Analysis Overview
SHA256
a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c
Threat Level: Shows suspicious behavior
The file a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:19
Reported
2024-06-04 01:21
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\loadmxf.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\Narrator.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe
"C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e1en5zkc.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A1D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2A1C.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\92c7b3sb.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D49.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2D48.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7rzhsaex.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3045.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3044.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sf-ftc1g.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES317D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC317C.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\azkrqhjy.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3209.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3208.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-g9g-iqv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3296.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3295.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vghv6blk.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3341.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3331.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfzkg2m0.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES340C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC340B.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oxzuxtch.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES346A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3469.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lxmfrqtv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34A8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC34A7.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2jamua-y.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3525.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3514.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zln05jij.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC362D.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezxqshkk.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36AB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC36AA.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\akn-y48m.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3718.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3708.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ohxezc2.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3812.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3811.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u-tsyfnx.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES389E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC389D.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\du4w49ky.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvar4y2e.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES392B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC392A.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\504gvd--.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3979.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3978.tmp"
Network
Files
memory/1996-0-0x000007FEF59FE000-0x000007FEF59FF000-memory.dmp
memory/1996-1-0x0000000000650000-0x00000000006A6000-memory.dmp
memory/1996-14-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp
memory/1996-15-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\e1en5zkc.cmdline
| MD5 | bae3542094c46e98a7f59e11076dfc96 |
| SHA1 | b44a46ec266657cfe88b0a1c3b2d0a7d29eb1419 |
| SHA256 | 1e0c09db045444449636b50057a383574a3ca20b9e7466d42f05688e9e162178 |
| SHA512 | b481295d470737ce4ea617fe38163a250df46a0ef4acabd895fd0ccef30bc670200465b1ac82f22e55adafbbffcbc7b3ce25ff0f781297df3a5db841db536eb3 |
\??\c:\Users\Admin\AppData\Local\Temp\e1en5zkc.0.cs
| MD5 | 437cd2d9e1d60e175f5f2e16abdd5734 |
| SHA1 | a16e3175c91d994b71fddd1e5c1729d3c8243c41 |
| SHA256 | c753ecb23daccefb214f681adc53ef15794b4fde4acbc912e68a839fbb95b3e3 |
| SHA512 | ee06de87ca504f6abdd7168a673d6d9e41decad1a8e6fcec34587cf944dbfe7f61cbdac9dccf3254b3239015c9bbab0e1c73bb6e0460f6f15f595a29e41e4705 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC2A1C.tmp
| MD5 | a36576a83eadcec35e19c8032cbad671 |
| SHA1 | d0af584ff375e9b0c023e3545a032565b48dc62c |
| SHA256 | ce030c9e85a6f58b53ce3bcfa3124d4834ee9bc44302d7d004dd0f45995f0247 |
| SHA512 | 2cca25fe1c1e5a32e79c5f4f6cfffecc4c8be8d1af0c9ccde4f2fae4902ea34842692ae5009340a5e52396451555e8b5a532b3a133c978cbc561d1959a4d9d48 |
C:\Users\Admin\AppData\Local\Temp\RES2A1D.tmp
| MD5 | 82c3fcf2a8c500a24a0e13364b4dc636 |
| SHA1 | 3296dd2866030491c2fd6d25a4f22060d533a197 |
| SHA256 | e924f1a2c59f15cda4766f18f2277a0157de5fca306e70c55b6f7cb9fcfea059 |
| SHA512 | a76167892d2f080f68f89e161c7c60bbe812299e934d14ad6343481347d0aa8e5bf363d0433805a1af2fc08e4507337963a8ff185354bce107467a9f6da07836 |
C:\Users\Admin\AppData\Local\Temp\soymame1622.exe
| MD5 | 24a77f1ded6d435dbc15cd8f06176f72 |
| SHA1 | 581d5026232eaccff3272b2d2e119a4676ccc845 |
| SHA256 | 7462881170d8379aa1d353d060098b579307fab6a725a2297a84309bcdaeabcb |
| SHA512 | fe728f6e958563cbdfe994196d9b072297507ea35b8e9c82b74817ae395791ddeb0a32858d372b6095b41b74f590e648aaf258191ffd8847091258ac0e9e231b |
memory/1996-26-0x0000000000360000-0x000000000036A000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\92c7b3sb.cmdline
| MD5 | 953c8eb2610c79a2bd4c4f510ef0a657 |
| SHA1 | aee623e135ce70912f679e805c3209906d45700a |
| SHA256 | 55872c892ff57c62c6229d1bf3a459813ed4a6df6813eab2be6a137173c71ef3 |
| SHA512 | db1d36951df73d5a03f8dff4920f848bbff95385f2525fea23e19de5ff2e787018bf843a986cbd6a2071d9fc273bcae021c59da0e1293f842139c11a59e9b19f |
\??\c:\Users\Admin\AppData\Local\Temp\92c7b3sb.0.cs
| MD5 | 686133a6a3368621fbdff6f28ce89c1a |
| SHA1 | 9836efd8e1a5e3339fef0137f50a3c6ce39b961e |
| SHA256 | 36a86af11f953c6d40ab22c44ac1e70677bedc4479a1a1159e82dae5242f75d7 |
| SHA512 | 69e2e00030c21bf3f768082273f9b34449194342b4f9ceb71720d93af3535e53e8185ee1b82884643bcbc05758845c684d767c69b1e984fba430bf33b73cfe60 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC2D48.tmp
| MD5 | e9e94fd44cec49fa3fa357e52fb109cc |
| SHA1 | 29abe7c8a3d9bbdeb573bcd6693563da77e128b1 |
| SHA256 | 2942322b0b04e3aa87f1898cb63a92d58118cb98ba994301fa77a747765fcd71 |
| SHA512 | 6eeddbbc566e230c7946b85cdd88965cde03a5f9e464e27fe01d66c12bc68af8c4040edb35197bf52e8b2811b7df975d91ddf059430d5dad170822747fe4a8c5 |
C:\Users\Admin\AppData\Local\Temp\eexrrzq475.exe
| MD5 | 2911e183e8e181deb5c3e12f92d7116d |
| SHA1 | 823cd006a932cbc569898c0dfab01a8656287be6 |
| SHA256 | 4d8677f173bb25513767c7485cb199565b91fe7e28aff3d70de9eb6b94ccb832 |
| SHA512 | 9ae8f37801ecff81d9997c23303d526c1393660c66989b4f63ebc00a64b5fa1f6b62b7ea770c6bfe186b43603d022aa98c78a035a610a84c0d365b176ea2d98b |
C:\Users\Admin\AppData\Local\Temp\RES2D49.tmp
| MD5 | e3a3bc1634bfa3cf30b8b871959f184a |
| SHA1 | d9ade22d00853554f23d1e68a167a8dea58c9cfb |
| SHA256 | 3c4779add0d2ed037743c92753f84b24ba78d14f28f0c9759f79ac5c6e31f25a |
| SHA512 | c44ae71a16d4909710d671778f3f189199221f1b2b39bc158d8a72eee293949b4e75b2d8383f4e4b93a8937ca110b2c77cedd52e82fdf3933cebf4c6abffe357 |
\??\c:\Users\Admin\AppData\Local\Temp\7rzhsaex.cmdline
| MD5 | 9a392aa11d4e91a46607fe39eeffd47a |
| SHA1 | 4fd3f3b9ab8e4d27dc137aef2c32b5598b5e920e |
| SHA256 | d3179acc2f4038b7dba34895b58a0d2fe192299198f4472b097aecc081afb523 |
| SHA512 | 595b090181a2a742a0ad1b7745ae49fb6c2d1bfa4c9abf10429575bf8cc0c98125136d19916d489edca61fd5efe455ce9f85470e1ba4fff5f7ceaff504f95e0f |
\??\c:\Users\Admin\AppData\Local\Temp\7rzhsaex.0.cs
| MD5 | 572d3b7014235fce53ae8af16cd43159 |
| SHA1 | 87520ecbdd0c1c39db3032edb9fbcaaef4c776d1 |
| SHA256 | 6ef06ebb960b5ab1ac721291379c79598b2623345c945b2ea14a77e899c3dd4e |
| SHA512 | e9bd4d03521f8d1f24fc7cb4709858526619b518e8e21971ef54af2c424ea277ae3b536e9fd18553c8ace3a3f67f0fd7b3f5af47cbe75361ed91da6b60b4a8f5 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC3044.tmp
| MD5 | 940e8a15c8fd7fe3b5e56e8e1f54835f |
| SHA1 | 95fa6da674380d072ac36ba3ff8bfa40da6f014c |
| SHA256 | d443f001eb9cbc31f934ef8140d73ac983dff6db0693634e8e20b85ea97c7307 |
| SHA512 | 38523d36ba221e3de73078a91411cd86d256b6da57489431d28917f4d7bb010687b3ef995bf9c4e700bb352bb755eda24e02d4d63f151de606b94a1498043c1f |
