88d3e011038301285a60a128bae6bf29e5a035a
SHA512 2589f015c969ab95d87e49da85128b93e1e0197f40be26becd534468c86b53b82e56f43d742276d3bd22393f37c0f5739d6c4552b027b5b02e5adf1877960ab6

C:\ProgramData\FinalCancer\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\vbcE12C61B1AFAB4F78A317C51D4C7046A1.TMP

MD5 ca6c53d460c7898e1a506d851fd1292d
SHA1 c77287219d0c34023a5ca44ca121ad8fd5a81741
SHA256 ece5254ba9ef062e12b41c74ab738162f0a8c23517e4a4c7596e68a3385760e4
SHA512 48e1177457abda1db4ebc6c1a88ce8765ff01a839e09e846487516a6ae52fcabdf0c8a73727b260d4bf6b37bc329e3e4707af2f837fddca3e6165a24e8068f4c

C:\Users\Admin\AppData\Local\Temp\RESBF49.tmp

MD5 43a3a7fea1397f71a2e35960b724fbda
SHA1 7146f860921a475e3b2ca330a74655287c11ed56
SHA256 3b87cf3dd5f6e1c33265d864a71f6a7bb25b7f161669a8cc7f276e43a3d974ce
SHA512 64dd1dcd4c98ecea01699deaaa1910b245d6782c701a1823437b7514ae82cc67f16cbc6ce62fb23ba33dc2e3d97e95ae9da71057f3465b9637c609d19299dca6

C:\Users\Admin\AppData\Local\Temp\1vakq5fu\1vakq5fu.cmdline

MD5 405a9eb6b44a1a73551889778a9d1c82
SHA1 96db723666c2c423eb032634c8576f48d63b7e22
SHA256 7919868fbe826354b9f7cbd25f0f08730df144e36e65a9648c6e533b08582720
SHA512 7f4fd1d2bfd067a94c610d56b1fa4d3f823ccc6637de6d02f0a55722a98710b84a0cc7a1e7f748f946d554c312104776d7bf467c805d0734e731a8828d0e7f45

C:\Users\Admin\AppData\Local\Temp\1vakq5fu\1vakq5fu.0.vb

MD5 4f16bc8195bf8faffcb7143004f6b98d
SHA1 d8108fdb15755c22cd5df165a137b5d2af5bc938
SHA256 8d22deda1240345582850f7211306b82fbe8cc9f8a84f9fe3ca5ce3ac03be844
SHA512 be5a0f8b45170edcf250c5c822f63697da5e378fff6bbf52fbd65beb17a0683b2de1dc353eeacace0cac0ddeb389528ec34eabedb66df38a34d707d2640bdd28

C:\Users\Admin\AppData\Local\Temp\vbcFD284C408BF443BFBDB5D5592F8ABB42.TMP

MD5 ec5202e2eb61c659886752e857882b9a
SHA1 5d350cb75f2a46ca38eb4c14b3d55612033c5289
SHA256 ce4aa768ccd7806aacda2c7c3710286d6c28ebb2c24396140ef186c0f3e65127
SHA512 fbb61bc31c070538e6d1c7fd6c6df95b7817b58ed11d05634374fe93d216fa103326362d055d511738b8b3a91eff650ac0428ed8aaca4b78995d54201b691632

C:\Users\Admin\AppData\Local\Temp\RESC043.tmp

MD5 9978c02da3d18c73b715c35bfd5bebc1
SHA1 2dedabb6f13c7cffcd548696d5b234f4c89ebcea
SHA256 d70c386310ebb76a9fd39b84ab0cc87cbe9742fc47137103122f41087ba6f61e
SHA512 0a8f7edfb9908cf0c73330e8b23e54a72a5c3639696f3f2c07929de04a8b28ba2720c0f883a4553a9e7fe061c3a31ca143172d4ce20438f0b3ea96bc13d9a97a

C:\Users\Admin\AppData\Local\Temp\sfhyxags\sfhyxags.cmdline

MD5 d0555df2a94157067e03eb22650239f4
SHA1 3113dfd9ee3cd49e0e7c3e60be720c6b8cea4e75
SHA256 e2cfb63227456ca42638cd0de2c16292d5130fef814d3b8777798e25f79388c2
SHA512 1c21d15c3dd0bf4f43aee015b6ffb0b84fec19c132e0e39fb05e654ee66af027af2b33d540362f4a36251136c8d5d9dbb2bedd06e0b523b59874afedabe0fd8b