C:\Users\Admin\AppData\Local\Temp\cyuniwh142.exe
| MD5 | cadf81e5a5c16c665c4fb3f0413b1a14 |
| SHA1 | 96fde5703b5f10b2e2f9a82aaf4e2b27b28211fe |
| SHA256 | 2bf31ae6810cda912d228b74888c6cde90faae44c4a232a6eee3c1f1da8c7ed1 |
| SHA512 | 40b8aaae7c4f01f59854f2640e91e1a2fc2d631f681bd419688b8348acd9d40f0d89dabcc6a659f2644f2cb62719852c95cdaf9f141a54405b02d0c4db7867d8 |
C:\Users\Admin\AppData\Local\Temp\RES3045.tmp
| MD5 | 5f7651e71ac52278739b034974bb56a7 |
| SHA1 | b9ef8825a41c0fc9bb53dd42f8c29ad2c0288f9f |
| SHA256 | 5726e4bafc4a22d0889547c14141163064a9fe3f9b074dbcebfa00462a549422 |
| SHA512 | df0ad2d2cbbb1cff19c56ff9de4beb49dff08b3895aa2a92a002ca83d1d4430dcef8e8d6223a6b2282a59917b202451a0be1aa761c3825370def5db40e38f51f |
memory/1996-55-0x0000000000610000-0x0000000000636000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\sf-ftc1g.cmdline
| MD5 | e6f80cf7a08a752a13d5c044c660dc78 |
| SHA1 | 30975c5eb8030af3d450c50508a1e93ad0212d91 |
| SHA256 | 6ccfa79d394fac366992e3af5f56244e948416ec7cd4d349a8280be7abe0564d |
| SHA512 | 513588f5f0957f134c6d32d98c2dbf0c7f2486287e3769db8e8f8eef0d0b97663cce9da9276881c32a7dc3e653c435fb939bc197de847df306d15ec7c397c8ba |
\??\c:\Users\Admin\AppData\Local\Temp\sf-ftc1g.0.cs
| MD5 | b493f1c82b0d32e0ac03bf272f312681 |
| SHA1 | 91d215782437dfa1d2e84af568e258c1cf7eeaa7 |
| SHA256 | 28af466eabedab19e4b84e79cdf4f90614ad1177ef7c5f76adb53d476cb102d0 |
| SHA512 | 90acdadbb84be8ba1ddbfcccba4838e55024eeb6d9ab9494dd5aed87d1b786ca51c32d808b67e107404c33b717ee362ede0eeca7775caea820ae71fb9280f940 |
C:\Users\Admin\AppData\Local\Temp\ruiyjzm905.exe
| MD5 | 56ca31aee45cfb562e75a9afb14ed6a0 |
| SHA1 | 2e5c804db254b2f88224fe81d7986fdd3d05fe4d |
| SHA256 | fc1b6737deeb0e32a3a8965a9442ef46eaf482e4bf8ba15e39928a5fbc20bf65 |
| SHA512 | dc1b24fa4c00f0e85e4479cfeb59606010b2bace4a8c139afdcf3979a4bd08c4d29497979e642b1c64db88e4f04534beb3c067f9da581c9385141c7fcedcd2cf |
C:\Users\Admin\AppData\Local\Temp\RES317D.tmp
| MD5 | f86b8e77a23ed5dc53182fc68357b310 |
| SHA1 | 1015798e05d4baf43f5b457855892776281865a5 |
| SHA256 | 95963980ec02886137c1c207a6be5e31239841d8ca7f58bcf15471605d9f2983 |
| SHA512 | ab068f630a00c0754419984721506920a2ef341d22453e3caec6142e9692e0cff6b374b5237e372a441a1e7fa666c8dc7dbd8b17eb5ed07cf933fd0ead510fbb |
\??\c:\Users\Admin\AppData\Local\Temp\CSC317C.tmp
| MD5 | 7a9bd4c6b99501ed5187ee123c8d4e9d |
| SHA1 | d1e4c630b2d0f9ea69444dc73693e072ada5e700 |
| SHA256 | 2d3db7abb795d39d632fada5bb2dd994f8e60f69e8476dda598b958b92d39643 |
| SHA512 | 7a13849046e4e9df571ccfbc852c6f4fdc8772946726e24a784d63ff9986bead56239eb37840ce0b4fc912a4ac5f7791d1beb31b478911fde01283b181591412 |
memory/1996-69-0x00000000003B0000-0x00000000003C8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\azkrqhjy.cmdline
| MD5 | 1d7a9c7312b879412d4108bb8a9c1879 |
| SHA1 | 88bd32d13f4c77fb87bdece4846c1d77adc87a40 |
| SHA256 | 280cc44087bc4195bfc8197043ada0b82473cbb74b9dbc8fe86a92a14c4c18a6 |
| SHA512 | 24ae26930b51fccd764ed8ef3db327357cd106622e4f2963f7fd8509d2344eda9b97f6b8442cbc9bd067c685f54d504efcd3d57384ad14e1d8e28e0fb3621965 |
\??\c:\Users\Admin\AppData\Local\Temp\azkrqhjy.0.cs
| MD5 | 28d569e3681db2d83220702cb1917383 |
| SHA1 | 87541688344fb72bba2e163f85081e5f8e1eaf85 |
| SHA256 | 867c0986b313539f471478dc347e73d1345be219dc4fc86de97f6b06c38b9ff5 |
| SHA512 | a2ddf1b34aae732f676f2e530437526ac93a74ce62b22e3387fd560a7e86c8343629d6c4d81534397b16c3d6ed611361ee61fcfe4fb2a1faf18a72dd355ca8bf |
\??\c:\Users\Admin\AppData\Local\Temp\CSC3208.tmp
| MD5 | 3c13923cb9d2496a868247a21906b02f |
| SHA1 | 9778be9482a65f963da94d76893ed1c78135991e |
| SHA256 | 797e6181599c744d60edd5a771476652abe241ea5532959bc005d984fef58d37 |
| SHA512 | 729caeedbfc4e5d6d988a4fd8a1e1198516a135a55c8986d59a778824b48de73615eaa16b82cef64804a1d92e0925b893e781c37140050db46356415bce5ee62 |
C:\Users\Admin\AppData\Local\Temp\RES3209.tmp
| MD5 | 486202328978c4a9d71d5f5a515b92d2 |
| SHA1 | eeaf4081550951c1d6b8342876891a66b5d5deac |
| SHA256 | 4673b7f77b8ce7c766482bce48d56f9aeddd5443d87ab1f2d9d4a4f055cc20eb |
| SHA512 | 2358e01ab7fd9a1a646454f3518eea004b49da978efd968d1e16110703039953d6fb502d7698b2ea0def1daf1586fc97c0764f8f4693bea95085b52f064bd39f |
C:\Users\Admin\AppData\Local\Temp\okkocaz1648.exe
| MD5 | fc4565548977b11fb6ccb7c447bc6faa |
| SHA1 | f524489e7613cf494dd16e15fe01684345015133 |
| SHA256 | 915617f40fc2ab26819637725fc27d34fec03dc6f181b9e92bc082c59ec007eb |
| SHA512 | b819a1b4c80587076af7fa7b8ed6f35893084fa624de35de7ca56c235cfad977084b4300747ac714e7ea23165571071f6823ba6a9654eea6e8f6b6995df5a83f |
memory/1996-83-0x00000000003B0000-0x00000000003EB000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\-g9g-iqv.cmdline
| MD5 | 57aa7a696cc63b5a7b95b6f7c9ac66c4 |
| SHA1 | 2c7eef3013351d10709c672af7d4dc4aec8435d1 |
| SHA256 | 9e51a037c35f3004e4adf7013aa5566215cdba4984aaf34d0a9c1c895d3db51e |
| SHA512 | a3cb09a13b032209c09c84cb30b049aed2b5ab84e1371505b0b2d29b820f7db241eaa928b9ddf5c7cb1c22b8684d2523d1bbd27b49d35f92e72c2c677280577e |
\??\c:\Users\Admin\AppData\Local\Temp\-g9g-iqv.0.cs
| MD5 | f80e98edc386427e4177b473f04796ba |
| SHA1 | a45508ecc249b1d0f44d7589c5e782ac67687935 |
| SHA256 | 7f0581a96d0da99068d49d5f9f1d9adcdda0fc72eeb5f39f495a7e42a026d211 |
| SHA512 | 95c8404318812d2e964662fd8f00fad8134336f3f3560338f27cb2704b6828a052d51a4badc01d075bfec6953d93c8056bb9ff360ba8e39ee67f266a6d1a21c3 |
C:\Users\Admin\AppData\Local\Temp\jxakybf1895.exe
| MD5 | 93a1f8ec9e8fd4f93c6aec42f7ab115a |
| SHA1 | 9d17d82d120935bfe5bb16e1339ad0031eca21fb |
| SHA256 | 036d4f43714b951b193732f7c25ebe16b551e20b5932349a5d2962b3ca039449 |
| SHA512 | 60204fb93b3e89f301509bce11a683835f5b35296dd6e4fe4a24c888ba6214a6ed36c69219a900f6665031723b444d02714eb986f1e9df7c6f4b5ac735a39e0d |
C:\Users\Admin\AppData\Local\Temp\RES3296.tmp
| MD5 | 3e8a412a5e6fcf56535ae277c243c4e5 |
| SHA1 | c4736da17855b09fb74c886a072762c90c33f5ef |
| SHA256 | b77eba4c0c5d0a08601c8658f34a4d7cdf50fa2103b769a7f4774c1cd1df4770 |
| SHA512 | 77b6e56b7d2f2810fdf1dc7348efb604b01f0f40d7d73bc3d0190cec762669e0af3e94b713857b0f7951c68ab2cc009440893152644ac84bce53f69e7cf587b2 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC3295.tmp
| MD5 | efe2e2d839965a55b435885489f631b2 |
| SHA1 | ebb155245ee7bcd14d8d63a97266b5963774fcc6 |
| SHA256 | 750d3dc05ac620a1fba1eadf84e0a2533df501b1cb251f852644a1d7d821cbe3 |
| SHA512 | 4dbdaad253dfebeff67856143554f835676f22229410bb2a234c81de26ee1bd79e254bb38df39a67e51eb1a0daa2b2b285895a8c23e4c23aeee0f68426dcdede |
memory/1996-97-0x00000000003B0000-0x00000000003C6000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\vghv6blk.cmdline
| MD5 | 8e7a6e6996aea2aba1e7c97a9d570ebd |
| SHA1 | 10d1406b42587a64d751620dc5d9802aff56639f |
| SHA256 | f6d76c6d08515cfc72277cda481ce12e44c66bd05b53c265b18e077ceb3db85d |
| SHA512 | 1bd63a2192c7ec3f9011c6cb8ededa7d7211be0af4f64a7482914fe51101756c2031066c8b5140e2675733b808ff0c2e56deb4f618f682e64be338c49f71ae24 |
\??\c:\Users\Admin\AppData\Local\Temp\vghv6blk.0.cs
| MD5 | a27153164c39342b7d2b78ffdae3ccde |
| SHA1 | 79a45b1f3192be5c4c41320152fca837ade53380 |
| SHA256 | c7262f2e4e10a11b9564e74c3040a60aa1dee4fc243f5dfbbd0cd02b6ec78884 |
| SHA512 | 52a368b8cb5c42ff3cf4bb15bd12958a04eac41d66d5a7812a9c5ba2ab83dbfcecaf546722650c944b1bd068dfc7126b278561b686cb345fd95a7ae1809e16d4 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC3331.tmp
| MD5 | c5067e574a3abea925770e21d2d083d4 |
| SHA1 | 7d8d1320ae35bbac5f88c7a988f8f68059148458 |
| SHA256 | 3a92f255800d5892ee8eba800a283b0b1ffcd43b75ac649cb913cffd9911610f |
| SHA512 | 09fa48425fb47b190fdd56d199ca3792d3f59cd27c5b1c7503212f4ef95930ddd23e938fa0d3ae76f04f944cd82c90090f19ddefbc62b2e9a8c6092b1d04aa41 |
C:\Users\Admin\AppData\Local\Temp\RES3341.tmp
| MD5 | 9cee3e7e551514c9f0aa8d0900599818 |
| SHA1 | 9498940f7992bacacfdf0f116917d276fbed9461 |
| SHA256 | b7b513de4208c0b17d538b04a5c153e5afe815a82ba8c731dbd7f9234b5f81b2 |
| SHA512 | f919b45671507e42c3f1d70f27eeed8ad57bba9f5a319f1cbff2ed55b93057b5220e3f2a134d9c7e45d98545af9bfe79b72d841071a8069e866887e3547d46a4 |
C:\Users\Admin\AppData\Local\Temp\dbdghwa1018.exe
| MD5 | bf99de3981fe796323b9603910426872 |
| SHA1 | 03c5c0b0b5695db7e5fe5d1d6e358e1d20057364 |
| SHA256 | 3f02a77e5b0e2003df4096b1ff59d3a511bd7014d1d3dab8e578b88421cebbb8 |
| SHA512 | 460dd43ffdbdb8f8a64d7f53b7d3ff36f16c0043dfada5cef540f9132c1cbaa45d98bf3b09f8e3b44deb0d5504975969dad59fe73cebbc6eaf7f5186eae60e4e |
memory/1996-111-0x0000000000610000-0x000000000063A000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\mfzkg2m0.cmdline
| MD5 | 033086d98f01ca00fb4b0aad15350442 |
| SHA1 | 9d583318c3bdc5961c10bf10dea0339e3874385d |
| SHA256 | 0587f1ea4646c9ec39a3439461e16644978b4260d69f29b34dd84c30b880bbef |
| SHA512 | f3e1f656a3bbab3a1de6bf1847da963c82675f07a29d143d277fcec684a3f49fb2d9c32efdcb30f1ca7ebe85162f6f40c931385e051fa464709c49bc1c87220a |
\??\c:\Users\Admin\AppData\Local\Temp\mfzkg2m0.0.cs
| MD5 | 0baa915fe08e920aa54833baef776ed2 |
| SHA1 | 1f2ead4134fe8da29dfc64b2a0917ad340174ccc |
| SHA256 | 0d7f75d97ce2ec2540a2986b846403068a3711532aaa16c4d2d975314517da10 |
| SHA512 | 521dde49aa2531b77ebd57bec5fecc82761a7a9a91d78633a3aefa7271c36d1376d58df5a460113af4a176ac437f6aa512dd81da2a764a9201b57e528f2a102d |
\??\c:\Users\Admin\AppData\Local\Temp\CSC340B.tmp
| MD5 | 1567f20958b2c70d40e0fff6a4a58c0f |
| SHA1 | 5bfccac4df7a71e6b178fef288df64d2cd9a80f6 |
| SHA256 | c44ccb7e4dbfddb777a57b9e31efbfe4ff44aeb36130e19d947201257687e7b7 |
| SHA512 | f4671a897d51d01f9c89cdc8194b5f8ecbb741a687755728195ee2f4a378a37ce5dd569cafafeca900f3159182dc3030b634cced36f6209eeb2517cb6846eb23 |
C:\Users\Admin\AppData\Local\Temp\RES340C.tmp
| MD5 | 76321a699b86dce9fc31dc2a78782c1e |
| SHA1 | 30a4e3d695e1f9cbde7cd0f7cd661bf8edeadb47 |
| SHA256 | 3f4bc830f226bebf43d7873a19b5104730568e533b1a8c78cf8451c231bd53fb |
| SHA512 | 052aef16fdeec1a2032f97087220ccb5bf68c226949d7b728cac16295d997eb2fd0e068352e272007ca09e08f0c378fada50607f5278bbde24df21a3fbab2c03 |
C:\Users\Admin\AppData\Local\Temp\mxldlpk352.exe
| MD5 | 6fafb486a0ae96c7acbf736cc0e26087 |
| SHA1 | 9ad19434d45d67dd7e563f2324fca6ba61678501 |
| SHA256 | a8534fbcf30eec10238ed1a66cb13272309c46248d87207cb394f510871d1fb3 |
| SHA512 | 8ac760365d1319503c0e288bd2e070ce6a33fcb453d71e7edcbadc067e422c7e46ec7cf8b576b0b9e0f7d8d74ba32e87a4dae20733b185f323e555438ed77cb5 |
memory/1996-125-0x0000000000360000-0x0000000000368000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\oxzuxtch.cmdline
| MD5 | f491a0fd20d24faa35209829820e6811 |
| SHA1 | f83a8126239a5c1b031278b5fc26371ee1ac47d4 |
| SHA256 | 461e20ffdd9a58306f7a9f32cfdf727b4f9e3e3a224a61aac0edee1d35b5383f |
| SHA512 | 532e89a7d575dc1c7d6b3d7b21442182b4d96233342318c308f79cb15b57197a72ef554ca666a307d1280ab5a2ad38ec7eebbddb8b04fde645c60f11d6b7e78b |
\??\c:\Users\Admin\AppData\Local\Temp\oxzuxtch.0.cs
| MD5 | 3e5b87984124fc03daaca9326ddcc12d |
| SHA1 | f246f38447bcc0324bfbe58c24cd1ad240334116 |
| SHA256 | 13b9bbb1a3dd8504c40694b9ad21703957346843100ec6469d33112f6e075751 |
| SHA512 | 81e7522a27a5cd9d1b4a99735dacdd6513578f6b2c3f8419f9ac80f9dfef7a27f7943abf40cd2b2c121181077606296abf757d3c396b024d110f6ae724db8ce1 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC3469.tmp
| MD5 | 05b67a6ada9985ee04cf7fd7da81dd4b |
| SHA1 | 16cda6385d5c343b3446ca1536329bf54ebce0a8 |
| SHA256 | e4cab1e0c805ba2bf48d4582a9b8c26ecdf4f18267a51effd6e599073f957f37 |
| SHA512 | 18f451000b4955d01ac42b0552c802dde7fca4c4e8ca54ab8604c44c3a8cd1d2205e1fe8bc3686ae63f7ba494f1be7ac72a8312d72f9c4a3f93adaaa43824266 |
C:\Users\Admin\AppData\Local\Temp\RES346A.tmp
| MD5 | 98eafbd4f765c5d94cf8519e1ebb1e12 |
| SHA1 | 324376c79e7811340d44b6904aaa19f58c0ac5e5 |
| SHA256 | d68ee87045bc562882bc12890c5063dc177cea5b2223f896d090dc3237c7bf5d |
| SHA512 | b96749b0447a92b3470f972649dc6bc21101b7208fa249cf9234880d0339f79d2ca7e4209fc884882490da445e4bdecb6628414a1496fd38bb29cdf0357e0ff1 |
C:\Users\Admin\AppData\Local\Temp\yfgyhxa934.exe
| MD5 | 830042debf8f6eabc76dd7eb32fc0668 |
| SHA1 | 5bf292dce67fb4b4bc90554c5ddb65e87ad079e6 |
| SHA256 | 394d579ff963ef4a7a4d2fc70560689f3876b0acf476817de37a1e403809e926 |
| SHA512 | 71cbaa3962a4f4f50b6a8f13f88291f2db9747d0ff7b0fa52171c99ead95b231c41e50ff05dd5719c89512c1ce361770edbd81630ee605863ec5e15d5511870a |
memory/1996-139-0x0000000000610000-0x0000000000636000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\lxmfrqtv.cmdline
| MD5 | c1f3f9a7bd94a34939d48b1f6aef100e |
| SHA1 | 67155277058b11dfb0a5bc581a832e4d3ea38231 |
| SHA256 | 0e25a234d4af5764cf5cb8816388c71d9d1c2c6d914028c949ea8aaa7fd08bdd |
| SHA512 | 6c8af6823ad987bb9ab6c8504047d6101948bf935c2b50e532153364cbeb3181168c5a7a617a98876f7321f2e78e2a2d3cba46a00fb6ed435bfbe723f43581ce |
\??\c:\Users\Admin\AppData\Local\Temp\lxmfrqtv.0.cs
| MD5 | cbe21a47a5e28ff1c9a9b4efdb6e3099 |
| SHA1 | 202bfbbaaa4df87f21ec228a0e30923de57dfa59 |
| SHA256 | 202fadc38d5c6d3ad2779a95107cf426e96356fa2a752acdf3ecb5422a3164cc |
| SHA512 | e8d00adc96f0f65d7e9b4369ec35e64eb7ab9f0996af48d4f2a586bff67048361bceac71564b223f8e5ca0ca419bdbd6111633bc85c8d9b44d23a6486f992697 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC34A7.tmp
| MD5 | 9b390721f7593eda13efdc8d1564d7f3 |
| SHA1 | 74314585fffafc2c0f27d53ecc35c62dd7d735d0 |
| SHA256 | 5d7b8ec20857692c715ba3c48285d57e709559bc1883bff88cec674d46183122 |
| SHA512 | c242adcab0a26fd2f528cc0dd859e920a2e70c7db30b081ed43cf3a14572f2f197c50662a70bc8d4dc1d7b24f3c940475ba3ca7068f6c531e9b6467263c80920 |
C:\Users\Admin\AppData\Local\Temp\RES34A8.tmp
| MD5 | 36abdf82482fe43a9088fe460293391d |
| SHA1 | 79c0f87207f10854a72a01d7b403c88a32a63a9c |
| SHA256 | e2f008fec2177321018bc1cec0850456e394c48f56aa5ce9195e2d97d478a482 |
| SHA512 | 138327c6792bedafc824124caa21ba9cdfa3a79675cbb4a238859e8ec4593e8992547663948e09f0e525c606087face05b3bb22801f00c63786f8a960da52747 |
C:\Users\Admin\AppData\Local\Temp\mnjaqcm1598.exe
| MD5 | d35892eab1fabcec478654545ae3d4c2 |
| SHA1 | d5cde93f124bab00785030f570e54b9ad31e8e66 |
| SHA256 | 3b4132082b9552e12d244efcf1f6b51c2c24d2dc560ea2090e68c7e1e151e3bf |
| SHA512 | 6785a9aa723190c5e66acffea64b6fa397e65ad1963b3c9af31379f4c2e71cfa154b019a15e280ab226de7ffe495caa4755c12a26328966c24e4ada9a3f90227 |
memory/1996-153-0x00000000003B0000-0x00000000003CC000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\2jamua-y.cmdline
| MD5 | b5cea5f0d28c133120b2a4c77c28ceb7 |
| SHA1 | 6e8af667f3280b0e830cac5bef449565276019a9 |
| SHA256 | 9974b97f0ae349b8a95e74a99112dc234ecdcb056d9432ebbd16c729676b253d |
| SHA512 | 2922be92e03c96835a980b230314f7872f79cca88210ec495a1cf37e66f5f5bf3a1a51a23a86d6b19ddd6fde25fbd42540ace511bc1a0b15180177b907fae5b9 |
\??\c:\Users\Admin\AppData\Local\Temp\2jamua-y.0.cs
| MD5 | e83b063d2cc0e101c46b5e47ded0bbd5 |
| SHA1 | a685900a87a95e21305a9625fbdb3b0e1c3c9514 |
| SHA256 | 391f35eabe979548893af99fc9645fbba611e4dc9c46ca50525e5a183f925df7 |
| SHA512 | f5d08e21b8cc7c0e7d74c0f7056780e05cda6f6ef0c621e35e0289f40acd31cc32fba1e0d1150c26257be52132b1bf1971476ba0aad64f050a52b044848496af |
\??\c:\Users\Admin\AppData\Local\Temp\CSC3514.tmp
| MD5 | 784045c3843b13db7ea264bf70154f94 |
| SHA1 | a300640b2dbe2f7f7ad2e193c5f5be8f4b886f0f |
| SHA256 | fa2c166249a1964f91e9b1c7079dcaec36f51b316b1166289710bcad8933d239 |
| SHA512 | 6b36a9e152a6a1aaa5c24d3b5917b0f39f61bd7c09af6c9cfadf729b364760c14dfc95e5b6f78c9ec8c3ac36bb8767141d57badae1bf9a0998218eaab8094d5f |
C:\Users\Admin\AppData\Local\Temp\RES3525.tmp
| MD5 | 285314e5e517fa467b03d7a76ae8f9d9 |
| SHA1 | 6ff18274057d3c189c50af18144073cb9333897c |
| SHA256 | 8b53c765a28ccaa78f5f4c09a0f7590da10f086a68b4af612d9136e1a7d8657e |
| SHA512 | 2e6d8d3862d12b5a2cd7a60571211708c9a5c30bb6738a2b1c1ffb34a461727a65c27f644ed1594781494068e5b327a73213ac1fcedf51340d1758f7e318d401 |
C:\Users\Admin\AppData\Local\Temp\krtnbkk67.exe
| MD5 | 94689be646d5e3aa21c09b3d1d2d4bd2 |
| SHA1 | 579eb0809ad4a1e4ceef7bf912c88cc39dc926b9 |
| SHA256 | 9398573d9d74bff570441aa024ea894670c5f06b7f767af076edd80e80d24d60 |
| SHA512 | 89bbd4011fcec1d9991afb5e82c1147fd09160dd4628e3c4edeb8bb9340048e60b80f6da9a4e0b30e260386e9747e66673fb4bb3d0aa050bfd7455946f094569 |
memory/1996-167-0x000000001BF00000-0x000000001C00A000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\zln05jij.cmdline
| MD5 | 5cbf68c59408b8d4db1a230606b22b0c |
| SHA1 | 48216b22f948b20dfe560b8c527396e1eb1bc342 |
| SHA256 | 855e50c669ab3c9a4c95df32d278d8250c7875afdb91d159c108a8d6341c3dc3 |
| SHA512 | a03e53e573ed783ed23a989b9bf5a217c43f444c85a17c0c9e9dc1a2596ab3fd08ab6ad05526ebf574a102fed7ee4d74347859cb38135a643e10caa525472610 |
\??\c:\Users\Admin\AppData\Local\Temp\zln05jij.0.cs
| MD5 | 7075206dd60b21611ceb1a3eed0213d1 |
| SHA1 | 0ce44b0de20058f7e23a42ae9038f2b7dd207c35 |
| SHA256 | f53876b3127c2abb90662741f9859dffa9768e4db669e4cc9ca7e1248c4abd71 |
| SHA512 | fc80bfae0e51354b1d5854034787a006a34d6d69b07ec80ce34c0fb833d8e31cf6b22b7a2111abaf7692e83616e96e4060b2385f34321e720e6a2c3d8f575028 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC362D.tmp
| MD5 | 9bde53c16bddcb059086a896d33244f1 |
| SHA1 | 52cab7cfbb00ec56dfcbfd51abf952621071b498 |
| SHA256 | a8add0d5b27a2f02b13c0c1168561c2f9fc0709bdbd6d444aa54674bcf65e62c |
| SHA512 | 895a46f79ab7b5d14efe3b7eec9946c8acf8cfe0ada03dc75d0e5e51ca616edaf628825d93923ce75536d924a5c1c177e354b73bc1d121a573a5c56857328189 |
C:\Users\Admin\AppData\Local\Temp\RES362E.tmp
| MD5 | 7190e2f5fa49a05409ccb446c12c3dc8 |
| SHA1 | 604c67db7d370d1248d646c507f482770b6cae1a |
| SHA256 | 4196f87f520c7adee8a107e383230bf0db4c4c05da044622710a851d849911d9 |