C:\Users\Admin\AppData\Local\Temp\sfhyxags\sfhyxags.0.vb

MD5 5468e283cbe84c3f87136870c07f13a4
SHA1 1625c084c011837f40a489ffc75e1d57a2886dbc
SHA256 f59f43e9ee0aec96a0d838ab5469a198a39a3c8b0c68c6538da5103953c007ca
SHA512 dc3d26f9efd6e023ed1530a912a26961b2ac16037fa71aec3ad4c16069c2ad0444dee5157552f960b2f7953708169392ce2e7af6786452dec221240449b0ef0a

C:\Users\Admin\AppData\Local\Temp\vbc20D610C2C143496981121C1F84A51BB7.TMP

MD5 ecbc1db98cc372af74d55399addae499
SHA1 ac8543ab72cb623fb11dd0eac686969e8c521e6d
SHA256 6dc5ab7cd5ecbc6328466e78c3c4b4fd2b6cbb5a71ddfffd05127a127d157894
SHA512 a709c2bfa63ed51bac2ce785da5e4f477116a3f860f59e561dfe3944bff10c04e28fd1e1d81decc8329eb9d3dc65ed4d542a39e16893b5f179e11e0fce05f572

C:\Users\Admin\AppData\Local\Temp\RESC14C.tmp

MD5 13019e72b73d5fff8cf65b9bd8a5deb7
SHA1 652f2cd278482dce79f957b0204391f50764e819
SHA256 cd5fbe71fd9bc2285f48aaaa604f84dec366ac4615c236bbd5e3678ccf07e9b8
SHA512 077dbd46531e5ea5d721e03fdc889d59b1f6f21ed9a5d7bd0f1cfa1cdfa969d0aa893528645d16171db3ca2de8a97d039c0fd27d4b7388880694061439b37df7

C:\Users\Admin\AppData\Local\Temp\di3vtgdb\di3vtgdb.cmdline

MD5 c65355afba382b7663d84ac7d14eff69
SHA1 985218dd63ed225409d18cabd27ce1382dc5c32a
SHA256 82f3f7665d418727767915369a72a1489f884b8781ebf1828c72e89e8a14ada9
SHA512 a8f150de7ce3dec5b3f3a6ece88c9126cd92c62d71025386587cd84bb9ffdc5dce14beefff23450ec0edfc79d2b0d43f4e39d474ae14d7cb2f61d5578c4b89d5

C:\Users\Admin\AppData\Local\Temp\di3vtgdb\di3vtgdb.0.vb

MD5 9142a18b01ff279872841047b51af510
SHA1 5c2d3e41d89c3a9c3bdc501517eca75e0f7696f5
SHA256 5b349f3c62b28fb90ff3a3dece5af80ef2f43411b8bd69cb0b36249dbe4c0f50
SHA512 bab3f2e8cd81497cf470cbce824e15f12df96e498498fd839a44abb50b841ba1cab82f3b3f4935877bf4efae2d5daa6ea7726ba4cc5499cdc799e401d9820424

C:\Users\Admin\AppData\Local\Temp\vbcD6A39A5738DA45DB9A777C76DE6FDE12.TMP

MD5 d9371a70f4788f0cfe715dad88288588
SHA1 2c94bf76cc04cd7c30104e106ad8ba0f5300b803
SHA256 cae32ac785735fa054cdb8d7a39116d847a117656578527d77f7e8fe79cd0af4
SHA512 e2f7222030e2f8bcc6c2be2d0f292df9fb7afc7806bb7340e2cc1b3f6540397d38fc8e9192774a0e4a1ab5b8c1e922ea1c8203c111b52970291b972e8f16b90a

C:\Users\Admin\AppData\Local\Temp\RESC294.tmp

MD5 7e76d76df2c4f764afe748eae5bb1644
SHA1 a8b68b239ce93f797cbb58575cef2244eba4aad9
SHA256 3221115e16f3822031ab332573aa22342acf4949ea971d787da3a5cf20d55924
SHA512 bbab3ec48650c77afac699b02c2472a9f2dfcbf9fc72d73e13c15ae503cb6240d2a38b4b4890f271b197dbc86ba06c8c2f2dc75a3b26ab650ac47f9a567ac6ad

C:\Users\Admin\AppData\Local\Temp\zub2r50e\zub2r50e.cmdline

MD5 ebede3443958d2a9bc9c2eda9dbcf4c8
SHA1 375a96307214cb48e51ebb4ea606e5912c535d62
SHA256 33164139417c0e10f04b533d5070fb0018ae7204fbdb4debd67d84a04177c010
SHA512 12883ee13973c1ade4c18887f2f98691a0eeae50203453b5547c99a55359bd2945fff4ac771d50c26320799c5fa48e39305265d94dbd340b5f806406c0092bb3

C:\Users\Admin\AppData\Local\Temp\zub2r50e\zub2r50e.0.vb

MD5 39f1090051deb4a4a43bd29b8814dfb8
SHA1 dc42c563bb81474709203426de65d06218cec279
SHA256 d08fc6785cc2c58653d2c660a0ef631524610bd247aa6fc992527c7e1042ab47
SHA512 9b794441eb4cd585b97404de86c3987c3c119bd5692daf9d7aa33f16283f2a3ce472d431304500cb65535b7ebb6b2da49a85b97ca79ab202b4d85dca99b37cf3

C:\Users\Admin\AppData\Local\Temp\RESC33F.tmp

MD5 19ebdafbb28a4d22db5ed9febaee0937
SHA1 b4646f000077e780ae5e20ba47607917196cf52d
SHA256 ca3b0ac116541e6840ce72961eab556cd6fba43c7576f81144ed9a279f1c78a5
SHA512 54ea6e19ba8a82f30c8be6b59ac7560ddfc79addc0465ca610b7c0bd5a8068cf57ddd2766cbe88c50b1b992b11765f3d1e1003ab0f6c74b0651373a7f114c5fa

C:\Users\Admin\AppData\Local\Temp\vbc3AF549D4E9C646A5B5861EECEE2A2A9F.TMP

MD5 c9a4ac95cc98a1ef8db71e9ec8952db5
SHA1 a4bd495698a13f483630ef27b76146c4fcf3829f
SHA256 61522fc53ae67e19daeb769dcb561dc6ffe17772c86f197e56096b9530a0bbea
SHA512 ed45945e60199ad768d41337d6e9a26d60e873f476c871dc78acd0617eeeb1bef7a6c39c906824030fc7b164ff8fd116cc7522685df48e6c96383a63dcc1a6d6

C:\Users\Admin\AppData\Local\Temp\gw03hshl\gw03hshl.cmdline

MD5 605da44ece2b590ee615b718e73ce02a
SHA1 1dd6e9cd5b3546925ffa8460bf66a7bea7a679c6
SHA256 ea0286e4f647be34f43d69dc3fe7f26a90ff531e39e5af01f5d3ae192a5a835c
SHA512 7bd29ffbaaa930befdc072c346370b9068d9e8c92e66b119ab285a34c3f93ba9ba63ed3ea9c584e9e4a927ba4cbd5fe9b65dd52b45031bd15a648334852889aa

C:\Users\Admin\AppData\Local\Temp\gw03hshl\gw03hshl.0.vb

MD5 ec4a6c4c37c41025c6514c1ee717f9df
SHA1 396e60cefc15db8324c137c420d1b69be6cac00f
SHA256 72b07a8a7d88b81e3a65f1af9e988f4edb05944ee70ab87f14cd93b31589e9b7
SHA512 94eb5b790ede491b3250273385e81c03ef71a8f1a0249e8c2dc766c4cd3c79c35ed6dff3cabb06715f183866d7844f823140cf8c10c86caa7adb3956ff94a559

C:\Users\Admin\AppData\Local\Temp\vbc539D3778783443D49B81BC5837BEBF24.TMP

MD5 245b250daa21e9d3829321512d90732a
SHA1 14282b34edb91323d4827a9b8f0490004887e077
SHA256 8e5845d2f1407c0db1cf6bf2874424a421058da443598e762874cad2c4a7ff0e
SHA512 45ea140234799c9139dc7884db0fb0291e243231b6ab9097a4252d4dbd9ea17e5b1d0bdf3adcde8c427f50c731076e9263e60a22f80a19cec805796cb5fdf8e7

C:\Users\Admin\AppData\Local\Temp\RESC3FB.tmp

MD5 db4c01e7a0a4e4a923030a15925508ce
SHA1 4b9e7b8f92f2c666bae093ce26249c6b84566081
SHA256 cceeeabd76f07aff8eb33f03bf5c1ef49a2ea2933edca9bd3797bac84932dc98
SHA512 b3d7f67a8bb195cb6f996239f597fbd8afc49042c646970498f8dbe1c3fc197cd7d19fb19c11d41396128e02e941f9cc39a836350875ad552185e37866b71eba