| SHA512 | aab6bbd92c9b08dca5c2eeccc49dce5d811fddf3aaf43c9a398690dbabb10ae679784f27c5122f14521f5d934c97f47e294fe5f5251ab36a52e49169ce94dbf2 |
C:\Users\Admin\AppData\Local\Temp\dfnygwu1893.exe
| MD5 | 957181a115c79f32d8b27aefd9807e41 |
| SHA1 | ed12ade0f4eb3637c2d5f2d6a462c716295a3dac |
| SHA256 | 1bbd8c0627f5e2c5cdf3da0c3180453a10b5008aa81e9f0fb6e5136dd55f6140 |
| SHA512 | 7f15b31940784195bad1d8a2c5bad2ef52daa57ee1cd051f9dd681e79b29e681e0796ba84da60ea21cd23497c9a0b461b12d548cae70bd404344788229530f35 |
memory/1996-181-0x0000000000360000-0x000000000036C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ezxqshkk.cmdline
| MD5 | 0930ce11d262956ac37931779b872905 |
| SHA1 | 0051a2574e5c76a805693c46a4f90c0e1d765040 |
| SHA256 | 1241a04fd2ece150426821585eaf6d8034fb5735551ad9d64a5d1a0819c0f13c |
| SHA512 | 36b27a9ba5c8158c10862401d5b657c177ba1621d0d0579d6e10fb927b682e0cd6e061491e5c4d2a8923dc6dcebf866ebf7bbaa5392fdef5729216268152af51 |
\??\c:\Users\Admin\AppData\Local\Temp\ezxqshkk.0.cs
| MD5 | 5cc58c4897f1845f11bdd55e162e48ed |
| SHA1 | 64953ed5d4ad82c4c1c1b01c26d1e83f3a1dacc2 |
| SHA256 | 0ba07edf4c798f00012b3cce42a57e9443cbc565b539a99acab36d0d5317e01d |
| SHA512 | c475d9ae086a794b4ba012ceca6a3fc3cbd2f27da0e67019fe5bc6a4b7a1301b639eb5a1afdd2cb839544087b1acc644a470b3e52f1b0bb0cf7e4b665d4d10c5 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC36AA.tmp
| MD5 | 482c1557fa9f5dbd4ea440bd3d4c2210 |
| SHA1 | 8f19039549d528f77f5c404c39da38adbe114bc3 |
| SHA256 | 92fb3b6e914975be21e759fda872f2edf14b5574da9b75a5e661d63d1fdb8f70 |
| SHA512 | 3cec326f8ac15570fdedc7a45086325a98441cb23a11fbfd9f22891c054f4e0c644819257ff4705036575613c206b522e1a90cf1cab562253064a6e3f4103192 |
C:\Users\Admin\AppData\Local\Temp\RES36AB.tmp
| MD5 | 9590fdfde65340f8e28c253cc18b5328 |
| SHA1 | d18fea1b38f4b1b85d610062f61fa564e4cb9eba |
| SHA256 | 5ec6892115501bc9f9bd67ad5a90b2c25daab91f4399e8c870cd3163aefd5e24 |
| SHA512 | afe60e9a5feb0e2d5ec7bc5ea261080a21a2cb7f44ef9e57d1680e89c05bb4aebdfadf5efde23018e138c9867d11b6bc896668bd5b495a725d91d7d98d57a16e |
memory/1996-194-0x00000000003B0000-0x00000000003D0000-memory.dmp
memory/1996-203-0x0000000000610000-0x0000000000636000-memory.dmp
memory/1996-256-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:19
Reported
2024-06-04 01:20
Platform
win10v2004-20240508-en
Max time kernel
25s
Max time network
14s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\TsWpfWrp.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TsWpfWrp.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_10.0.19041.1_none_e51212a36c631d23\CasPol.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_10.0.19041.1_none_c9157ddc38b83b1b\aspnet_regsql.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_9202844cd514ab44\aspnet_compiler.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_installutil_b03f5f7f11d50a3a_10.0.19041.1_none_f4b2fffd9da4c90a\InstallUtil.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\AddInProcess32.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_10.0.19041.1_none_82a36c559596820a\aspnet_regbrowsers.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe
"C:\Users\Admin\AppData\Local\Temp\a940d7578a4abe09297029c8b31b52ddf25e180a66bf8c7836a4ef7a353b982c.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\waoym8kk.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B14.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4B13.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\adcbo3wx.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES598B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC598A.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t5ivymwt.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B9E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5B9D.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gdbipprv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C2B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C2A.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mwoioxsy.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D53.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D52.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mywd4znw.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DE0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5DDF.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxkuj9c5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EEA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5EE9.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8qx5j6y6.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F96.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F95.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uqq4pdhu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC60EC.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3hvr0mwu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6543.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6542.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ac5qvxzh.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65FE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC65FD.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3rj1bhvi.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6699.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ieqpti1q.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6727.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6726.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t-ijqja5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67A4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC67A3.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gh4dth5d.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6811.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6801.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k_6hgsuu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES687F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC687E.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mi-02bep.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68FC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC68FB.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qavsqdfh.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6988.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6978.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e36gkuj5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A15.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6A04.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcff1kyi.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AA2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6AA1.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eng-mf_w.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B4E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6B4D.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9vqnlvb0.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BEA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6BE9.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\feylwdkt.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CA5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6CA4.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-oio7htn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DCE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6DCD.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\525n0sx9.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E99.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6E89.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wzwibvb5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6F15.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9jm1wx6h.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FB3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6FB2.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mf-0po08.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES705E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC705D.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ktgadvcd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70FB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC70FA.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jd3le7hh.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71B6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC71A6.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kufe6obn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7233.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7232.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvxa8nap.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES732D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC732C.