C:\Users\Admin\AppData\Local\Temp\vlzauywb\vlzauywb.cmdline

MD5 ccb5c04b175b9eb688831811c9af1856
SHA1 b5c9d4b88f9653e35783d96f2287545f5ac67f86
SHA256 922d75b3ffd94df7515f07d835b5a088fab29bab95904cf94e42ec208ab6b349
SHA512 8596d70fa4e10f15bbbd29dcbc157b652a15352cf5c5895283ff22e2fe34cd4d4644fba194c85687e5676a0b2d16af73c88efef0d90f4a5d6383bb43138d4f44

C:\Users\Admin\AppData\Local\Temp\vlzauywb\vlzauywb.0.vb

MD5 0d4174c11e206d3bad116dcc684782cc
SHA1 2e12d3e6dd5a25a90b2b9ea69020ecc04a5fa8dc
SHA256 c7a4202afe745612af78b3abd57b5187106aeca58fed11f725eab06040b18bc0
SHA512 769902f903486f824d9bf76ef7892bd1711932617171f7d3ccdf550ae171cadb65d86fd8a4994df21aaa121ac18981f165f47236a0d20185691083656d600a5a

C:\Users\Admin\AppData\Local\Temp\vbc94799B8B3EBF47918E3DD89376B05415.TMP

MD5 153295e79d5e61d8b008e991a46afe94
SHA1 2362ae3c0a8e976ec781dabb8ca0280ee4591a9b
SHA256 d57f59431e73b6a88deaabda69683c39feabeef734791045db7a80d99232b521
SHA512 d8af032dd0e647da4575a065e2694fbeed3dbb3d4d459def18187eb9e252ab3819903442cb6f3e4c576d1705caf058d15d2df47088e8aa089083ed0384becd95

C:\Users\Admin\AppData\Local\Temp\RESC4F4.tmp

MD5 7cc4811895c57063431a7d859c6af3bc
SHA1 42b2341a595feee42c97e3910fb66f5da3026429
SHA256 fde824a62ab3222176ea997e04c65b6f8d643d56cbed6c5a9f7dfe3156ca88ae
SHA512 771d25d11ec61da7884859113933aed5ac1e68913e36fc85b964abe6022b720cf5f6d38483907d272a6e8dada8c56d144064274482f2d559ab3f0943b912d693

C:\Users\Admin\AppData\Local\Temp\ufuwoti0\ufuwoti0.cmdline

MD5 5d01c3c535d0b38ca46f87929b4f6179
SHA1 892fc6eabb33bd038a91782acb2c36311c0e4a52
SHA256 753cdcaa49c442065233b8eeec7ed433bd337dc32612100a6d9bfa400fc69696
SHA512 b976922f285e82939b9ba4d62cbe3a93cdbeb53c9bde8d2affe2d1253d420106d14c9bdde938dc8df5fa180ec8b6e0d534a2fb81febd43ea73bb5e2c7063e04c

C:\Users\Admin\AppData\Local\Temp\ufuwoti0\ufuwoti0.0.vb

MD5 70af9c1b36eadb0975a3b7b6396d75aa
SHA1 ad3e32d8f6e4b45e39b25c4690914521e893db05
SHA256 65cc055af8a35f3bbe2cc55418c2fe338a35f298c3fc45a6c0421d6bf9ebfeaf
SHA512 39b764f186469afa343ba755ef2c15e4f82d928d85e787e3a910b4210cfb3fee0119127c11c7794ac5e5f818bd2feae8b462237792e458ceae39ad1f55e30f1b

C:\Users\Admin\AppData\Local\Temp\vbc5BA791617E164CAEABDFC79308BE68E.TMP

MD5 e9bb68d8856cb9053b1976f2f20f0270
SHA1 a5687105b76b7ac2d1de4c76cb2fb3e5ab5110b1
SHA256 dc431a72c3bfdfa4163c4c05368e6e25e45c40fafcd95f8c33be3950f342a1fe
SHA512 6b48d5b82759aa65f76c46d5c9cf2fb6c1f3c562e95f138f5d2fcbfeae506a923d9f9c1ac8c0cbbc9d1c9a1859ea5a3978bb4e898c4429d22e34fedcc46b2871

C:\Users\Admin\AppData\Local\Temp\RESC5EE.tmp

MD5 f36a4449e69571191420f24c62531264
SHA1 eb9f5937397e0190871cfa542e580782dc18b7de
SHA256 6cf8601657022c45fd50306ae386f2c0dc2563d9bb3b1bf56d82a9e953735d5f
SHA512 2152ae80bfaf07d84654eece9d20731f26e83a517cba505a4678a341ee74ab07cf851d50601bb3c150712dfe300bae9a5e73d7019c9623763ea7d2e9cfe8c2ec