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a48qamdw.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73BA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC73B9.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vojdmg9c.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7427.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7426.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q9tlnxwg.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7495.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7494.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psyqxk5r.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7550.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC754F.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fgfhirz7.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75CD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC75CC.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\woxuafhi.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7669.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7659.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w6mublk2.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76E6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC76D6.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtpmhjlc.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7754.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7743.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bmfftmbv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77C1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC77C0.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w6qcgsax.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES783E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC783D.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y6tsmuaq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78F9.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utaqvkg1.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7996.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7995.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cii7hfhh.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A32.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7A31.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bckp_a_d.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ACE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7ACD.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\czyjbqye.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B6B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7B6A.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\htx6olgg.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7C15.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v3xigfws.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CB3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7CB2.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aoohl6eq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D4F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7D4E.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\crsonvqn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E0A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7E09.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ddeuy3tl.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EB6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7EB5.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\13ozdw3k.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F62.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7F61.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trfgf1ke.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FD0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7FCF.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lrb_dt4l.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC86E3.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7s39k6xm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D3D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D3C.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kcancsmq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A5C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9A5B.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\loi_diak.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AF9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9AF8.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7geyg5xu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B76.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B75.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qsphs0h.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BF3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9BF2.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ieuk8sy7.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C7F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9C7E.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vryoxgzm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA29A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA299.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
Files
memory/3540-0-0x00007FFBFBF25000-0x00007FFBFBF26000-memory.dmp
memory/3540-1-0x00007FFBFBC70000-0x00007FFBFC611000-memory.dmp
memory/3540-2-0x000000001B9E0000-0x000000001B9EE000-memory.dmp
memory/3540-3-0x00007FFBFBC70000-0x00007FFBFC611000-memory.dmp
memory/3540-4-0x000000001B9D0000-0x000000001BA54000-memory.dmp
memory/3540-5-0x000000001B9E0000-0x000000001B9E8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\waoym8kk.cmdline
| MD5 | 12e4889ce00f8e897765df0c55a5f1a3 |
| SHA1 | 831612a45621ef32177169c13ae745b1a1ad3476 |
| SHA256 | ab3e6c3dbc9a13c3ddea247340f67e65bd13b17531dc0cd7f04bf70710900303 |
| SHA512 | 00273f59ed4838430a01f4b31ef00f9efb96be07f7ff6b12884ec9b0b218c75acd15672e55e0411e900b2d0e91b01feee5e6ce264d3f7ec2c2f7cde80bcf24bd |
\??\c:\Users\Admin\AppData\Local\Temp\waoym8kk.0.cs
| MD5 | 507a819d828b45004fa00e04602a4dd7 |
| SHA1 | 15b17c20d4b42b6173fa4fef8516f3c4c05d94e5 |
| SHA256 | 4e5a5652de65a92c4378c161d6b8298b7b1de1c21d137b951f4d4fb4947c31f7 |
| SHA512 | 68e884924760cdd3b4257ea6486f4045704747b7d05e2d6d543e7e704af902b74e7a7e424c3817794c79ff07f88fe7c65e905fcb070cb6fd26304ab63ca9cd51 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC4B13.tmp
| MD5 | 2f1f4e603ef1416dffa4033cd880ba7d |
| SHA1 | f6e39900feddc79b142313779a385de7a4e7d295 |
| SHA256 | 369d39df8bb6d1994359ee2cdee9a4462e2a59b9c2db3cd0ab6bd64e4f09e89a |
| SHA512 | 3c39a554d53d76fbb0d3f4596f4bdc32b87369ab073e7b8963ee76d3c335b7ca8d829ea31a46fbd1f59edd9229ac157975d8fe00102e3d3db8e5c4712be85b17 |
C:\Users\Admin\AppData\Local\Temp\RES4B14.tmp
| MD5 | 30b76e1f5f4f9886a92a17d20696d583 |
| SHA1 | 516736ceaa52d60ac270f5bcd51a0aa7a8b744f4 |
| SHA256 | 1dcce59f72a313cc623ff1e69185802505bb4a3a1f398b5a1bd2eece5f3c37fb |
| SHA512 | b1a4aadf51e270d327dbefdaafbeec6cf8a1e11729a4cff8d12d766a199159805b6b35e2b8c03736dc9f39d4a39e898cf02398dfd0f0417b5bd5fd6b5a3b3b54 |
C:\Users\Admin\AppData\Local\Temp\aqodjcq254.exe
| MD5 | eaa52cd5d145f4ea6129e812093106d9 |
| SHA1 | 5365f08e67d4ee16f5c6e3143c5ceb9e97330b2d |
| SHA256 | 35d1c8be53775565815a7fe00496e61bec382844c9bb5f7175c194001a97210e |
| SHA512 | ffb3f3bf80d29977ded1b5b560a1f49fd0138baa26dc66bb04fea5c6748ded73cef917aca2020678d20f31ee0509650a166d8c1948de76a52d6d92689dee9daf |
memory/3540-21-0x00000000012D0000-0x00000000012D8000-memory.dmp
memory/3540-22-0x00000000012D0000-0x00000000012D8000-memory.dmp
memory/3540-23-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-24-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-25-0x000000001BA30000-0x000000001BA60000-memory.dmp
memory/3540-26-0x000000001BFF0000-0x000000001C064000-memory.dmp
memory/3540-27-0x00000000012D0000-0x00000000012F0000-memory.dmp
memory/3540-28-0x00000000012C0000-0x00000000012CE000-memory.dmp
memory/3540-29-0x000000001C010000-0x000000001C0A4000-memory.dmp
memory/3540-30-0x0000000140000000-0x0000000140031000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\adcbo3wx.cmdline
| MD5 | 507aa9f7166c5934fe1da798cdb2c730 |
| SHA1 | 1348b0930fec93ca04fe09c16d36694ca75f273b |
| SHA256 | f8d9d8a6769c829a5649dc92b92fd6b28afa63c5d23f138ee4cd028563b3cb7a |
| SHA512 | a3123c370a85e0fdb41f993d10249e564ea3799e127cb2bfbc974334b1372f542d21ee178eacd56abda9a2c9a190292bf19602fb1c31d9d9fd972e6c0598620d |
\??\c:\Users\Admin\AppData\Local\Temp\adcbo3wx.0.cs
| MD5 | a7ad4bb27a490aa326581ca593260768 |
| SHA1 | f7de8419b7ed166ec502bf7fb5322899f4871902 |
| SHA256 | 4547fa567ef27ffe967f20230fe22076e42b1e578a19ff6398fe11874327f1ca |
| SHA512 | e9a39b5acbf54fe33212d22b1e82fc86e5362f0ee1934b92db354d5bd33b103aa2e3246254fb78e7ada0ad9fb7c07e991115a274fbb1f5a88677958af545f479 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC598A.tmp
| MD5 | 045a1a58c7ed1b6cf3c57e2779fad063 |
| SHA1 | 51dc1527c882f7a2a99e1894ac2157a1725c5d43 |
| SHA256 | ce5fb78ee5f147334fcc1dee3fff51df498e35bd631b1ba840d90ecf9106aaa1 |
| SHA512 | 8e5af146009fa4ecb69f4bac76ac582f151321c9d463f492af5e3100631b16207c9d95d372df6c40d4f80118caa7edb20098b78a045e7d9ad721cf188a983fba |
C:\Users\Admin\AppData\Local\Temp\RES598B.tmp
| MD5 | 1bcd4e2c19f2d07b705481a14a1e09ee |
| SHA1 | c9720cec4f85ed22867dd1fa0dac7cb737de66ff |
| SHA256 | b45e3bfb7f4b517bb06b06041eb2985a3637c6a69fdff198e5f3bd0db13bb647 |
| SHA512 | 13d2aa3f60b74ab322735fba2a79a3325202008e0e0f84a56b0c99a75c1fa5cb232490c129ee96a38e712bb9b52325e25b14437a172a461a53d591dd26840ee1 |
C:\Users\Admin\AppData\Local\Temp\jcewynx1507.exe
| MD5 | 5a288ab8cccfeaf9c942e3f5d5ffdba1 |
| SHA1 | ffeed6d2dfaa6e7b5380e38131709cffc055a4cb |
| SHA256 | 7d0b2e86bf788c8a3550c2de6ba516e9b2dd7ce2792dcb39dbc8e238613b811f |
| SHA512 | 3df4545d135659b669bff67cc6a7668eda5a5f92956c409222e616040e651777bf0051c758264de4472655594d44e66ade382f01dce4a45280ee31c860ae9252 |
memory/3540-49-0x00000000012D0000-0x00000000012E8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\t5ivymwt.cmdline
| MD5 | 8c3ccd1531d5004ef05cd314fc1d51e9 |
| SHA1 | a759427d485666d835313e49976386057ccb0020 |
| SHA256 | 7d2e8b170164a7b72e836970e92c6bf20c44c4dfb153fa68dec46f6ded23bb72 |
| SHA512 | 301a48459389c08d0225f2f081ae7141e3fc929eb686d79591fbd82a3006f3a251227cb66f7037ce24e294305476cec5c6e6ee1fc327a99546cc9431219c1f35 |
\??\c:\Users\Admin\AppData\Local\Temp\t5ivymwt.0.cs
| MD5 | cfa27504f82e6cae31621c52632755ac |
| SHA1 | dc67841e2d2b73d0c45b38e2fa78eeecae102819 |
| SHA256 | 792dc724da8ae3356108b9ca6f46f372f4492fe546a23f8005c7e08814f818c8 |
| SHA512 | ef6daf411324841d822de6bc7997a7c33f18c807b4d9338117fc4a9be23f737fc8102f36db917764de43db8ec93a135269ead1b02880fcfa8f86ca0896c6252e |
\??\c:\Users\Admin\AppData\Local\Temp\CSC5B9D.tmp
| MD5 | 964f768baf738f831a2a085e49e7b3ad |
| SHA1 | 5f7a9458c64f3c49391694860768a7cd19af0ec4 |
| SHA256 | bf0b3529f6b56944b143da856094037626466fb1446b5672eb717aa80bfc0d13 |
| SHA512 | 7dff18f58975ee773c758daed37ff53230fb011db37501c69f796e0968afd4a2f39a20ab7958801a7cde81593c7a4b5bc9f6282d0195e93193e4332ec659e256 |
C:\Users\Admin\AppData\Local\Temp\RES5B9E.tmp
| MD5 | 408188f5cbd746b31a06b81c517bc337 |
| SHA1 | 1211d7b09a3dbf87694bf2eea77983b29f583dae |
| SHA256 | 3d37380c1d1c03874db091f79c7428df51dd8aa84112008928f12dc9806dd38f |
| SHA512 | c92f0883dc7c41926a306e9f7916e23d7f92c413e44ecd10d17f69019dd2d306ebe70a58b7e3c35bf00ea58feba663e0cea0d58d35de53ce9572a010972008af |
C:\Users\Admin\AppData\Local\Temp\rnyhsqv1246.exe
| MD5 | 18c80f5147350af6c675f462f6abfd49 |
| SHA1 | 546fdf0b33af5dce1207d15cf297c53978de6605 |
| SHA256 | d3856fe70d049739a22c9fe5b905798f09375413743e375ab3497dffb5e0d238 |
| SHA512 | 2fb78ea4d39172a7974777eeedbde34781a9b5984064ee2a169a0d3d3464dc311c7fde80b6297e11d472e8721e5929261814e0258998c52c01e131ccea37baca |
\??\c:\Users\Admin\AppData\Local\Temp\gdbipprv.0.cs
| MD5 | 1d88f2ae5d88ff04b6fc245422fbea17 |
| SHA1 | c5414cc8e1c42ddf47a78e790fa30ea500401c11 |
| SHA256 | 5e9848ee4f6bf0ec4246be42fc59d615199d7b13897de86bb795b6c78d2f77c9 |
| SHA512 | 1a75cbbe9f65067daa10a990e54bca250ee983008d7a44c0d513b209641f4ed30b0fded31aaadcc5360220e966647c2a47a2a572d6e08127251dbc6ebbe0eb65 |
C:\Users\Admin\AppData\Local\Temp\RES5C2B.tmp
| MD5 | 99eaa30cf0e7cc661d8dc2a8ec59ca24 |
| SHA1 | e0ee933420d69e6206fb9bb44990859a8b527c2d |
| SHA256 | 00b8d218306be2c296826d1f3796726320a59bd56f26249d99a16f720ac2daec |
| SHA512 | f2cb7491e19c9878b1c0b7161ee974caa9118acb762531eb55c8c373ec9cac6c2e0ae2a0690b6d00a8738a8255257437a1cb6291001d96556cb3bcc5cd79e1a0 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC5C2A.tmp
| MD5 | d371d7bebcdfeb89b7bbfc09b3c03648 |
| SHA1 | 2bb06559bf69c1373bf5d1c99f37a2c11368e032 |
| SHA256 | 2f72b332d9ec221c2203ae97881944860dc2f75eda673e5ceb08630e4cc707a2 |
| SHA512 | aadee5362f087d5713f0af1e7205a35fd5816cb4d5404f9ae2a572656e477ef2bb7e5916f91e2a466d90ad26cf08af28e87d7cee3a1b6b46fa5abe6f93040c63 |
\??\c:\Users\Admin\AppData\Local\Temp\gdbipprv.cmdline
| MD5 | fa73101e0cdd3eda247c509b638be4e4 |
| SHA1 | 9f2ef9c6e6f889723d1bfe0f8d5acd5527792b71 |
| SHA256 | 4d04361ab8fb9d2541b90fe7985276c59decce36f4f557ba8125f586eedc3cfa |
| SHA512 | 8973f526d0d732ba7b16d8a4b222e1a250635e8140a367578a5cb42a54f13ecd3c3c7f652908afa86ecd4f76c77e76b22f68d7f7f0360ad4333d20f85bcfdd97 |
memory/3540-63-0x00000000012D0000-0x00000000012E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hahmmez147.exe
| MD5 | 0cdb85403bcde849d8a178d922e50892 |
| SHA1 | 3c72cc02899fc5a40abe17499d0ba643da1fa1e2 |
| SHA256 | e8643fcd117fd5d950600f3ec28c2fdc8364461c060a08b674060874c94b6d38 |
| SHA512 | 62a13bef6a4b4bd31561229e15e8fb15a8d6bf06c644d8d1c59ad3bbf8ed0e62cceaed6b68fd5188d596019f6e889dda836bb4fecd3004f86165410ad1c4c806 |
memory/3540-77-0x000000001BA30000-0x000000001BA5A000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\mwoioxsy.cmdline
| MD5 | 1299c0a3b5a40abd1ad8858f8681ad4c |
| SHA1 | 5ce3e8562746a0e292a3ff12749c1dbbe13681b2 |
| SHA256 | ab2da89fc70e869efda2fd061452cfbd93034894bdb18ac1797230eb86f2267b |
| SHA512 | 9b32488d28261f2a445c84b9da0f3320b1f17e85adfb9b16f9f06605e5eb9b304d0e316ef2e93f42c0bde87e844ecf8a764c3a817411a3201924dcfcf4b46196 |
\??\c:\Users\Admin\AppData\Local\Temp\mwoioxsy.0.cs
| MD5 | be328d36479e75c7a642aa83fd74d1ca |
| SHA1 | e52b5acb04fb873f08851cb030cf636d6964ce3a |
| SHA256 | 24a522a3fd21be7da207b04a6751a309a91111a1d218cdd4137000db9c65512b |
| SHA512 | f22ad4d4781fe50fe1818a8dd2bbae8abdf22db4f7e44a3c4fbfded73f27eb0162cd17e7cf0e8c795d421477b7f2736459c577c5091893514b0bce5cf8ec5bdf |
\??\c:\Users\Admin\AppData\Local\Temp\CSC5D52.tmp
| MD5 | f0c969a36498e125b5166e34b799f77e |
| SHA1 | 7f0544c1c3bade15932f4ee39b37e6caaaacaa76 |
| SHA256 | 411cd9403b3c115a116fb831646895774d7e148c21e2b0b486198be5317ed5be |
| SHA512 | df9b942f75e78e00f0608a44d4242cd45327428aa4b49250d52fc9b829a40720f8bb40a06793a9c45b72a638350913d01fd13ebe752c186ba6beb5477d6c7e14 |
C:\Users\Admin\AppData\Local\Temp\RES5D53.tmp
| MD5 | d379a9471d27a87cb43db0cd665039c2 |
| SHA1 | fecad0287228afcc4e21deb4f035541ddfaf703e |
| SHA256 | 081868a8d928d0205f6c513267a8b0291b26d1981f0de41f5996fb63aaa962ac |
| SHA512 | 1715b7ae6c04aa7c61b45441e04a196f0bccda9b447c012f4857d0d2a509e6a3f2a9bbfd25a1bd83b0cebac5efb77e7931e146f97cd81e021828cee5a80532bf |
C:\Users\Admin\AppData\Local\Temp\rxqxcak1051.exe
| MD5 | a5ef7606670541dc1be53ebfd04ef6b1 |
| SHA1 | 049c445e21005a839ea172c71d44bd38bd427be5 |
| SHA256 | 714ff0a6363de9da720c1ed677521be87eefcf853ffc4303a2fcde586f4d89fd |
| SHA512 | 6d9e2caedb58b73fc0b3d92a5d730acd7693c6c04dbfc116ae738d096041dbab686ee2c7a11875bd5c5792e74e696f188a046029bc3804ee79f6dbb7605cd438 |
memory/3540-91-0x00000000012C0000-0x00000000012C8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\mywd4znw.cmdline
| MD5 | c6617374b500f4895293becccf6b30f6 |
| SHA1 | 6732cfe41b4b609ebbc49be3ca6296ddf1120a4b |
| SHA256 | d34f34dfb57b712ac8e60ba6060417af7fae98705253d079b5c99827673b279c |
| SHA512 | 6823859e9b431e5a4fbb020555d0ecaeee7fe0f86b26beb7dedb2f4dd4887f00354aff8ad8b518800b59cfe90ec370486d992800dc7a1e502c281c23d24116b3 |
\??\c:\Users\Admin\AppData\Local\Temp\mywd4znw.0.cs
| MD5 | 268de2682201b8b213b38bcc2ea035b7 |
| SHA1 | 4604e71fa54fcee58b971f05c0d490e38bb5c84d |
| SHA256 | f9e1b4f3703c08aa53e019116012e4ef01317bdc8b66f4ef6e284cb5e653fb2a |
| SHA512 | dc96a969a035f3eeef26356b5da00219afd0d4df9197ddec8e36da8bafe27be3be9558e86311057ff35f2ab8ce233157ebce927dfd7e71f422fda31ca8fb2ccf |
\??\c:\Users\Admin\AppData\Local\Temp\CSC5DDF.tmp
| MD5 | 777aebcba6320f29342f58238dda9946 |
| SHA1 | e0a9f569d1c95673731f1f465ba7f574b662bac6 |
| SHA256 | 756e24c55f973c63a907a701f4859c78b7639892d855ac3951805e81ece48852 |
| SHA512 | 7933c1359d313dba96345bf9a7a1611f9a45b88a9bf3b073b6e0ae9253ddc452237bbb69a18c967142eb2841b4243e584883fb82fdd3e4e8110df89fb3a0ba74 |
C:\Users\Admin\AppData\Local\Temp\RES5DE0.tmp
| MD5 | 2400ebe930136febad39d472af3c6477 |
| SHA1 | abff619c5f5813d795d6bd3e1b78e06f3fefcba8 |
| SHA256 | dede81540056e0a99db0005e6fd6330386efa4e524be5c6e8e77c6747f949c0a |
| SHA512 | 566c0b60771d9773fd5b9045dd6f1cb6f4f3902ac99954dfdbf217ffe069879889d40ee208ddf5a0c9a07d10acce88d73aac8cffd94c82b6e69dc5f5ad71cb20 |
C:\Users\Admin\AppData\Local\Temp\klvkizd456.exe
| MD5 | c3dc7bbfe22957c2e0f613c935d2b0a3 |
| SHA1 | 3296593230fa805d8d106bf7e0661952598a7e5e |
| SHA256 | 88054406478d88b3bd9371af1820f2d70dec1a5b99a37cc0edc8a36101f4fa93 |
| SHA512 | 985b70ce5302386d8c11d19320546aadfe6ffc7c562688c2af98d8029a7eb9dcb9e57e913e8b721031b842344e45dfd207f473ad3bc11c5009d8fa3e8b2469a7 |