C:\Users\Admin\AppData\Local\Temp\0xqy4xro\0xqy4xro.cmdline

MD5 7d8b00448eea9c89b90ff7309c82ed6c
SHA1 ba256d075948ec1c2024211f39394f6e5a6e02af
SHA256 70fda0ec4c3e15d531040eda1ea2b018aa29ffc27a7de90a78e93bb0c47fd1b1
SHA512 47d82c6a4741a2c30ed1c0abd494a65075c8e485c2314012351ca67fd346b2967330968df5b8d9d44f19d575a57d626d68d39b2fe287945b37b3736a167f73e7

C:\Users\Admin\AppData\Local\Temp\0xqy4xro\0xqy4xro.0.vb

MD5 e12c96de46debdd20e91958031bfcc54
SHA1 be562249eb536b4f772b719a798d136b39bc07d7
SHA256 d4c706d54244d4a4525f728baeba2f0c43a3a1d4971f99a291fe2d16f9348bef
SHA512 f5441352ba29b8f00a86d9f67c7eef9425d09a67fb4c2e88173c4012bfe16401ed942a182c5f8e4bd87551430764f661acabbed032ff219e5e5c3b09ff136353

C:\Users\Admin\AppData\Local\Temp\RESC6E7.tmp

MD5 1af9d6f40fe3b1c76e5403d275429e4e
SHA1 a28bcbab280b4f2baeeb4902234eb66ebb1f42b7
SHA256 07b1ae198ebc53918d6bd4331122cc69e06c36d2a4d16c4ee2d492f808f928f0
SHA512 b173d63c040b40db610ce195e825fafa935ab35e9a560dd971f240edeb73e201e7fa46349857cd7d552323fb4283374a18290cc0173584d7796dfe15b96b400f

C:\Users\Admin\AppData\Local\Temp\vbc98CE14622724A3AB5A39D206CE47574.TMP

MD5 f23d0b9491e31872027170690c0e7037
SHA1 4ce40fcad0edb3fcd89d2d52049ac4414385bb4b
SHA256 c62a28595e7dcbe13859b529d0d1d39f6acbf22505d356921db2a26b80624061
SHA512 9f40eb9610f95ed53ca96ddde0e2b95f74900758195bff7a7e80dccb4ada6ead52e30958f139ce1a35e97a8dae53da26bc389e770538f5470e00194d43588936

C:\Users\Admin\AppData\Local\Temp\sikxynlf\sikxynlf.cmdline

MD5 1833e0aac58327a5223c6d078f1ebfb5
SHA1 5626db21f7f1fb778a65d07b49956973e8ec76f2
SHA256 3ce3022db7646895121735ccb2d9ffa3afc48db4dbe0d6888165a7485e2bfd39
SHA512 53506649d67c843f0882e9637ae3d68ef2834d3de53628312295d9d9db939d4c77c43aa009519266da655371a24987519f008d06edf4826ce10443b7904e35df

C:\Users\Admin\AppData\Local\Temp\sikxynlf\sikxynlf.0.vb

MD5 a25ab47471edf1ddfde1ac6dfefbdf5c
SHA1 38fe981ac57cb369ec38e3f07841cc7905bf70a0
SHA256 3502f5923531697e38c623c4fd6b6f47c25d9e819f016b84273ab08ea2fd92f9
SHA512 66e7e1b930062a7778de85be4dc14d60af0502bd1ec479d28ef8105c469006f6f7d531fbf4dd92894249079b29c20249dd8ba3fe814290aa9845e02efb59747d

C:\Users\Admin\AppData\Local\Temp\vbcE3230C85161F4F328DFED4A13CEF16AD.TMP

C:\Users\Admin\AppData\Local\Temp\RESC7C2.tmp

C:\Users\Admin\AppData\Local\Temp\5hshyg0b\5hshyg0b.cmdline

C:\Users\Admin\AppData\Local\Temp\5hshyg0b\5hshyg0b.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc42C7128A0DA46848D442A193994DE16.TMP

C:\Users\Admin\AppData\Local\Temp\RESC86D.tmp

C:\Users\Admin\AppData\Local\Temp\v42nqlik\v42nqlik.cmdline

C:\Users\Admin\AppData\Local\Temp\v42nqlik\v42nqlik.0.vb

C:\Windows\SysWOW64\Win32NT.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\Desktop\OPEN_ME.txt