memory/3540-105-0x00000000012C0000-0x00000000012CC000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\uxkuj9c5.cmdline
| MD5 | 6c362ec514d44345d4bdf3df0d84493d |
| SHA1 | 22a54f8323955c356dd8084dabdaeaa51c4f99f4 |
| SHA256 | 4d0f0bc5b57d8ec3e1e0e3cff324d6e9440703d1f684cd3290a6cfa7099214ed |
| SHA512 | 35ebea066c88aa0962a4497efe7b5f6a555aee758028758e56f7567953da6e9900d791232f641efa07ca636ae232e0ca2dfeac1d1bd0e0791c6636721a0f5c66 |
\??\c:\Users\Admin\AppData\Local\Temp\uxkuj9c5.0.cs
| MD5 | 422941fb7652c5909267ac5db3b060ac |
| SHA1 | ade3117201ec480e4693a17cb3237caf84ec7e9c |
| SHA256 | b4a7ec9d9c5d422d1b3a7444ce30d71ee6c7349b82d616d00f22331654bf040e |
| SHA512 | 5ed471c853feb583c4caf1e780ab4664f4fcd1aacad492c547e1cb0db01e44d8cfb746532b3d044f314a29f0165ebdd77bd58042bf85379514f85fbc650b18e1 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC5EE9.tmp
| MD5 | 40e82d8d27662157cd57ad9410ad628a |
| SHA1 | b5818c443ca0b8307102d2788bff6f6687f8a083 |
| SHA256 | eaf9a651741fb7a0e05c345b576533b714c23d48320a2b0d18494e7363f7d1d2 |
| SHA512 | 84da7c948cd3704c38f2c1db12ad68ca261c6f328ed52500ac12a1ef304d61353083243f3f937f9c2708cb96564cf4b8e43c75b8aafdc1959b2fee06f5cb3a4c |
C:\Users\Admin\AppData\Local\Temp\RES5EEA.tmp
| MD5 | 59f98f3ba6a62145f290f0a5e4760d17 |
| SHA1 | c3ba6245421fcf708616f01f6eab0106f70ec77a |
| SHA256 | cd25c93371e974315a7897209bdec444e1ffbeae03a22a46c27a42b23a129a28 |
| SHA512 | af257a03f2d6871e28796927d5478f45b4f1db83c5f8a300f460b42995edd22f38fee2e75a5545fd518363d3624884c78f73584f15796fb6bc931665ef48b564 |
C:\Users\Admin\AppData\Local\Temp\bjwslgx1632.exe
| MD5 | e1275b4b2d1addfd42fae17a5452c863 |
| SHA1 | a395582bec748d8eceaed253332297751a696293 |
| SHA256 | 98b39dd16be10d1205d106d8985ba9ba242599666796bd978d9234e8caa4b57d |
| SHA512 | 8cc4b4313307f432badde708c8b3d814ce224b9789b522de9f89eb1e68c529176385e46fb0ad0a906006cd8d4dd1af7454f48ab65d8fedba24d17894e97b0a0c |
memory/3540-119-0x00000000012D0000-0x00000000012F0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\8qx5j6y6.cmdline
| MD5 | c7d0bbfad382f17b60e02799844bf40e |
| SHA1 | d43fb1f2ebad603dc9845ca8e3d47af75c1cb582 |
| SHA256 | 8cd676b1d761e4bdcf218a886da92f91c566c92785d58fea0e32cb534e7332b2 |
| SHA512 | ca900116f9ff850d08eccce0b921ec9cf2b96c2d3fdc12d9af18e94828148037c633b09f81ce85542b6ba5e9397bbd802409177a9f0094e6d009d91dd3b4711c |
\??\c:\Users\Admin\AppData\Local\Temp\8qx5j6y6.0.cs
| MD5 | 635ddc5e0b3b61e8b803d0b4f03a652f |
| SHA1 | 3e7948fe0af4a621ee291abf2349e3348988f7fa |
| SHA256 | 8c2d3336c28ed859abe8634be4e1ebcb9751eca33f82cc4db8cc40ad8aa4da3b |
| SHA512 | 30804e925e6844f928ccb60c485a3050f1d0f560c80fc74a84a0bc33149f547a61b561f8e7b75f71f75b2481873c7c3bae7e2aa685b120ff9e5ad81e2018cafc |
\??\c:\Users\Admin\AppData\Local\Temp\CSC5F95.tmp
| MD5 | b526e1ceebc9b951e34a54fd5ce0d98f |
| SHA1 | 03fed033eef4ccfa1ce2a7a13b358edca1edbf67 |
| SHA256 | bdfbd340597565c34a643ce5364c3a67a752d0808ada1e877ff3e1cde3d01fdb |
| SHA512 | 22b38ad3d3560bb805c857f655952f8fe981710af56e0cabb2f9c07d24603782092badc5b385a609a37efc88aee51173f354ec306e1e11cb252ab408d08cea29 |
C:\Users\Admin\AppData\Local\Temp\RES5F96.tmp
| MD5 | 8f5c28530cb4bfe31fcc49fc31a16730 |
| SHA1 | 11461874514e74930e5e18e56ac0df3d200af08a |
| SHA256 | a6591ad9cd59ebac7c06828abade5da4b6752d28947e2c786f34a5e587182730 |
| SHA512 | c3a595aab0766317b522979f9ff33d908eb616691ff769b587ac9807e6017e7469f72c94ceefd9e30dca292b3ea9a0f7a0c294172a110542e12c5e851c7c7343 |
C:\Users\Admin\AppData\Local\Temp\srkbfjp1222.exe
| MD5 | a2c3e6c1c6226e890c36880edc917c05 |
| SHA1 | efcff2674b1219458d3be1f576aa7d66bbfb0544 |
| SHA256 | cc06db2fefa6ba1127a5efb6d3b800e96a994dd8768000171b23b5c0dad63aa4 |
| SHA512 | 32675bde2f881f62127ba2e55e0f2ea1b201e5915721276dc26d5c443c8482b42c2b75b36d9f9b24128327d011c4ced4dd5c309ab99e16ede0dd1742250063c9 |
memory/3540-133-0x000000001BA30000-0x000000001BA56000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\uqq4pdhu.cmdline
| MD5 | d7ec4e39e8c28676ebf59119c13210b8 |
| SHA1 | d33d04dbc55de98858f768d5872b7b21cf151681 |
| SHA256 | 0f69f662addc0e76c0baaedd3f627ab837ad2aa36fbd792d5f5f810902fa8fc2 |
| SHA512 | 670998a3f498e29cdf0709372695b51e0bc5df6544c22bd39c16716e1425256635b62225ce4934b0cb0a096fac5ffa8481aab91c828e67f2de7a5653a8992895 |
\??\c:\Users\Admin\AppData\Local\Temp\uqq4pdhu.0.cs
| MD5 | 30651e8983e01e780d963144a6ca4e17 |
| SHA1 | 5813a71bd21ec77669f441fbb5643f6389c30ddc |
| SHA256 | 177b99ce4874984ce896d0e1899c2883ea76b08fb61b14c0373604ec2209e648 |
| SHA512 | 83548d0f5ce202e407f5cf908fd46b953e9485741eef6903f6bcb0c3b4ddd8543349064834fc0df70ee84c003d0d28471fc451e60c3a8a10fed7a83c278be532 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC60EC.tmp
| MD5 | 831eb5906cfa025c6010bb8265783df0 |
| SHA1 | 539a165d5af6014bf5f7cca8e9baddd37d21fabd |
| SHA256 | 2cf3b64b6d57774ed389524dd892118926a71607391acc2fc8b66047c55b77dd |
| SHA512 | 61bd308e16e7a17273a1ff68d5a89490e3df124ee6fed5aa4923258de30172c5c1ffe6379d5c45ca2d45abd5c01f5879687b8bec439eaf6a68f48062564aa553 |
C:\Users\Admin\AppData\Local\Temp\RES60ED.tmp
| MD5 | 758c2d689ef834a8bee2525a0e16ae1e |
| SHA1 | de8bd9dc3bf108a13064aaa1126ff0afc5bf2b7a |
| SHA256 | 96857533c634c4d792b96d91c457f5b4a0a37c93f0847927d6219f6bdaf2a655 |
| SHA512 | f3ae46ed8a17f584665cac3f6f8a986042ceaaba9478bf4bc8b128bd54f4b30e2f263bc6c096a6047bd98ac88fa879a46b1101939c7daac60fcba40be4a52277 |
C:\Users\Admin\AppData\Local\Temp\guvwsyg867.exe
| MD5 | b52b04ba31638c440addaae72c7883d1 |
| SHA1 | 6b4beeb2732c8fdce56608c33a3431cb8df39128 |
| SHA256 | 71428dbaed970d0142819ed89b5a232368165205183f1e61b2db08e5f5144e76 |
| SHA512 | 12f6b2a8853354e734a24a3e8fe92627e399e348e1fc01b5ba691b2282e91fb534374f1f84ae499e0cb0b767f543b276355bd7bef142cc252a5ebb13e0968431 |
memory/3540-147-0x000000001C0B0000-0x000000001C0F0000-memory.dmp
memory/3540-148-0x000000001C0B0000-0x000000001C0EE000-memory.dmp
memory/3540-149-0x000000001BA30000-0x000000001BA5C000-memory.dmp
memory/3540-150-0x00000000012C0000-0x00000000012C8000-memory.dmp
memory/3540-151-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-152-0x000000001BA30000-0x000000001BA54000-memory.dmp
memory/3540-153-0x000000001BA30000-0x000000001BA58000-memory.dmp
memory/3540-154-0x00000000012C0000-0x00000000012CC000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\3hvr0mwu.cmdline
| MD5 | 3691c68acfe40928e5c0c20e7fea202d |
| SHA1 | a9eba9815550afaf43a73cda28b19b00df071f37 |
| SHA256 | a80d111b423b02d402525a1833f2496d65995f18a1be92a311df0ee6b67e5298 |
| SHA512 | f2858afaed50dc8ca445f8a23035006f1881df074ca6804cebfea8e3670ecc86bcb8b99069d3e2546f70563d64321b781ae57913cb1a41bef79ba2d4ee6d29f1 |
\??\c:\Users\Admin\AppData\Local\Temp\3hvr0mwu.0.cs
| MD5 | b3bdb678282b9e882e287e05d750b921 |
| SHA1 | ee3258a4fa3a80f486bd1e46f139a60438ab0a8e |
| SHA256 | d8c50a50e2d8fa934420aa14bca017e9169023f77942582e48fed2f598d3ca80 |
| SHA512 | 66f318a7843e8b1481c3211bf94e51ed6b0219031f1397868c9b9ec956769091fb536261f29540b2bcd6c4384d8a7f438ae7e299334af111a16b8929d1aeb1cd |
\??\c:\Users\Admin\AppData\Local\Temp\CSC6542.tmp
| MD5 | 8b45b3a9ba9845237db00ba833197a04 |
| SHA1 | 0cca346d0736bf047e53361e5816067246b97835 |
| SHA256 | a00cce43cbfb24ee9907eb7f7378ce099d92f1ff5b243bd84a748827439ca651 |
| SHA512 | d1a9af06e22e6c6356a84752ea145fac39c7a01f59a5d4028d074a1bebadda53c978c0d4ade7231d9f2ee269c85aaec21c7171ee00b40b24948d3ccc5afe7119 |
C:\Users\Admin\AppData\Local\Temp\RES6543.tmp
| MD5 | 0b1984643a00f5884f60d55bc4b54ec7 |
| SHA1 | f10fddff12fc59906ef161c3252f6b0620419c47 |
| SHA256 | 5839cf6b5b760b8b86d220bb6fa6fe0eb9b7e485699fc13f91136c271af087e3 |
| SHA512 | 074803e22c9096c5cb14008ab98f4f96d5940bedb54a4a90bb7f0b29c447d8e503e1d5c7d609c4a134bfaf7318d510afd8ca9bc0fd5f730b071a80c609afbd82 |
C:\Users\Admin\AppData\Local\Temp\jycxsbp1347.exe
| MD5 | dcca04149de612028b873ae7d9aa97b6 |
| SHA1 | 9ae343dd6c1d785ecd77daff8e19611c68f3fd71 |
| SHA256 | 60c74ae2fcb0b4350f03b09a13d13d9ddcae08074dd2e76282b443bdbeae8235 |
| SHA512 | 6b9930f2f78db28ebc053a037fc053f31247be2f596684bced1f1e2244c6d1ff6d46e9ae9559b8c748fc4581eee315dc6721dc155845c93a5b2a065982b51b7a |
memory/3540-168-0x00000000012C0000-0x00000000012CA000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ac5qvxzh.cmdline
| MD5 | 3246906fef056d154db88b738a1c7862 |
| SHA1 | d9a7745e104cc4b060962abc687baed9503b6ab5 |
| SHA256 | da9b63ebd282b34f7e3c80b8fa809fdad9b836cf75ae3e78fa6a9f76ded7c422 |
| SHA512 | 4f02fab500ecbc5d1eb7e9e32ea6652fb8ca45b4f9461516b80a652c03d11ab7aafe57fee4f6a0f11f6a625bdb7fda60e6551c67af462f6669279393d21ca5ed |
\??\c:\Users\Admin\AppData\Local\Temp\ac5qvxzh.0.cs
| MD5 | 9f0a5f7a8d3632889cfc040618fc7968 |
| SHA1 | fe1bbb4dff1cd3bc8523fae73de26bd324194c4f |
| SHA256 | b458fbeb96c04b80f6a2763d23baeb792930d5127bb64102694aba86d2a37c88 |
| SHA512 | ea2f188fdd5f7649e01239c623345842dd23af4420cfbf405f7087c91623ec00c7333f1f47f4df8657fe95d2d0c85c12cfd141522ecf2e590939ed7163d8ba96 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC65FD.tmp
| MD5 | 3766d6318b898cc3b79c859ad7d4cf39 |
| SHA1 | 457721497b7ce1a835536340ffdb08f0f2749741 |
| SHA256 | 075cc3dbaa46f183d5c116b6939581054b387b5f6ec5dff4c89809be3bdbadb1 |
| SHA512 | 4f4e1eedd1ffa4de8dc38823295c10d54e6054f691e2497d694e498d87e43b52a576f4f798a966f71640bb602439bcd6273af56fa5b660b1e84ef8dfe410ced2 |
C:\Users\Admin\AppData\Local\Temp\RES65FE.tmp
| MD5 | 86e6241b3f5f8c295e17e16192ec0b16 |
| SHA1 | 3d7342ea54a2d619a0418c42e2ac8bee3390dd20 |
| SHA256 | 2ba606b7bb4bea6ce578dd15d8ec87cef24679a9297287fe8b425732801c0b1f |
| SHA512 | 1f0806600f03dab2cd9df1237c43e32d40d3be35d95621b4d3d079cbb57f6d5041c1d2b9047b004cd9fff5a83399893db98f77502b774f4e9e9cb5f50683682d |
C:\Users\Admin\AppData\Local\Temp\jswrxyc1905.exe
| MD5 | 7b8b68a595be04c392cc30340a9c0212 |
| SHA1 | 5f9efc81de7ae8fa000a547aa96335e18724b4fe |
| SHA256 | 12d047dd1420632022da4ea0dc3d92e9aab475a5fa63293cd67dac18416844ec |
| SHA512 | a1ab2e2fb68d0a0d405a95ab99f4514d5317764b0fe04fce6b691cae966481d0e6ffab3e682a2589b04e8f0f10500a5ad840ff465c88c426145fd64ce57c0b04 |
memory/3540-182-0x00000000012D0000-0x00000000012EE000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\3rj1bhvi.cmdline
| MD5 | 763e5b3ec0f9d1ed372e3ea68bcef98f |
| SHA1 | c4ce449e7c2a7dda5cc16ccf044f408c6b3f690d |
| SHA256 | 5066c631c2ee368dcda2251c655613cfc79236710b96dc4cd06d3c4131127973 |
| SHA512 | 98f4630c093d8d9d19c494f9abc09236e30de66f60147f4e61d2fafc0b4f45766a06f58f8146f063ee0a95a0458b1c30c39cdb02145a16e285f57e1ad835059c |
\??\c:\Users\Admin\AppData\Local\Temp\3rj1bhvi.0.cs
| MD5 | 01fa76eb413f7a0b400f1641442f3ab8 |
| SHA1 | c7b684f36313894377172c2b53629bf4006b8a21 |
| SHA256 | e9511387c7c9e48d75ed936b6401609d3c2897e290f230bc1cd4aeb76741e0d4 |
| SHA512 | c369bb60364998168a0613eac5efbb8b909dbbdb758279f6370ee3702e991f24ca62ede700384fe8c0f00f08337555527d641f70be5e15efe319e1aadb7be7ea |
\??\c:\Users\Admin\AppData\Local\Temp\CSC6699.tmp
| MD5 | 6bfb230a7c18cff8a42dc8925a7d9566 |
| SHA1 | f12f67bda95dfb34ee9f5ac6ea670ced5e3bc36c |
| SHA256 | 21e2a311da9efa3e9f99ccedb668d2e33993591fb3f8a4e9842c6ddd75d3199d |
| SHA512 | 96f6f4473d658c8d6e6bc8cf5cf8d04f6cf25f349c7f641bc95e33d73d487ab24bf83c58522536dc270da665f046124e4b528931997d2ea83f45d328d02f4ad7 |
C:\Users\Admin\AppData\Local\Temp\RES66AA.tmp
| MD5 | e9a057c60ebb821f6c3a2f05fe024ac0 |
| SHA1 | c387986dbf6568db6b05ccfec0ce10cba1476b55 |
| SHA256 | 02be9208e8bac47736c6fb3ef762be7fc611eab86683f6234184c183517b591d |
| SHA512 | 67c93fc13bb64a91f1bda1ca47bcae0f9d09e8ee23d7233838dfdd161c74af3184ecc05efbce25a27f6ccf2fd482f24f3e069488fcd54af286fdeb3f1bc99e94 |
C:\Users\Admin\AppData\Local\Temp\aajzrbv1495.exe
| MD5 | eaa63083d1ca42acafc2d576dfbae922 |
| SHA1 | 34a16ee47f87683124bf20076b8ad8351e354e91 |
| SHA256 | f4c37708b94eb282a1a5f42552b31e1016dcbcdb878921b10c34cfbb68cea6ab |
| SHA512 | 6d2e5036891476fcf500239e213cccea63496dc7f3dc8a91761ad42e57807e6a1bf94ca60d33d65219ba7d2994c43ceb5abb63de6fad569af38f8ccf143bc55b |
memory/3540-196-0x00000000012D0000-0x00000000012EE000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ieqpti1q.cmdline
| MD5 | 583b9ddb4a5f4839312b9aaee32013d3 |
| SHA1 | b8517043bb7d60f15013ce465c8adaeda0d6628c |
| SHA256 | f4a0c1a0266dba2882d6a168db9148162912280478fbbf6f04b6e44aa731a7c5 |
| SHA512 | cec4e99b07fbfe746b768f60d24cf81b50f5d84bfa589439b6d9921c4a535218af2d9f1da0c1f5f973c88ed7981fff0c7161fd58e9e2fa213cb7e4e5ba42d3ea |
\??\c:\Users\Admin\AppData\Local\Temp\ieqpti1q.0.cs
| MD5 | cb7a62bfcd7fa1e43dae3fe6d4d2c77c |
| SHA1 | c1291962d189fb9ce282310e6ffc826f0822010a |
| SHA256 | a5201d0d08166402f77abaa9cdcc1efc3e689ddd4879780fc676dc6668f4b006 |
| SHA512 | e1a091a6b728f5c8154eb2fcf25761ffee68fc44de853fdf5e52327905607552f20a6660488cf44da91b9df73c5faeda4f2c15e22067f865fd1de2f25a725c77 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC6726.tmp
| MD5 | af887718c10447e4654ec386bf48b1be |
| SHA1 | 17de598d53c3346b58c59b578d85429a2e51f8f1 |
| SHA256 | 4430c6cdd6c0a7e494fbd4c4a868a0980301a1c5c745f1ad225a92a3ef3be25c |
| SHA512 | 4e6cb064708ff60f608d25b11ce78378362b187574a62a364c01f0db8f9f7427986ecae350a9748591e29bc03745f9dbd99b6ff9c73bc647b46fe8b31ac1df8a |
C:\Users\Admin\AppData\Local\Temp\RES6727.tmp
| MD5 | c88c921de1b33481e79534f08a226bcc |
| SHA1 | fd9fa190f187f85fbaf01cb88de741d47ad0cd99 |
| SHA256 | a8275f088d6e3e391280aa54a1ef0daf4541a69edfc0add58d4a09f06c6649ee |
| SHA512 | 6b21a845488bdcfd811dc93d259b1d64633adf70b5fe0cac48b921f2721b788f753c2ccede890442b0a6c8ec645b1a0763c8405985166cc70d254ad6530aec5e |
memory/3540-217-0x00000000012C0000-0x00000000012C8000-memory.dmp
memory/3540-226-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-235-0x00000000012C0000-0x00000000012CE000-memory.dmp
memory/3540-244-0x00000000012D0000-0x00000000012E4000-memory.dmp
memory/3540-253-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/3540-262-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-279-0x000000001BA30000-0x000000001BA58000-memory.dmp
memory/3540-306-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-315-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-324-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-333-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-342-0x00000000012D0000-0x00000000012E4000-memory.dmp
memory/3540-351-0x00000000012D0000-0x00000000012E8000-memory.dmp
memory/3540-368-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-369-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-370-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-371-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/3540-372-0x00000000012C0000-0x00000000012CE000-memory.dmp
memory/3540-373-0x000000001BA30000-0x000000001BA52000-memory.dmp
memory/3540-374-0x00000000012D0000-0x00000000012EC000-memory.dmp
memory/3540-375-0x00000000012D0000-0x00000000012E4000-memory.dmp
memory/3540-376-0x00000000012D0000-0x00000000012EA000-memory.dmp
memory/3540-377-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-378-0x00000000012C0000-0x00000000012CE000-memory.dmp
memory/3540-379-0x00000000012D0000-0x00000000012E8000-memory.dmp
memory/3540-380-0x00000000012D0000-0x00000000012E2000-memory.dmp
memory/3540-381-0x00000000012C0000-0x00000000012CE000-memory.dmp
memory/3540-382-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-391-0x00000000012C0000-0x00000000012C8000-memory.dmp
memory/3540-400-0x00000000012D0000-0x00000000012EC000-memory.dmp
memory/3540-409-0x00000000012D0000-0x00000000012EC000-memory.dmp
memory/3540-418-0x00000000012C0000-0x00000000012C8000-memory.dmp
memory/3540-427-0x00000000012C0000-0x00000000012C8000-memory.dmp
memory/3540-436-0x00000000012C0000-0x00000000012C8000-memory.dmp
memory/3540-445-0x00000000012C0000-0x00000000012CE000-memory.dmp
memory/3540-454-0x00000000012D0000-0x00000000012E2000-memory.dmp
memory/3540-463-0x00000000012C0000-0x00000000012CE000-memory.dmp
memory/3540-472-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-481-0x000000001BA30000-0x000000001BA5A000-memory.dmp
memory/3540-490-0x000000001BA30000-0x000000001BA58000-memory.dmp
memory/3540-499-0x00000000012D0000-0x00000000012EE000-memory.dmp
memory/3540-508-0x000000001BA30000-0x000000001BA56000-memory.dmp
memory/3540-517-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-526-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-535-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-544-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-553-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-562-0x00000000012D0000-0x00000000012E4000-memory.dmp
memory/3540-571-0x00000000012D0000-0x00000000012E8000-memory.dmp
memory/3540-588-0x00000000012C0000-0x00000000012CE000-memory.dmp
memory/3540-589-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-590-0x00000000012D0000-0x00000000012F0000-memory.dmp
memory/3540-591-0x00000000012D0000-0x00000000012EA000-memory.dmp
memory/3540-592-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-593-0x00000000012D0000-0x00000000012E6000-memory.dmp
memory/3540-594-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/3540-595-0x00000000012C0000-0x00000000012CC000-memory.dmp
memory/3540-596-0x00000000012B0000-0x00000000012F3000-memory.dmp
memory/3540-597-0x00000000012D0000-0x00000000012EA000-memory.dmp
memory/3540-598-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-599-0x000000001BA30000-0x000000001BA52000-memory.dmp
memory/3540-600-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/3540-609-0x00000000012D0000-0x00000000012E6000-memory.dmp