Malware Analysis Report

2025-01-18 04:47

Sample ID 241012-hj451stakq
Target Client.exe
SHA256 5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897
Tags
stealer guest revengerat discovery persistence privilege_escalation trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

How to read the signature tables below: the Process column carries the attribution. Rows whose process is C:\Users\Admin\AppData\Local\Temp\Client.exe, C:\Users\Admin\AppData\Roaming\indexworm.exe, C:\xdwd\xdwd.exe, or the vbc.exe instance that (like indexworm.exe) writes Startup\xdwd.exe, describe the sample. Rows whose process is OneDrive.exe, OneDriveSetup.exe, FileSyncConfig.exe or taskmgr.exe describe OneDrive's first-run setup and Task Manager, which ran in the win10-20240404-en image alongside the sample. Several behavioral1 signatures (Loads dropped DLL, Modifies system executable filetype association, Checks system information in the registry, System Language Discovery, Checks SCSI registry key(s), Modifies Internet Explorer settings, AddClipboardFormatListener, EnumeratesProcesses) have only such background rows and are not evidence about the sample. The sample-attributed behaviour in this report is: the Run value xwdx pointing at C:\Users\Admin\AppData\Roaming\indexworm.exe, the xdwd.{js,vbs,lnk,URL,exe} launchers written to the user's Startup folder, the Geo\Nation and CentralProcessor registry queries, and a merged .pri file written under C:\Windows\rescache.

Malicious Activity Summary

stealer guest revengerat discovery persistence privilege_escalation trojan

RevengeRat Executable

Revengerat family

RevengeRAT

Drops startup file

Uses the VBS compiler for execution

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Checks computer location settings

Adds Run key to start application

Checks installed software on the system

Checks system information in the registry

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 06:46

Signatures

RevengeRat Executable

stealer
No indicator rows were recorded for this signature.

Revengerat family

revengerat

Unsigned PE

No indicator rows were recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 06:46

Reported

2024-10-12 06:52

Platform

win10-20240404-en

Max time kernel

299s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
No indicator rows were recorded for this signature.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Drops startup file

The drops are by indexworm.exe (xdwd.js, xdwd.lnk, xdwd.URL, xdwd.vbs, xdwd.exe) and, for xdwd.exe, also by vbc.exe. The three rows whose process is taskmgr.exe are Task Manager touching entries that already exist (its Startup tab enumerates this folder); they are not drops by the sample.

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xdwd.vbs C:\Windows\system32\taskmgr.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xdwd.url C:\Windows\system32\taskmgr.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xdwd.js C:\Windows\system32\taskmgr.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation
No indicator rows were recorded for this signature. The only COM registrations with rows in this report are the CLSID, Interface and TypeLib keys written under the user's _Classes hive by OneDrive.exe, OneDriveSetup.exe and FileSyncConfig.exe (see "Modifies registry class"), which is OneDrive registering its own COM servers and shell extensions.

Loads dropped DLL

Process (Description, Indicator and Target are N/A on every row)
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe (9 rows)
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe (34 rows)

Every process in this table is OneDrive's own; no row attributes a dropped DLL to Client.exe, indexworm.exe or xdwd.exe.

Modifies system executable filetype association

persistence
All seven rows are OneDrive.exe and OneDriveSetup.exe creating, deleting and re-creating the lnkfile\shellex\ContextMenuHandlers\ FileSyncEx key, OneDrive's shell context-menu handler for shortcut files. The key sits under lnkfile, not under an executable file type, and no row is attributed to the sample.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Uses the VBS compiler for execution

No indicator rows were recorded for this signature. The process it refers to is C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe, the Visual Basic .NET command-line compiler shipped with .NET Framework 2.0 (not a VBScript engine), which appears above under "Drops startup file" creating Startup\xdwd.exe. A compiler writing an executable into the user's Startup folder should be treated as sample activity; the report does not show vbc.exe's command line or what was loaded into it, so whether it compiled a dropped source file or hosted injected code cannot be settled from this excerpt.

Adds Run key to start application

persistence
Of the three values, only Run\xwdx belongs to the sample: it is written by indexworm.exe and points back at indexworm.exe in the roaming profile (note the value name xwdx against the file name xdwd used everywhere else; a hunt should match both). The two RunOnce values are OneDriveSetup.exe scheduling deletion of its own cached installer copies, which is OneDrive updater housekeeping.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Users\\Admin\\AppData\\Roaming\\indexworm.exe" C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
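The two persistence tables above (Drops startup file, Adds Run key to start application) are where the sample-attributed behaviour concentrates, and the same tables mix in OneDrive and Task Manager rows. The Python below is an added example, not part of this report or of the sandbox that produced it: it parses rows in the report's flattened four-column layout, attributes each to the sample's process lineage or to background processes, and pulls out the logon persistence. The SAMPLE_LINEAGE set is an assumption drawn from the Process column of this report, the parser assumes (as holds for every row here) that process paths contain no spaces, and the rows embedded in REPORT_ROWS are copied from the tables above.

```python
"""Parse flattened sandbox indicator rows (Description Indicator Process Target), attribute
each event to the sample's process lineage or to background processes, and extract the logon
persistence (Run/RunOnce values, Startup-folder drops). Added example, not sandbox code."""
import re
from collections import namedtuple

# Description vocabulary of the report's tables; matched as "<description> " so that
# "Key created" cannot swallow "Key value queried".
DESCRIPTIONS = ("File created", "File opened for modification", "Key created", "Key deleted",
                "Key opened", "Key value queried", "Set value (str)", "Set value (int)")

# Assumption drawn from the report's Process column: the sample's lineage is Client.exe, its
# drop indexworm.exe, the copy in C:\xdwd and the vbc.exe instance that wrote Startup\xdwd.exe.
# OneDrive*.exe, FileSyncConfig.exe and taskmgr.exe are treated as sandbox background.
SAMPLE_LINEAGE = {
    r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
    r"C:\Users\Admin\AppData\Roaming\indexworm.exe",
    r"C:\xdwd\xdwd.exe",
    r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe",
}
RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\([^=]+?)\s*=\s*"(.*)"$')
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

Event = namedtuple("Event", "description indicator process target")
# kind: "Run", "RunOnce" or "Startup"; name: registry value name or dropped file name;
# payload: what runs at logon (the value data, or the dropped file's path).
Autostart = namedtuple("Autostart", "kind name payload process from_sample")


def parse_row(row: str) -> Event:
    """Split one flattened row into its four columns."""
    for desc in DESCRIPTIONS:
        if row.startswith(desc + " "):
            rest = row[len(desc) + 1:]
            break
    else:
        raise ValueError(f"unknown description prefix: {row!r}")
    # Indicators may contain spaces ("Start Menu", value names); the report's process paths
    # do not, so peel the Process and Target columns off from the right.
    indicator, process, target = rest.rsplit(" ", 2)
    return Event(desc, indicator, process, target)


def unescape_value(data: str) -> str:
    """The report doubles backslashes and escapes quotes inside registry string data."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def launched_image(command: str) -> str:
    """The executable a Run value starts: its first token, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    """Logon payload under a user profile or ProgramData (the sample's pattern, not system32's)."""
    p = path.lower()
    return "\\users\\" in p or "\\programdata\\" in p


def autostarts(events) -> list:
    found = []
    for ev in events:
        m = RUN_VALUE_RE.search(ev.indicator)
        if m and ev.description.startswith("Set value"):
            found.append(Autostart(m.group(1), m.group(2), unescape_value(m.group(3)),
                                   ev.process, ev.process in SAMPLE_LINEAGE))
        elif STARTUP_DIR_RE.search(ev.indicator) and ev.description.startswith("File "):
            found.append(Autostart("Startup", ev.indicator.rsplit("\\", 1)[-1], ev.indicator,
                                   ev.process, ev.process in SAMPLE_LINEAGE))
    return found


def summarize(rows) -> dict:
    events = [parse_row(r) for r in rows]
    starts = autostarts(events)
    return {"events": len(events),
            "background_events": sum(ev.process not in SAMPLE_LINEAGE for ev in events),
            "sample_autostarts": [a for a in starts if a.from_sample],
            "background_autostarts": [a for a in starts if not a.from_sample]}


# Rows copied verbatim from this report's behavioral1 tables (Checks computer location
# settings, Drops startup file, Adds Run key to start application).
REPORT_ROWS = [
    r'Key value queried \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js C:\Users\Admin\AppData\Roaming\indexworm.exe N/A',
    r'File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xdwd.vbs C:\Windows\system32\taskmgr.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk C:\Users\Admin\AppData\Roaming\indexworm.exe N/A',
    r'File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL C:\Users\Admin\AppData\Roaming\indexworm.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs C:\Users\Admin\AppData\Roaming\indexworm.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Users\\Admin\\AppData\\Roaming\\indexworm.exe" C:\Users\Admin\AppData\Roaming\indexworm.exe N/A',
]

if __name__ == "__main__":
    for a in summarize(REPORT_ROWS)["sample_autostarts"]:
        flag = "[payload in user-writable path]" if is_user_writable(launched_image(a.payload)) else ""
        print(a.kind, a.name, "->", a.payload, flag)
```

Run as a script it lists the sample's autostarts; the Run value xwdx is flagged because its image lives under the user profile, while OneDrive's RunOnce value launches cmd.exe from system32 and is not. The same split applies to the other signature tables in this report, since they share the column layout.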

Checks installed software on the system

discovery

Checks system information in the registry

All rows are OneDriveSetup.exe and OneDrive.exe reading SystemManufacturer and SystemProductName; neither Client.exe nor indexworm.exe is recorded querying these values.
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Drops file in Windows directory

Both Client.exe and taskmgr.exe are recorded creating merged .pri resource-cache files under C:\Windows\rescache\_merged. Task Manager, a system component, produces the same artefact, so the Client.exe row is a weak indicator on its own.
Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Every row is OneDrive.exe, OneDriveSetup.exe or FileSyncConfig.exe opening the NLS\Language key; the sample's own region check is the Geo\Nation query under "Checks computer location settings".
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A

Checks SCSI registry key(s)

All three rows are taskmgr.exe reading the disk's device properties and FriendlyName; the sample is not recorded querying these keys. The enumerated device name (Disk&Ven_QEMU&Prod_HARDDISK) also shows the detonation ran on a QEMU virtual disk.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\xdwd\xdwd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\xdwd\xdwd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\indexworm.exe N/A

Modifies Internet Explorer settings

adware spyware
The adware/spyware tags attach to the signature, not to the sample: every row is OneDrive.exe or OneDriveSetup.exe setting FEATURE_BROWSER_EMULATION for OneDrive.exe (the document mode its embedded web control uses) or a WindowsSearch version marker.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Modifies registry class

All rows but one are CLSID, Interface, TypeLib and ProgID registrations under the user's _Classes hive written by OneDrive.exe, OneDriveSetup.exe or FileSyncConfig.exe, i.e. OneDrive registering its own COM servers and shell extensions. The exception is the BagMRU (Explorer shell-bag) key created by C:\Recovery.exe, a process that appears nowhere else in this report and whose origin the report does not show.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\ = "UpToDateCloudOverlayHandler Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer\ = "OOBERequestHandler.OOBERequestHandler.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Recovery.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ = "SyncEngineFileInfoProvider Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ = "IGetSpaceUsedCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_CLASSES\ODOPEN\SHELL\OPEN\COMMAND C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ = "IGetSyncStatusCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "IFileSyncClient3" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ = "IFileSyncClient10" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ = "ISyncEngineHoldFile" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\ = "OOBERequestHandler Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ = "ISyncEngineCOMServer" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\grvopen\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /url:\"%1\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ = "ISetItemPropertiesCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ = "IContextMenuHandler" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID\ = "{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\ = "ErrorOverlayHandler2 Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ = "IGetItemPropertiesCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\odopen\ = "URL: OneDrive Client Protocol" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ = "ISyncEngineCOMServer" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider.1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\xdwd\xdwd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\indexworm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1532 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1532 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2424 wrote to memory of 2196 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2424 wrote to memory of 2196 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3052 wrote to memory of 448 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3052 wrote to memory of 448 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3504 wrote to memory of 5088 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3504 wrote to memory of 5088 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4264 wrote to memory of 1380 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4264 wrote to memory of 1380 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3160 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3160 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1796 wrote to memory of 2580 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1796 wrote to memory of 2580 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3636 wrote to memory of 5028 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3636 wrote to memory of 5028 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1256 wrote to memory of 4232 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1256 wrote to memory of 4232 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2820 wrote to memory of 5080 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2820 wrote to memory of 5080 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1916 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1916 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1300 wrote to memory of 4792 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1300 wrote to memory of 4792 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1772 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1772 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 64 wrote to memory of 1744 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 64 wrote to memory of 1744 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 5016 wrote to memory of 4180 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5016 wrote to memory of 4180 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3724 wrote to memory of 5056 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3724 wrote to memory of 5056 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ctuqnx4s.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C928EB8389420DABB89754E6D868F3.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7fgxxnsj.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3EC2C3E76E14667BCC95BEB9536E682.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uyldj7hq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc982DBB0453514D079E3D20C227F9C0DB.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svnaose3.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE8C5EE6C41A4DF38416A3DBCF1E2.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xrau3evk.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53D98EA67EA44ADBBBB45C57F22E6E64.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p-gp2i43.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB74F39EA39294B5AA7DAD96E631ED0DF.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ghnmhwci.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc65369D76EFF04917A8B6C1DA3337411.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbcqk-rw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD68FEB616831466595DE657882BD1ABE.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dg-rob3v.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBBC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA85ECCB42AFC483D92805FBAEAD51472.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vuvfwj7k.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAAFEC1073664A09919E38DDF3CCF50.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_boipoq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFED407644BDF4A18B084C1ECBCEFD6F.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\incndkav.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc23478D4BCEC746B8A23EF95CB53BA4E8.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\imuyujqp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDAABE233978440CB032979FEB7ED1A.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\74u_rd3u.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF6445FE88DB48A0BCD97A54913444D0.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_cupljv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD81.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5324A41283D049EE8FE38959C5F4C4.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\14s6mmqz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D677D23D6AD4028BF46CCFEEC398AD.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g7ya92q7.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A325A5D51074E1B84DA74E0E2D2E762.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wukviwxu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5C9442616F740D9831C33DBC13832E6.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a3pwktv-.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACCE8E4E892346BD9A3EFF8C57D59AA.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\agymx-tz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc625D6CF9D63465CB9BE502BD32D3D91.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7g9w3sah.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD021.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBBD49DCD885468DAAA428161A41EFE.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bqt-etuu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD06F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3276D314DC449079BB5EF0A5135B4.TMP"

C:\Users\Admin\AppData\Roaming\indexworm.exe

"C:\Users\Admin\AppData\Roaming\indexworm.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

C:\Recovery.exe

"C:\Recovery.exe"

C:\xdwd\xdwd.exe

"C:\xdwd\xdwd.exe"

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

/updateInstalled /background

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bdulhlup.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB60C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C9F0D0B9778486CB840D71DDD918376.TMP"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Users\Admin\AppData\Roaming\indexworm.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_hv0eh_5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB699.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc981E6D677C844D8199EC20438F25805E.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdvays4o.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB716.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED3B3A5B45C5482CBA60BEA4742795B3.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hdvwoz2c.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AEC7C491AAC430CB980B445486347A6.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ble7mrss.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB84F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EFE2D4CB7D410B9F7DBDEE4AB5F985.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4pnvsski.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56D106AC152B40C487CB9A39F3A5F92.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zdlnlutw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5C3BB5CF29542A782315D563CE85314.TMP"

C:\Users\Admin\AppData\Roaming\indexworm.exe

"C:\Users\Admin\AppData\Roaming\indexworm.exe"

C:\Users\Admin\AppData\Roaming\indexworm.exe

C:\Users\Admin\AppData\Roaming\indexworm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 Pizd11337-26540.portmap.host udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 92.129.74.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.197.219.23.in-addr.arpa udp
US 8.8.8.8:53 Pizd11337-26540.portmap.host udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 132.194.113.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/2304-0-0x00007FFD1D035000-0x00007FFD1D036000-memory.dmp

memory/2304-2-0x000000001C040000-0x000000001C50E000-memory.dmp

memory/2304-1-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp

memory/2304-3-0x000000001BA40000-0x000000001BAE6000-memory.dmp

memory/2304-4-0x000000001C580000-0x000000001C5E2000-memory.dmp

memory/2304-5-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp

memory/2304-6-0x000000001CEA0000-0x000000001CF3C000-memory.dmp

memory/2304-7-0x00007FFD1D035000-0x00007FFD1D036000-memory.dmp

memory/2304-8-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ctuqnx4s.cmdline

MD5 2aed3fc7ab699cacc32016f8d07cca41
SHA1 fe792c060c4efdf8fddf98de3f77430e869bcba2
SHA256 cb6d0c9713757f10e3afeff0b7bb15f73bc844878a71f01ca1612018dc10cd63
SHA512 e9b3ce44a5ac849bd986d6bce308e6042ac699cc73c2de697fb2a535d0d93f9b6526cd10d24b9e50864364b0a2df06696a8be5a2e2695d29bdd3fd8a6cbc0326

C:\Users\Admin\AppData\Local\Temp\ctuqnx4s.0.vb

MD5 ed48ecd501fd2ec90b9359de04fc1a18
SHA1 9dd35b37dac1f0908fdafbb971157f576cb31c22
SHA256 3454a8ec9826e999653b677ee666c64116c8881a13fdaf16dc3e4153fab0dad3
SHA512 0006bb695aadfe28b3f6005772d9d53700c01392abdb9f3eaf4a8c7a48af7efa7bdc47a8a569e609070476e7f8fe1afc2701c529edaa8d03ecf7343e843b0772

memory/1532-17-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp

C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c350868e60d3f85eb01b228b7e380daa
SHA1 6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e
SHA256 88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7
SHA512 47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

C:\Users\Admin\AppData\Local\Temp\vbc1C928EB8389420DABB89754E6D868F3.TMP

MD5 53aadde7d4dde82227b316b57a5a7209
SHA1 28076dd0bdf1724ec1293a7dc54f95fac210d974
SHA256 1c469b6462e5e53adfc7d23eb770264179ab167ce9dcb2814c51bb8730b6eb97
SHA512 95dd34a020812d7f888d66ff23e11327cbcc0d2217c02297b10373a5819763f2e00ef0dd2be2fea346303181ca8e19425e7d956f9ef18e9a41d89a1f3f2bf3f1

C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp

MD5 38876ef7f22cfd9af4972809e759e358
SHA1 b69cca140f8a3097d3e7000de03c18a8546c8808
SHA256 e83baa291a2ea38c59e840a171c3956d2001f84b662d6d8abe96c8ce028b1135
SHA512 b186a56f90a0c5db5005037075744f457af06c09cfc524641236ec972d887b1c5baca29f6b3445501aef6a6ec0da2a8b3526f815eb7e4c1ae7f31f702dbb149b

memory/1532-26-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7fgxxnsj.cmdline

MD5 58bfb7200c0c8616b57cc8aae3a028ef
SHA1 c83b8bf944de030c4dd665d371e3b5584b177e52
SHA256 91f3ff5d3b28c2f8a9bfddb0e16dd5833cbf1776d6c9183ba0a479f136df0fe7
SHA512 c32101342976cecf84721d5a892f25b05a673b901f0dadb6cef4baf41fd240478cf876ed9cc43a4bb9b61af17f99365a7b48acceb8e79aa92f5f260b8a6fa0d9

C:\Users\Admin\AppData\Local\Temp\7fgxxnsj.0.vb

MD5 2824033d9d2f8ee59347116377cf6d9b
SHA1 fa5ac5a217129274f3df610e90dedb13a5dfef82
SHA256 c5a03d253201eaad5738d91cd7a6d239348a2e54a8edb19c50c110466ebdb736
SHA512 a76a3b01d94964df9b48f254e0c8bdda5bef5291431f06fdf3c7c897c04c8ceeb8dbafa61d01dda153712247133104c870ef234f603e0c9a8e8c480c0692ef7a

C:\ProgramData\xdwd\vcredist2010_x64.log.ico

MD5 d5997b8f3f9665fe1cd7defb29cff584
SHA1 7b281c8982b042d77e7a53ce282eab7f8417adc7
SHA256 ba40f96904ef649d30f9477d2e1b770b312832ba81e6345946645c15dd4ceabc
SHA512 88f66652b43ccdb551c9e876eab1e7f0bdbf2b8c19bb9b871402e94d1e826424b917495dd3b79c228724f49d1495cd3cea49fafb7a14f23e5e1eb6a29b68871c

C:\Users\Admin\AppData\Local\Temp\vbcC3EC2C3E76E14667BCC95BEB9536E682.TMP

MD5 56c0e1de5d54a9343c889512a081ad5e
SHA1 e038b653980f9f8b9335922b4ef40d444234ef49
SHA256 58c3ddf3785bab4658cf688008cd0ca6bac847b14558b4a4b5eee84cca6faee8
SHA512 a1fd2240584d067d9c657b3e30a108bad2980418c45292670ccf4d47ca89c930ec446ab972a9ceb1a4ad0a7b4408b4dc9c556c2cb681df0ccd6d150c3d767ae1

C:\Users\Admin\AppData\Local\Temp\RESC9B8.tmp

MD5 c663caace00277cb41b176eee4cf3660
SHA1 c2ff17ec76955ac3a24f7cba0262d3edfc139113
SHA256 5eab3d93973e5d112a345fb031ea24a1a43ee61e0f60639d02ecf91de4a264f2
SHA512 1708586ccb996aa6e47a37707fb337ea10e5858f7dd015aa220040809d2c6e006f2b1eefb13ff9286606f732aa3b1b7e4ab94184d49d1a2ea7ce7de38b672bf8

C:\Users\Admin\AppData\Local\Temp\uyldj7hq.cmdline

MD5 19fbd27a91f4fcdc19f8554d1722fb7d
SHA1 d581f11604757c98aca2ec803da908a24e6aa400
SHA256 ddaef066d5b9050eb0bfabd52893781e2b3b371f107dfdeae3a7dffc5ff40c05
SHA512 1cef2f7a838912ec0c4a8dfffe60f57c60843a6b6d1dcadbcb675e8648ed425b39d7cfb408f451e2237f9f0b82c9136a7caf164280728f221816eef3398e8bc8

C:\Users\Admin\AppData\Local\Temp\uyldj7hq.0.vb

MD5 98c697d0135e14aac926c0701a8b72e7
SHA1 bd49384492450141bd14dd525dadaea8b83f9d81
SHA256 369bf94866b4cf4a4c47182d19b4bd94d47dd4282b761faee0c68e7523432697
SHA512 79a5631b25737b5debcda7a1d0b21a26e927457a65431c93dd372fdd90c745d2df6744e9451b0880767f6b635a47d62b606c7dc1127391a8dedd86411bd09fdd

C:\Users\Admin\AppData\Local\Temp\vbc982DBB0453514D079E3D20C227F9C0DB.TMP

MD5 ee633ce28424d18ab62d4010d5b7aa82
SHA1 677ff6edd3591c4d9b65171cfa381333caa8d546
SHA256 8b124412e72ce9b96ff8c55b65ac532cf3492f30743240de3cbc4c3217720f10
SHA512 46fefc85a49bae5176838b9b1001db58f4057ea6d1ada8a4c937aa34d7b395c5cbad78e7cace4d6b2d4d546e484aea694f09da520bacc4dc71e3f826d4bc2d9f

C:\Users\Admin\AppData\Local\Temp\RESCA07.tmp

MD5 c7385b75fea326ea434fc23bf5adc2a3
SHA1 e5a47880b17660385cd9ba9a899047e26ce53dd7
SHA256 66d5a97a8daf59a159143e157bb73a42435b575110b76421c3995ba0e7686a17
SHA512 3963a09f14bf63f46da725756d4a8ae5888416207937a8dd47517999f9a338f5bac48fdaa6e595e0b0aac34c9e567bab217093fc58d53aa4950683305eb481fe

C:\Users\Admin\AppData\Local\Temp\svnaose3.cmdline

MD5 4ac87dab8467a322363ff1795e8c24be
SHA1 05f8f07e6164a83b27b3159e1a33e47181451709
SHA256 c83a87bbd3cd40d6422381ade33dd7636648456cdf5dc9b8f8885a6df4a598ae
SHA512 b00bb389922d974394542fce553e6675ef1aac27ca11fac2f316b7eba3cc1ba4ae5b48819478050800b0a8a81df356bc7ce7abfca74a1c953f441b25c0bfd017

C:\Users\Admin\AppData\Local\Temp\svnaose3.0.vb

MD5 f9d79311b4cca4c591aa8cfec028a6a9
SHA1 2c4d63d2b94e8e33b0349bde75889478d8d972de
SHA256 78f7a23fa14b298de205e44ba5fdea765cf33a4f72cd63662c0ae2b077154996
SHA512 25c75f86e2dfb2c863833b898741e8c903e763cbf13d40695d0a92c4845f480dcfba42cf1fd22da60f337a507ce71031bbb536f2be6ae1b77af974d3513f226b

C:\Users\Admin\AppData\Local\Temp\vbcCE8C5EE6C41A4DF38416A3DBCF1E2.TMP

MD5 f08c3ceeb9f75b488c227a88321d14cf
SHA1 04304443dddf2eab88e2f8bd2d6f1e15cc145ebe
SHA256 ec0228fc119c787c57a4411f4ce65a5ade7af3d228fe8e7b1e3c248fdbd0abfc
SHA512 93d836a8014c2e9cf234194cfbb67b797b8b69257afaefc782c8077785f915b305187152845a0594e1e12cb7574dff6470dcb626476128528ca77cf2ff12d470

C:\Users\Admin\AppData\Local\Temp\RESCA45.tmp

MD5 f8077f624ebbb78d58749abd339502d2
SHA1 78255c182d27ef6bac54a920e93deae3feb85973
SHA256 e5ac1918419a4669022c62ac94e535c187945da8af7d94d6db5c68eeb5299997
SHA512 373c4ae767c7dd37a9c6dbf3ac28d163c3bde05ad5ecfe2cdaf390892514a31e3f37f4b645bc415cc4b46be636170449aa73ad5b0a87fd6c4e29ba07973f42aa

C:\Users\Admin\AppData\Local\Temp\xrau3evk.cmdline

MD5 8d240f3a4da01d1a09db44c0e4f8da1e
SHA1 f6569aa5f59239dab5f58e414c8ebadf1aafc9d8
SHA256 6075e10cc1fbe291ab31fa2556b20978b038e43dbae0ff1057f00ca847623c85
SHA512 dac8872746fb2747541ead4b3450bffa43a4436c0aba7fc336e9b87d6a0b4b586ec2d4d1b4ea311b5569c57769df53831aec5b74db2b60dca61c53114c14d7ad

C:\Users\Admin\AppData\Local\Temp\xrau3evk.0.vb

MD5 b6f9730115de46756b567e8f913595dc
SHA1 cb8bdd820b9d9405b2a97af9219e08c85e375336
SHA256 099e93435c884d79a8c6e2f8ca3fa227c8870e93be10839fea687ea24bc3ef48
SHA512 aceb5f099294258276e49061cbda8098eab9ee2927318f27d07d35f7c8ea93c3056aa7a3e25faf28a810f20ed4fbf3137e1650086a45197891babb7cb0111732

C:\Users\Admin\AppData\Local\Temp\vbc53D98EA67EA44ADBBBB45C57F22E6E64.TMP

MD5 6109c8e816e691aa16df011af1b222e9
SHA1 3beafadd64c8b77c1bc10827d29ebdc784a55c73
SHA256 be380a83d0ebd463c21ca65a360ae9acf14bfa15e32d649e005c2cd3617c8acd
SHA512 a47ded32c0cef7910318f746221c3fc1facb23cd9232be30aacd83909a63c494133aff7c3147b87b5cb6207b92a8f0151e68e84359fd51101a9be888401d4031

C:\Users\Admin\AppData\Local\Temp\RESCAA3.tmp

MD5 a7182de80540a46666bf7e6e2501a168
SHA1 61d3e66475d4ed7f6051e21f475abd08918f973b
SHA256 4d3e6b805296e15ad788059e4504ebe1b721e79a6c449b8aab01cf818e546ef4
SHA512 a3e3c07e0bc8edf4195dab5e14b82de8fe71b1776857e2cbe400132b6f7ea9c583e516437a31fa65215dfd2bc2e2e04a82baec116ed98d9d7305621ddb49b247

C:\Users\Admin\AppData\Local\Temp\p-gp2i43.cmdline

MD5 0f9961a1325a1c9b9624a327e86caf61
SHA1 369269638afffe3c572dcfec6df19e8ed2e528ec
SHA256 3c3672f8b65fe977fd9139cafe114201e624cf76c7d2201d686d6462d6f826ba
SHA512 b478c982660e1700f23b23af1f19773e4206618632fa0ef460de431d87918e4354e93338085915db08c5016206d4b8302903b347e4e03e81f15ab0c27cfb1c1a

C:\Users\Admin\AppData\Local\Temp\p-gp2i43.0.vb

MD5 4776ddddec9bdbb929820fbaba208684
SHA1 cf10e4fbb3ce05c0b49f11a4d8167c5332809746
SHA256 3567c9e1bafcbf4f5bfb4913960fb5f6ca3b8c037cbf46053a2e1d9298de570b
SHA512 9a07faedfb1fe8c55f18bcf596d897d1ccad3ac173d5d24cc042722e684f21180511493fa21e76ecbb829d5cff5d4ad11a2c561534b26ce5f7a82d81b7598c67

C:\Users\Admin\AppData\Local\Temp\vbcB74F39EA39294B5AA7DAD96E631ED0DF.TMP

MD5 4ddc4c57fd1d38500f1e1e36d1c80dae
SHA1 037db607366a9f52bc9b60a6203bc4fc15b44419
SHA256 2d69af28605b08d20d9b191b2849bc88cae1f6a7956b2b24f7c7b3721fbcb24e
SHA512 5d7e027c821429d0296126d12e9c6ad94c205b84940a12d9ff78f3b1a3d9a58a57342a427078ed6e9d3d8218cbd6665c84651e3d0a89cdce1f7123bbd4c23fe0

C:\Users\Admin\AppData\Local\Temp\RESCAE1.tmp

MD5 e2f7e4e39696c687004b77e45081d470
SHA1 95b77fdad8aa420d4de647743da597e61ac04230
SHA256 78c2aa9d872d6d155dd1d717ea5f8bfa7a1ff73e5009066dd0972f6accde9fe0
SHA512 87cd66d8b0091e05f74e62ac34636df96964e14e7b68cac79d15f55238f5b83d77357f9e42d2919bb1f6b2f504b02b934123f2ad92cb4bb48360a9be885c25ff

C:\Users\Admin\AppData\Local\Temp\ghnmhwci.cmdline

MD5 fe91cf8fe54343da5ca7bbfabcc38c55
SHA1 7ce80498c1721602a98200659efc830ba796161d
SHA256 f5f08d4f6a9779e6161612eb6d7b00a5b7748eb45769c675f7d670fcc0e79c53
SHA512 46c801f34bf582512fcd7447fc877fcc77914a6d6fde9442801a511af269ae1d425ed005be36c7146d07d9022bfcd213830f4171fd04dc235f59b446c2df5129

C:\Users\Admin\AppData\Local\Temp\ghnmhwci.0.vb

MD5 07b10a393c633ddfe03650829ac72adf
SHA1 a91f5b666447054f750df3f10ca2f840a72243a2
SHA256 064ddb8b8da7931744430a9dbb24375788074db63fe9f0e74ac75c1afe274e00
SHA512 38880d1ad5442fa1fb55038c76f035031fe01f229eece65583774ce90c9f08fc34e5aa82f68d8cc587500f917d52e9eb47b29b989872359a803e0542f2f4dccc

C:\Users\Admin\AppData\Local\Temp\vbc65369D76EFF04917A8B6C1DA3337411.TMP

MD5 f4b8ccb9a2218a7426563bf602dbb3ce
SHA1 047e64c89bf897f2b908803c01e5767f0b3538da
SHA256 e78fa61a7dad18e3575466e634e76a8760f6e987c632b72140ada947fe7dfca9
SHA512 c057d11aa5821f0bf64a1c87ec3d48be4f0f3263b6d9d1b832a73d2e99372cef2457e0fff47696ce72e31f0969152c56132ab857371648d588c7e0f1ee9b4ce1

C:\Users\Admin\AppData\Local\Temp\RESCB2F.tmp

MD5 482aa0651bfd13f5b1ac99f5ef6628bc
SHA1 ab8065a7b9a14b051cb7f0dc9c1e18c2bae1dfd9
SHA256 5e1a0dee6dbc70bf45e2b7ec5ac6cccef0fe368e0e1a2885e233d24bb9151ec7
SHA512 79fede5fd0d1bfaeb9f61a104588e0626fc483869cd5e18cb9938d7cf0da58e29c4ec3cb89911005aa8793534cf0fb042a69f53757fc54ee5b3e42a2adabc1c7

C:\Users\Admin\AppData\Local\Temp\bbcqk-rw.cmdline

MD5 0d79d44abc2c86a8cf910f33ec8bf469
SHA1 98e6e99e8d9f7806ea52e56cc6c9ee768a8bf672
SHA256 7a51a3b7bd8e9d4f5d99df0d254192869d06a919f6c308d2fcf43a0ca393fa62
SHA512 749df5ae23f754bba4130647b4ca8210aeefd16c5b4ec7eff60eebce00ae8a30aac3779786144f758adeb429570715dc106d925e50543f6347663c0dee96fe76

C:\Users\Admin\AppData\Local\Temp\bbcqk-rw.0.vb

MD5 75088557db6e2a028811c00adbf5b987
SHA1 3804c2dce38b94228464e3d2fba2ea1e43298965
SHA256 28b93c7c4a19e5c158e45e40b5431129f7ba2a5b25e7991e01b1eb4b8077029a
SHA512 1e273bbe0252674e0658acf8d1aca6f359903dd607066f8053acfa60a573b07a8714cd6fc01b98c21422dad62c7c7a7177e45b9d019c7234724b29ab273122ed

C:\Users\Admin\AppData\Local\Temp\vbcD68FEB616831466595DE657882BD1ABE.TMP

MD5 2214c876093e68709179d742d5af1e95
SHA1 e67426c777b682b436c6addcd42fbee760f75ad7
SHA256 48cb47e939238a904a4eea243c4c0fd3ae383139513e418db024f23fd96ddffe
SHA512 08783085b534e1e107c4e9dfdc7698818989d36093efff3c9111691d8bc8f3927d0a652d2cc2ffb07f94f5681c67191340a3ae686a0581e36ad05b202bd2cf54

C:\Users\Admin\AppData\Local\Temp\RESCB6E.tmp

MD5 b4ad492bf84ba0c1593d41e25e988f77
SHA1 3768071b4111d6c3999d1bd9bf84c13d8c5697f0
SHA256 e401f108e55d966752cb4f2f22865e1db384b83b3d208d578f2fc81192ae1aa5
SHA512 ae7079e844cdcf47ea151b6fcc7c7dbd64a8125a20ccc742a1cbaa6131bbe1638d4ca7470a338b97cff0c9f088fbc360f4c8a82c51bcfc2bc50190867cdf750c

C:\Users\Admin\AppData\Local\Temp\dg-rob3v.cmdline

MD5 bb38b64af481d21704e2a37472bc76ab
SHA1 77038eab36c5d3b836ad6c423df37c3f950212db
SHA256 94502c756d7dd4325d78ddd4b1144974ab039fe604ae01e41f1ec2f6f3e14242
SHA512 638f42b88a6a83da1f5ec52171b9c00fb91d08e4573ca9395fd2b4516b35daa27139744c11d696fa3d5571a77c4e2fa2f3372ef4d5781682816009ae70b01245

C:\Users\Admin\AppData\Local\Temp\dg-rob3v.0.vb

MD5 5cc2df1b0de07a19c23de684597c5f07
SHA1 c868685bd6e87187e4a7d096a854de06e26c9ab1
SHA256 ec443d6c9ce9bfd961362da89d118060a10d309a3dd21b944805affe3fbe10cd
SHA512 3d541d6c7b9f470b34a61b6245277ce96d80f3cecaae7bab57980677ac7675abb9658f410bd6a1994f6cdbfa827b0209c83a11d1397298ba7238f002fe3c9828

C:\Users\Admin\AppData\Local\Temp\vbcA85ECCB42AFC483D92805FBAEAD51472.TMP

MD5 a95dc928661731a2886629b581abb171
SHA1 e681c1074892cbf7a07f9234a129a1afb6e26efa
SHA256 74ff7a7faf9652ac7ec7d5593154064a2ea692e9e2c8793f9f0cc8e7e73f31f6
SHA512 dc1cfa1b7a745f0190f7b6ad45ca72f21c6582a34429663f02459dadae476ecce720b1bf3fc62a3b1410b77a1de34ddcafb520f507fffa94b81864f599feb004

C:\Users\Admin\AppData\Local\Temp\RESCBBC.tmp

MD5 098b4acf78a0e9dc460c5204b905d0bf
SHA1 bac6bcf12c9f9e1f873e8f161cdb9982c6ccf4db
SHA256 77252adfeac953cc0e427778bedb63fb5c897155e77ad46cc5cc3b5def1ab0f7
SHA512 82cc8f2215eb37e6452b3e4638f336aea50c2282b31ac5eddbd68a9b6597550598f805e259bbec3ec361bd565fca03195b788c570518e89caf8e9a0165068cc3

C:\Users\Admin\AppData\Local\Temp\vuvfwj7k.cmdline

MD5 45e76c5496a775ac8be1ecc5813d1794
SHA1 7c0d3036d2e6d94468497960ccf29bec145cd300
SHA256 f84cf090badd59c92194fa8cb683aae1d2b9991c899dd5e5d6654fefe2a75229
SHA512 695579efb59b9f2955b2695d08b54143f23746ee6efa4b165995963b7bf2e109cc92263da339d03b2af3cbb3b242a0bede0062ad3821cdf39e990138c61cd2e5

C:\Users\Admin\AppData\Local\Temp\vuvfwj7k.0.vb

MD5 a03f23d29973b0c1ad52e9c77c713e98
SHA1 0c425f07f98a55674c1efad5ac33e0af65255f35
SHA256 ee182384e0363b2f14b3d7530c943d350f9923fb3f7381fc29b90ec513f9498d
SHA512 36673b6c81f8f3fac8fa46ab418df69304a2caed5cf4bc860fe36cb19a00ade06562121b6aadff9395681da497a82a433b9a821041e81b152fa0f3e0facae491

C:\Users\Admin\AppData\Local\Temp\vbcFAAFEC1073664A09919E38DDF3CCF50.TMP

MD5 ad7e0c7168ed15f96d343a38454d080a
SHA1 8fac85701ad6b2bbe60ccc5ea0a839d911d26f14
SHA256 6232a3d19aefb51a81502ada1177f6a6c4f26a909ad5aab3d86de51985f01cca
SHA512 4284ddf89e11affef3a8f00792a8b71a13f1684113e61cac7c309ba7e86c655d3fe45ff10d42abf0ad002876fef5617f00dd8f6a012b38b9df8c7d1d55ab7fd9

C:\Users\Admin\AppData\Local\Temp\RESCC0A.tmp

MD5 7d1d4edcb74b5c0ed3d505c08314440e
SHA1 1df1e53d5461585bca3fbc6bba8d72659b2490bc
SHA256 f58083d142a1eca96e8c0d94d236cbbc560a344534d60b2d449e2818b9fb49ff
SHA512 2484400ea34379e9cef0c31a504c098e7bd6be8b6d7c6ab7662261ae243fff02326bf5540889a53f7ba6d9e799496580c204781b4e4281365128b42f83bbe2ee

C:\Users\Admin\AppData\Local\Temp\u_boipoq.cmdline

MD5 d71e85fab17c81da113b08b677620540
SHA1 7147b652e25a867a9da292d0cb4283f13431946c
SHA256 f660a97265fb0b654ea1ad007eb190713b6004ba7f9f751b62bfb6afd1cdfc65
SHA512 0d62369381178e92802221c8418b4ed7c31f205f27a20f009e45ad2c46c5a196b9c645944ad76563c824fc7fb42b954c68416556f7bc1f8cc9e5a6a93042144b

C:\Users\Admin\AppData\Local\Temp\u_boipoq.0.vb

MD5 7e552aa475227fe451bbf11a52d9b811
SHA1 933058d53d848d3daf1246ab7185beb9e101c302
SHA256 d23f1a481fd7538ff94e15558af73221d61e6bbc2eec208740c90bcb5fa0eb8e
SHA512 dde6f810ada06beb517e583720afa3edad4ccc740e1ff6a4ac21403e1227487d6a8c4ed2b15dc2bc6eaa5b84a47b03ac6b20b356b0260d55a4ee64fe53aa6026

C:\Users\Admin\AppData\Local\Temp\vbcFED407644BDF4A18B084C1ECBCEFD6F.TMP

MD5 548c704c2c8add1705f3e9e277982a99
SHA1 2729f1c3ecb360275a1803097a1799fc0fe71b1d
SHA256 a8c38a9119b97c59c2cde0cb10c171e32b69ea4cc5e27dc366d933a3d00ceca4
SHA512 53cbdb43af99693b8d2fe78441b2fa3f8b6620f3fb569efef81bac2d92e7037427f8ff871606a7cc1bbec85ffa137bd8bdf2081d64cbc793302feb0f9418158a

C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp

MD5 d21f62506146e18663b4308160a99a11
SHA1 fb970df2f28c8ca861d92d9c717fe114fde7df33
SHA256 3ceda4ba4c443bc6bcd70c2a5de9abb9b9c6d5f05b5210334d1ab9aaf98fb143
SHA512 de619289692f846d9364ff9b29b06c306e84e7a3fc280e659e18879423ca1aced46f3caa86a6954267c2173236bbce3b2b92e680af1fc7f60b0b4c7d45da8091

C:\Users\Admin\AppData\Local\Temp\incndkav.cmdline

MD5 e23e84f62a168c3af58785a4eaf90743
SHA1 e18110c551dd142682c270bd437dab0ea65b1e91
SHA256 e6edd0675bcc0ccc0c65bb1a3b7e4dbd0111204b0056485eb6a77b3b6cb5e9a0
SHA512 674ae61bcd95af294347bcbf59ef56da1024f3bc885a5b9384c78d17cab1f0529717ebd431beed124b6a705bc1a3170b2c01d548cfb9fa365b57506ea7aad05f

C:\Users\Admin\AppData\Local\Temp\incndkav.0.vb

MD5 102f791566f6024af32b6e4eb24614d5
SHA1 03b4cce2ab9c69efd37795f7a0265f898bef605f
SHA256 a3b30928d3848dc1c5ed6fba7dadc767ce3e6ba026460f76171a239defe92b76
SHA512 09c693c5c60d29834ec7bfa0012eee38afdc4ff0f3db41f54bac380e019db13e607c14503d3abec3abb5f73d82737137b05ff0ec316f082fc395b308406d62a7

C:\Users\Admin\AppData\Local\Temp\vbc23478D4BCEC746B8A23EF95CB53BA4E8.TMP

MD5 29c5a9e999a66e2a2c21bf393981b4d7
SHA1 f34fe08de19e1032819879e91988b1126eae207e
SHA256 17f40a3896dc18d0f928a701152bbd5086963dbbef39b35704730365fea5f4ee
SHA512 1a6ff42cd0e832509b6b1972947df8709009bbb952cc8d347aa2cca17b3ff74564c4e610626eceefebf8bac878663a9b97b428f22738f0c39b3b95ec7059da47

C:\Users\Admin\AppData\Local\Temp\RESCCB6.tmp

MD5 5a99a05fff6b5a0c9f044e2ff55244e7
SHA1 48fe5e82b067146eb587f014089f9b1a2555a30e
SHA256 f96ae275c3098dd35821ee3f6aefb6ee7d300dd5ebe7d07c9926b84a3ec5c8d6
SHA512 887e3aa91306a6906b1d240b3b01b052b42178f9cd732c68e3323be4512b3b9588d1fa3d0135748165f3fb4537529b6f038804f3b1b0ab034ecbb192536247eb

C:\Users\Admin\AppData\Local\Temp\imuyujqp.cmdline

MD5 e5f6fb55730ad0d2114c4558d149da44
SHA1 e0210a588faeac986840b332d33a5717ff19936c
SHA256 3b3c36a71690c8ddac6337bd776aa0ad541d763070c9ff1bf57f982bcc548dd5
SHA512 bcc5690cefc1e16af2e5bf4dd403dd4e96bc9d653efda6f352d3c25771b263deffee9359a2b4865a13f079b415d167a6c0a13b6f4e95ef9a0718547c027f64b4

C:\Users\Admin\AppData\Local\Temp\imuyujqp.0.vb

MD5 8c5c94ce9523fc00aa8f77ba9970c844
SHA1 fdca7988fb823d599eb00de2be871f7a3f557ba6
SHA256 22ca27df429206fffa3e79ebe49f4af70ffc6400b7957b07f26c0c2f37e28e69
SHA512 e4cd952f68a29a9b3705f413a6c272c871bfc5b6e24c3c96ce1d309975f83aa51885111182fa623d6780715825989d1111e4b7dce777b8dabc94e764f2e1eb7f

C:\Users\Admin\AppData\Local\Temp\vbcEDAABE233978440CB032979FEB7ED1A.TMP

MD5 6a6db771159557442920c503a43904b6
SHA1 8df46af5cf7d84e8f7817aba14b704a08ee16697
SHA256 19acca242ec156ef6483efae24486c3bc547a7d6add870e825ea30e6e7b140ca
SHA512 748a5e972b1c45246313dc2d9c7aa31f4434dee74946e41a6a1e90dccef7f38eb26d6e185cb772480e7bc24b4d896132966c602931e0d9dc7b4ad5a4b8628ec6

memory/2304-241-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp

memory/2304-295-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp

C:\Users\Admin\AppData\Roaming\indexworm.exe

MD5 72292b69bc9a8b6191cd4f83db9b8598
SHA1 944c73806a03a3eeaabab1ece053710ee613e1f9
SHA256 5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897
SHA512 ee1365626a806687cda20a8654e151fe92b4a78512ea97941aa9875ad8775c47ee6631c828739d6c72be7bf5fe547332084488ef964feeb45dec6507f5e67ccf

memory/2304-300-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

MD5 e516a60bc980095e8d156b1a99ab5eee
SHA1 238e243ffc12d4e012fd020c9822703109b987f6
SHA256 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IOKXFE4P\update100[1].xml

MD5 53244e542ddf6d280a2b03e28f0646b7
SHA1 d9925f810a95880c92974549deead18d56f19c37
SHA256 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA512 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

MD5 fb4aa59c92c9b3263eb07e07b91568b5
SHA1 6071a3e3c4338b90d892a8416b6a92fbfe25bb67
SHA256 e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9
SHA512 60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

MD5 b406e3eaa34ec784e702b263576f7321
SHA1 8216157abcfd25ffd27a45dcb9d385d6e1dce8eb
SHA256 74fb4f98bccc83241fa428e1e778d01bfd3fceb6ef52cf9a946960f6cc96c095
SHA512 98bb842dfceddb2fa17ce7bdd3763d6fa8f7dd44e2d4c8234937f3f99ac79287114ace0ba0e97bf679bba1c3baae5e332bd16e26e711b940336d2475a74feb1e

C:\Users\Admin\AppData\Local\Temp\tmp9EFA.tmp

MD5 5b16ef80abd2b4ace517c4e98f4ff551
SHA1 438806a0256e075239aa8bbec9ba3d3fb634af55
SHA256 bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009
SHA512 69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

MD5 cc04d6015cd4395c9b980b280254156e
SHA1 87b176f1330dc08d4ffabe3f7e77da4121c8e749
SHA256 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e
SHA512 d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe

MD5 c2938eb5ff932c2540a1514cc82c197c
SHA1 2d7da1c3bfa4755ba0efec5317260d239cbb51c3
SHA256 5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665
SHA512 5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

MD5 72747c27b2f2a08700ece584c576af89
SHA1 5301ca4813cd5ff2f8457635bc3c8944c1fb9f33
SHA256 6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b
SHA512 3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

MD5 b83ac69831fd735d5f3811cc214c7c43
SHA1 5b549067fdd64dcb425b88fabe1b1ca46a9a8124
SHA256 cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185
SHA512 4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

MD5 e01cdbbd97eebc41c63a280f65db28e9
SHA1 1c2657880dd1ea10caf86bd08312cd832a967be1
SHA256 5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f
SHA512 ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

MD5 09773d7bb374aeec469367708fcfe442
SHA1 2bfb6905321c0c1fd35e1b1161d2a7663e5203d6
SHA256 67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2
SHA512 f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

MD5 771bc7583fe704745a763cd3f46d75d2
SHA1 e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752
SHA256 36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d
SHA512 959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

MD5 de5ba8348a73164c66750f70f4b59663
SHA1 1d7a04b74bd36ecac2f5dae6921465fc27812fec
SHA256 a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73
SHA512 85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

MD5 f1c75409c9a1b823e846cc746903e12c
SHA1 f0e1f0cf35369544d88d8a2785570f55f6024779
SHA256 fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6
SHA512 ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

MD5 19876b66df75a2c358c37be528f76991
SHA1 181cab3db89f416f343bae9699bf868920240c8b
SHA256 a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425
SHA512 78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

MD5 8347d6f79f819fcf91e0c9d3791d6861
SHA1 5591cf408f0adaa3b86a5a30b0112863ec3d6d28
SHA256 e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750
SHA512 9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png

MD5 d03b7edafe4cb7889418f28af439c9c1
SHA1 16822a2ab6a15dda520f28472f6eeddb27f81178
SHA256 a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665
SHA512 59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png

MD5 57a6876000151c4303f99e9a05ab4265
SHA1 1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794
SHA256 8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4
SHA512 c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

MD5 adbbeb01272c8d8b14977481108400d6
SHA1 1cc6868eec36764b249de193f0ce44787ba9dd45
SHA256 9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85
SHA512 c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png

MD5 a23c55ae34e1b8d81aa34514ea792540
SHA1 3b539dfb299d00b93525144fd2afd7dd9ba4ccbf
SHA256 3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd
SHA512 1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

MD5 f4e9f958ed6436aef6d16ee6868fa657
SHA1 b14bc7aaca388f29570825010ebc17ca577b292f
SHA256 292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b
SHA512 cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png

MD5 e593676ee86a6183082112df974a4706
SHA1 c4e91440312dea1f89777c2856cb11e45d95fe55
SHA256 deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb
SHA512 11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png

MD5 13e6baac125114e87f50c21017b9e010
SHA1 561c84f767537d71c901a23a061213cf03b27a58
SHA256 3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e
SHA512 673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

MD5 2c7a9e323a69409f4b13b1c3244074c4
SHA1 3c77c1b013691fa3bdff5677c3a31b355d3e2205
SHA256 8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2
SHA512 087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

MD5 552b0304f2e25a1283709ad56c4b1a85
SHA1 92a9d0d795852ec45beae1d08f8327d02de8994e
SHA256 262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535
SHA512 9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

MD5 22e17842b11cd1cb17b24aa743a74e67
SHA1 f230cb9e5a6cb027e6561fabf11a909aa3ba0207
SHA256 9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42
SHA512 8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

MD5 3c29933ab3beda6803c4b704fba48c53
SHA1 056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c
SHA256 3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633
SHA512 09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png

MD5 1f156044d43913efd88cad6aa6474d73
SHA1 1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26
SHA256 4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816
SHA512 df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png

MD5 ed306d8b1c42995188866a80d6b761de
SHA1 eadc119bec9fad65019909e8229584cd6b7e0a2b
SHA256 7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301
SHA512 972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png

MD5 09f3f8485e79f57f0a34abd5a67898ca
SHA1 e68ae5685d5442c1b7acc567dc0b1939cad5f41a
SHA256 69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3
SHA512 0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png

MD5 096d0e769212718b8de5237b3427aacc
SHA1 4b912a0f2192f44824057832d9bb08c1a2c76e72
SHA256 9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef
SHA512 99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png

MD5 d9d00ecb4bb933cdbb0cd1b5d511dcf5
SHA1 4e41b1eda56c4ebe5534eb49e826289ebff99dd9
SHA256 85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89
SHA512 8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri

MD5 7473be9c7899f2a2da99d09c596b2d6d
SHA1 0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac
SHA256 e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3
SHA512 a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml

MD5 5ae2d05d894d1a55d9a1e4f593c68969
SHA1 a983584f58d68552e639601538af960a34fa1da7
SHA256 d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c
SHA512 152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe

MD5 9cdabfbf75fd35e615c9f85fedafce8a
SHA1 57b7fc9bf59cf09a9c19ad0ce0a159746554d682
SHA256 969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673
SHA512 348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL

MD5 bebc72eac54f0f26b6cdcad4bf5f7d5e
SHA1 d3648c192692f88917a18272e6d88d001a7a6554
SHA256 207668f0389121676e9a5120b5711e5e51860ea52703b8a0b7871622f85ffa2c
SHA512 8324834152024cf249092adcc2dbc70065bf1e40f1e05baab803454720d4445c731cb20d5c003a9b366e31f9389aca573ed82375d801b8621bbeeecf49c2eba6

C:\Users\Admin\AppData\Local\Temp\vbc1EFE2D4CB7D410B9F7DBDEE4AB5F985.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

C:\Users\Admin\AppData\Local\Temp\vbc56D106AC152B40C487CB9A39F3A5F92.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

MD5 62d4f80f78d2298a93c2f6fc1ae8eba0
SHA1 429e6b34179d4f68e08c291502e79bf1c752a6be
SHA256 0157ff297ae79cd1c8e5336171a391600dae775e291a071b090daf12d15efa52
SHA512 48aa6237036080f7385a5e044b8acf4abd63476110b634f3221dcdb518c7ae7fefe488bc37d578c0e9af685dd75289c18679cd36a1a6b8af2109d4ea27f61b5f

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 06:46

Reported

2024-10-12 06:52

Platform

win10v2004-20241007-en

Max time kernel

292s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe C:\Users\Admin\AppData\Roaming\indexworm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\indexworm.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Users\\Admin\\AppData\\Roaming\\indexworm.exe" C:\Users\Admin\AppData\Roaming\indexworm.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\indexworm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\indexworm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\indexworm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4724 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4072 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4072 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 816 wrote to memory of 1972 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 816 wrote to memory of 1972 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4432 wrote to memory of 3440 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4432 wrote to memory of 3440 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2832 wrote to memory of 3048 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2832 wrote to memory of 3048 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 756 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 756 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4060 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4060 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4944 wrote to memory of 3920 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4944 wrote to memory of 3920 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1792 wrote to memory of 4948 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1792 wrote to memory of 4948 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 2728 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 2728 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 852 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 852 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 432 wrote to memory of 112 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 432 wrote to memory of 112 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 380 wrote to memory of 400 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 380 wrote to memory of 400 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4960 wrote to memory of 2324 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4960 wrote to memory of 2324 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2940 wrote to memory of 3284 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2940 wrote to memory of 3284 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4648 wrote to memory of 3440 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4648 wrote to memory of 3440 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3776 wrote to memory of 1680 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3776 wrote to memory of 1680 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g1gdahtd.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4908D26E9E5944938F6B7AB025FBF31.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uylyzrrx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6E8B9FDFBB940D1BEF9BFAA1CB4DF32.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckxfyqd5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBCC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB3CBC2B7BA9471AA429C5E376C4B5A7.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-sjvnlua.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F035B83288E4D3FB4E0C09C2E6092A.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\scztj-kj.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64AD0A1E35564572BB722E4BC28DCA46.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x034ge93.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDB0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB43D82FA07948BC85BAE53E265E6E8.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jr7_rn-3.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D90BDD2162843869EF2EC27C17F1CB7.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-wcwa1ct.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E6E0CF5DF85437784641620864A13B.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zelprae6.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA168AACAF542758D6EEB1CE7E33D4C.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g26toir4.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5421A20A7DF54F85883772E309E22.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ktulmwhe.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF00E7DCCFC5641D599B2183C44C84CED.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s3c-hbwg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD002.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69E53D2A34854D7DA7B5F3C1BE33FE79.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iru5k0nq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD060.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF0A03D22BDF4DB580813EA2A55D41C7.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vktxbrpd.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0F42330CA6E405BB1AED8B08F76E1E6.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kiyply37.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD11B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc416B8A6CD9644227AB28BB801E14371A.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_zwscesd.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD169.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3945F6F0B15841AFBDBDBE2494AC5ED3.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y5men_le.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD282.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF504FE3C6947CF9F7CFFE1A2EF1CA2.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5e3uegv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD33E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B29F0B9D3AF421C92ED5C5315385F47.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oheq3tll.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD39C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE494BFCA95E1419E9A417ACC89B2A6C.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xq5y9gjf.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD428.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AF795D52C9C4078A287034C98A1E7D.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgt5lf3n.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD467.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc455FEB92B5884A668279987EBBEF4672.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmi7s_cn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70B6523356424D47B7E9E2A7F514773D.TMP"

C:\Users\Admin\AppData\Roaming\indexworm.exe

"C:\Users\Admin\AppData\Roaming\indexworm.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vsix_yra.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA97A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc209C5BD173B5427C835E428EFE239CAF.TMP"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Users\Admin\AppData\Roaming\indexworm.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a3htymvg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7800E785B0B4A8680A1858F43504A8.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r3w5eg9w.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD56DDA4B5434A25A9612E965D9C32B3.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lthj0dzm.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50F220FCF2834DA6BA6CA7CD90289478.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzt_pc3u.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58129BFEE4B549A4BE356716AF1C2792.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\udrvb50z.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B38C610BC6847759A25B82EE8849D7.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\used2k7l.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA124E70763B945B5BC18CF18602AA0F7.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s_j1p67f.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC27B5A4461CE44D09173C8467FAA4CA0.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0pqthrfu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB34EACBFFF1D434AA7282A14DD515A2C.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ytcz8gc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8ABD8ECEDC6C4B87BBEAE4201B15FFCB.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ykqxysyu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F5D6904B07A498CB88DB11C1FCAA259.TMP"

C:\Users\Admin\AppData\Roaming\indexworm.exe

C:\Users\Admin\AppData\Roaming\indexworm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 Pizd11337-26540.portmap.host udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 Pizd11337-26540.portmap.host udp
DE 193.161.193.99:26540 Pizd11337-26540.portmap.host tcp

Files

memory/4724-0-0x00007FFB81315000-0x00007FFB81316000-memory.dmp

memory/4724-1-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

memory/4724-2-0x000000001C350000-0x000000001C81E000-memory.dmp

memory/4724-3-0x000000001C820000-0x000000001C8C6000-memory.dmp

memory/4724-4-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

memory/4724-5-0x000000001CA00000-0x000000001CA62000-memory.dmp

memory/4724-6-0x000000001D3D0000-0x000000001D46C000-memory.dmp

memory/4724-7-0x00007FFB81315000-0x00007FFB81316000-memory.dmp

memory/4724-8-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\g1gdahtd.cmdline

MD5 df353d73902126b4a19a166013daf039
SHA1 da732900d6cd7ad32dc1350189a8f952ab3284b1
SHA256 bd2b1b8560c19e4c84deb2bb8ab3a6ccc206495a44f4a1fc99715e0f8119b456
SHA512 e549f79bd0b1e1a4dceed95ca802ca7bcf263532b2877d84aba7beb214522efde2f93db0d75fbe815acf1a3f4f9e89fe6bd8031d1b7cfab9395b62ef261388e8

C:\Users\Admin\AppData\Local\Temp\g1gdahtd.0.vb

MD5 ed48ecd501fd2ec90b9359de04fc1a18
SHA1 9dd35b37dac1f0908fdafbb971157f576cb31c22
SHA256 3454a8ec9826e999653b677ee666c64116c8881a13fdaf16dc3e4153fab0dad3
SHA512 0006bb695aadfe28b3f6005772d9d53700c01392abdb9f3eaf4a8c7a48af7efa7bdc47a8a569e609070476e7f8fe1afc2701c529edaa8d03ecf7343e843b0772

memory/4072-17-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c350868e60d3f85eb01b228b7e380daa
SHA1 6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e
SHA256 88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7
SHA512 47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

C:\Users\Admin\AppData\Local\Temp\vbc4908D26E9E5944938F6B7AB025FBF31.TMP

MD5 53aadde7d4dde82227b316b57a5a7209
SHA1 28076dd0bdf1724ec1293a7dc54f95fac210d974
SHA256 1c469b6462e5e53adfc7d23eb770264179ab167ce9dcb2814c51bb8730b6eb97
SHA512 95dd34a020812d7f888d66ff23e11327cbcc0d2217c02297b10373a5819763f2e00ef0dd2be2fea346303181ca8e19425e7d956f9ef18e9a41d89a1f3f2bf3f1

C:\Users\Admin\AppData\Local\Temp\RESCA35.tmp

MD5 3eae52002ad24b42cea2f99397f93711
SHA1 df84a5edaf3ef670e7f3bec6d081ab93707d061e
SHA256 5b0fc7762bf411c6390aba60e37100f4788a845073da5c205fd0bb8ac9e64e15
SHA512 1cff5685fa83824ffa5fe7fb790f904a258d95a471a92b48cb8c1e1d39713f45ab9d1595070329c693c2bb2ec49ed2ad1b1e46ac99595d9c5742ecf43c8676ca

memory/4072-26-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uylyzrrx.cmdline

MD5 a31e4bbe481719a51ef780e00da3592c
SHA1 8a4f2315672276d64e734dc6ea7acc0f2c1c7a34
SHA256 7ce63aaab885d6fdd6cfaeb724cf61609fc6525cf0e1f467f8291745b552ac58
SHA512 05cc4d4e615545031989928a1c635a5cdb1b4af670e8831daaa59bafa1ca897ef5fedeae54864ba0d517228966e4d41c0b2a7adb1422ca8b6e275f02bc3c6098

C:\ProgramData\xdwd\vcredist2010_x64.log.ico

MD5 64f9afd2e2b7c29a2ad40db97db28c77
SHA1 d77fa89a43487273bed14ee808f66acca43ab637
SHA256 9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292
SHA512 7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

C:\Users\Admin\AppData\Local\Temp\uylyzrrx.0.vb

MD5 2824033d9d2f8ee59347116377cf6d9b
SHA1 fa5ac5a217129274f3df610e90dedb13a5dfef82
SHA256 c5a03d253201eaad5738d91cd7a6d239348a2e54a8edb19c50c110466ebdb736
SHA512 a76a3b01d94964df9b48f254e0c8bdda5bef5291431f06fdf3c7c897c04c8ceeb8dbafa61d01dda153712247133104c870ef234f603e0c9a8e8c480c0692ef7a

C:\Users\Admin\AppData\Local\Temp\vbcD6E8B9FDFBB940D1BEF9BFAA1CB4DF32.TMP

MD5 e3ab9b497329f477b1d8bedaa815ec55
SHA1 5507ad2d252d0a773861c24882f7a40cd99350d5
SHA256 6c6717347f8251193c5b78ab8d4a0a9ab470ed65f3e65a2873fe08959383bb32
SHA512 d1681ba8937717541e3a5e7f2a58dc869e4e15f67ec35f9af22c97d017f851f731b6fafd0bb4e723fd07551e9764c2fcc7e21982a1f1ff7ce1fbb3207603a276

C:\Users\Admin\AppData\Local\Temp\RESCB20.tmp

MD5 11f77c0e0a6aa42f0bcf36ab12c126c7
SHA1 f11f8c2f76bd6e9cdff275a3bda985d04945867a
SHA256 6bcf61407f5dd32f2d4a7f9bf973225712ded85876593107c57ff4c7896674ae
SHA512 b6a750cd52f7d51a82e905f0fc0d83c7d5ea53a2a18e56f18a1102d1c8e47d227a7c7f4c99cdd7c36cd340aa85af2de547bc20278b281a9cdbafb54386e83953

C:\Users\Admin\AppData\Local\Temp\ckxfyqd5.cmdline

MD5 e799390a9b96e23771b64f93f59bdeff
SHA1 4de11783036af0fa6a8f032788da4778fc371e00
SHA256 fd3fbee274db7302abf86c96b34f2c89bbd5b5c76f809ed8dbf228986fc39355
SHA512 845cf6899f2a288d36542fc17b980bfebf9baba83a197ad3404b776bc3d2c2e0c7c3365fd7aac70f31ca254e6fca8b986f7e6afc96024791c375fa219576d657

C:\Users\Admin\AppData\Local\Temp\ckxfyqd5.0.vb

MD5 98c697d0135e14aac926c0701a8b72e7
SHA1 bd49384492450141bd14dd525dadaea8b83f9d81
SHA256 369bf94866b4cf4a4c47182d19b4bd94d47dd4282b761faee0c68e7523432697
SHA512 79a5631b25737b5debcda7a1d0b21a26e927457a65431c93dd372fdd90c745d2df6744e9451b0880767f6b635a47d62b606c7dc1127391a8dedd86411bd09fdd

C:\Users\Admin\AppData\Local\Temp\vbcBB3CBC2B7BA9471AA429C5E376C4B5A7.TMP

MD5 ee633ce28424d18ab62d4010d5b7aa82
SHA1 677ff6edd3591c4d9b65171cfa381333caa8d546
SHA256 8b124412e72ce9b96ff8c55b65ac532cf3492f30743240de3cbc4c3217720f10
SHA512 46fefc85a49bae5176838b9b1001db58f4057ea6d1ada8a4c937aa34d7b395c5cbad78e7cace4d6b2d4d546e484aea694f09da520bacc4dc71e3f826d4bc2d9f

C:\Users\Admin\AppData\Local\Temp\RESCBCC.tmp

MD5 ec08191d59afdc3400481d25e3065ca1
SHA1 431d79913d7257e2f056f961fb338773618ded23
SHA256 22e7d9edf141d7ba5ce5c34342f7d3d33bccd3ff8207dfdabe0174a5b9801db6
SHA512 5133f9ef4951dc474dc226ca49d24a34065e46fb47884686ed11018f5ad207aea80adc93f99e13e450f97baa10349bde5ef1dd687336241e6c642016198a0762

C:\Users\Admin\AppData\Local\Temp\-sjvnlua.cmdline

MD5 918d4a52718b564d255fc045573dc296
SHA1 707a39cbc44e813dfefaa46c0a9d3b286863cb97
SHA256 7e309469fc0cf844a53f93fc2de04798692f4f6049b9cb61e88ed0ef6da11061
SHA512 206d2c88f96e055f4bb68e3d64d9ac2fd6032a32e893c83d06d74393648832f762ecb1de7933b511176814f0a261270acb4ad258b22a282a269931c46ce50ea7

C:\Users\Admin\AppData\Local\Temp\-sjvnlua.0.vb

MD5 f9d79311b4cca4c591aa8cfec028a6a9
SHA1 2c4d63d2b94e8e33b0349bde75889478d8d972de
SHA256 78f7a23fa14b298de205e44ba5fdea765cf33a4f72cd63662c0ae2b077154996
SHA512 25c75f86e2dfb2c863833b898741e8c903e763cbf13d40695d0a92c4845f480dcfba42cf1fd22da60f337a507ce71031bbb536f2be6ae1b77af974d3513f226b

C:\Users\Admin\AppData\Local\Temp\vbc1F035B83288E4D3FB4E0C09C2E6092A.TMP

MD5 60091d6d3610e52a0e67d2688352c36d
SHA1 268dae47b36857e990ec61de1cae3b8cfeac3d08
SHA256 bb4eb21cdc430e3ff988d2ea0c5e1fe0bc0667e4c1339fc65ab032234294d7a9
SHA512 c09b48aceac7b3bcebd3814d933cb6dbb89ef2fa73b1813d86d380d670a823df9e085050af990823c468e3b0349f40cba89a1964a12c6844816926caa458ec1e

C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp

MD5 e7091877c53c1f74da2ae5fecfc37f4b
SHA1 8c5de952efa263739d42d5838bba5e85cc072aba
SHA256 3c901c35bdcd9cec7a2e913c14464b57ecab6ed9ae51a7dd81a16aaa88e3476c
SHA512 71368f9f25ac17bdaf36a1f0341dbb508206a690f492ce5e103f7f1c157b1817dfe2457967c3b108ad3acff7e77d5b2164ef0d58fa74a92e14e288730567cfe9

C:\Users\Admin\AppData\Local\Temp\scztj-kj.cmdline

MD5 c0d4cc4ba50e61cecfc43976630edb62
SHA1 99256f3d23d9af14c462034ba38ad2e5bc2667e7
SHA256 6ada058a6c42b4e6ae45266d7b3a3bf5999d5c85409d28b7247f7021c21dc123
SHA512 111f99224312debbb537efcce94b9608969e814ebd183e57ba999bfc1820512da85afe8dc12143d6c03250393c92a1291cab17c441235a4a6786697115993b72

C:\Users\Admin\AppData\Local\Temp\scztj-kj.0.vb

MD5 b6f9730115de46756b567e8f913595dc
SHA1 cb8bdd820b9d9405b2a97af9219e08c85e375336
SHA256 099e93435c884d79a8c6e2f8ca3fa227c8870e93be10839fea687ea24bc3ef48
SHA512 aceb5f099294258276e49061cbda8098eab9ee2927318f27d07d35f7c8ea93c3056aa7a3e25faf28a810f20ed4fbf3137e1650086a45197891babb7cb0111732

C:\Users\Admin\AppData\Local\Temp\vbc64AD0A1E35564572BB722E4BC28DCA46.TMP

MD5 6109c8e816e691aa16df011af1b222e9
SHA1 3beafadd64c8b77c1bc10827d29ebdc784a55c73
SHA256 be380a83d0ebd463c21ca65a360ae9acf14bfa15e32d649e005c2cd3617c8acd
SHA512 a47ded32c0cef7910318f746221c3fc1facb23cd9232be30aacd83909a63c494133aff7c3147b87b5cb6207b92a8f0151e68e84359fd51101a9be888401d4031

C:\Users\Admin\AppData\Local\Temp\RESCD52.tmp

MD5 330e59ea0f57416d07436fae4720ec21
SHA1 2af357dbf65d6e66712249d26755591e79d89dfa
SHA256 2565524ea81380047e32f18620888a66bf546ffc26dbc7e08369f23870e1aea2
SHA512 7bedba0fd403844a6237d578946925c3231f1a0e7b2c11613515b7c4ec7fa1327b35449710306d0f9a9785d4697278e4afdf381709f150a62e638d9a8061720c

C:\Users\Admin\AppData\Local\Temp\x034ge93.cmdline

MD5 0fd320010ec890958eb3b87c8daf0f8d
SHA1 f50c755e794427b0ceeec58eb1553dbc4d7283a9
SHA256 b03a43c7d56afeda6a8970dc3700a24643ee3ee0693da83ab67548b480a0d585
SHA512 06d881582ddaae9715b04b010692ab06cc0bbca8ac627e1180833c3b32375a6998d2b269285c3a608c84c0b98558ea0410ca373129b390ff969fea48d96b91e8

C:\Users\Admin\AppData\Local\Temp\x034ge93.0.vb

MD5 4776ddddec9bdbb929820fbaba208684
SHA1 cf10e4fbb3ce05c0b49f11a4d8167c5332809746
SHA256 3567c9e1bafcbf4f5bfb4913960fb5f6ca3b8c037cbf46053a2e1d9298de570b
SHA512 9a07faedfb1fe8c55f18bcf596d897d1ccad3ac173d5d24cc042722e684f21180511493fa21e76ecbb829d5cff5d4ad11a2c561534b26ce5f7a82d81b7598c67

C:\Users\Admin\AppData\Local\Temp\vbcEB43D82FA07948BC85BAE53E265E6E8.TMP

MD5 4ddc4c57fd1d38500f1e1e36d1c80dae
SHA1 037db607366a9f52bc9b60a6203bc4fc15b44419
SHA256 2d69af28605b08d20d9b191b2849bc88cae1f6a7956b2b24f7c7b3721fbcb24e
SHA512 5d7e027c821429d0296126d12e9c6ad94c205b84940a12d9ff78f3b1a3d9a58a57342a427078ed6e9d3d8218cbd6665c84651e3d0a89cdce1f7123bbd4c23fe0

C:\Users\Admin\AppData\Local\Temp\RESCDB0.tmp

MD5 4edfca9411c2ab392720e2235fa7357a
SHA1 a6831ac76229c64ad93894a6a4457b519715b863
SHA256 9b9788840c7e2229562b56f06b9fd3518e226e209576f5e4a4d65504260f0d74
SHA512 82d75c940d7f467a3cbb0d86df348511514ce2fe230403a2fee20460de6b1044faa2268c774d501c1b358655a0199f9af03c71169153a1dc760d2eb1613bae9a

C:\Users\Admin\AppData\Local\Temp\jr7_rn-3.cmdline

MD5 f5fa64569512299163c5dd5acf6f6d40
SHA1 d1d6733a090c41ceeabbaeb0d7f914b6d584165d
SHA256 9841144c1e9c4ad5fbb5213214600ddcf4e5588f663f6636ad3b26b8d5981c5a
SHA512 4e5b5ac165a49e6fa30d4fe57b94fd3c61fe6cbb11879d2e6e91f61503ca5cbd9377f90de6dd21d4e41ebc29ac7f8c54a75f24e3ac5f54b959a94bae1fac8c01

C:\Users\Admin\AppData\Local\Temp\jr7_rn-3.0.vb

MD5 07b10a393c633ddfe03650829ac72adf
SHA1 a91f5b666447054f750df3f10ca2f840a72243a2
SHA256 064ddb8b8da7931744430a9dbb24375788074db63fe9f0e74ac75c1afe274e00
SHA512 38880d1ad5442fa1fb55038c76f035031fe01f229eece65583774ce90c9f08fc34e5aa82f68d8cc587500f917d52e9eb47b29b989872359a803e0542f2f4dccc

C:\Users\Admin\AppData\Local\Temp\vbc5D90BDD2162843869EF2EC27C17F1CB7.TMP

MD5 f4b8ccb9a2218a7426563bf602dbb3ce
SHA1 047e64c89bf897f2b908803c01e5767f0b3538da
SHA256 e78fa61a7dad18e3575466e634e76a8760f6e987c632b72140ada947fe7dfca9
SHA512 c057d11aa5821f0bf64a1c87ec3d48be4f0f3263b6d9d1b832a73d2e99372cef2457e0fff47696ce72e31f0969152c56132ab857371648d588c7e0f1ee9b4ce1

C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp

MD5 93f83dff60ab23024e92753509780c66
SHA1 fd432abcc0d443c64dfbd8d945c72fd77146b1f7
SHA256 e2b24c04c14f094f1e650144671758dc630c198485ee519057156eec9a2d3546
SHA512 3dec72b8ba6ab4d9b893aeda48ed8c0592f35a665186154b5edfe1b68ac7b0e7f7f05311d7d609b4fc370ff6d5d984d6a9236613827ec81ce2ca252d08aa49ce

C:\Users\Admin\AppData\Local\Temp\-wcwa1ct.cmdline

MD5 f7fa858facf4f84e4b788c68af734414
SHA1 db6615c23a1583a76d89cc2ce35b3121e4b901e3
SHA256 3d6352169e0ea265baef800d6e38cd8e2b7c84ff276f72b94118457d002935d7
SHA512 3774d10dfdb7c271aa4dea65f02a98182d22127ec2a48b300da2d4e55668d27924eab08afdf0350f8dffdba5f842e4bfcba0fce519d4311c5d84e77d343e2c7e

C:\Users\Admin\AppData\Local\Temp\-wcwa1ct.0.vb

MD5 75088557db6e2a028811c00adbf5b987
SHA1 3804c2dce38b94228464e3d2fba2ea1e43298965
SHA256 28b93c7c4a19e5c158e45e40b5431129f7ba2a5b25e7991e01b1eb4b8077029a
SHA512 1e273bbe0252674e0658acf8d1aca6f359903dd607066f8053acfa60a573b07a8714cd6fc01b98c21422dad62c7c7a7177e45b9d019c7234724b29ab273122ed

C:\Users\Admin\AppData\Local\Temp\vbc1E6E0CF5DF85437784641620864A13B.TMP

MD5 2214c876093e68709179d742d5af1e95
SHA1 e67426c777b682b436c6addcd42fbee760f75ad7
SHA256 48cb47e939238a904a4eea243c4c0fd3ae383139513e418db024f23fd96ddffe
SHA512 08783085b534e1e107c4e9dfdc7698818989d36093efff3c9111691d8bc8f3927d0a652d2cc2ffb07f94f5681c67191340a3ae686a0581e36ad05b202bd2cf54

C:\Users\Admin\AppData\Local\Temp\RESCE7B.tmp

MD5 b08eee47d5c37c62fe1e9417a5496a6f
SHA1 5b0ca036d45b8bcf4ac9011722f758b668c6e97d
SHA256 13188157e218b1154afde793ba6ccd1d89d3d23c4bb5f881f3abb19d5b6e4001
SHA512 ef05dee58aac6cd24c4267ead1578f7421862c82989c4b4301ecd592ebcb8899c6009aba55d40e7d7501b9f3fd96c8d23f08e5b264ae1561c3219549364f3ad6

C:\Users\Admin\AppData\Local\Temp\zelprae6.cmdline

MD5 0669380f3a062b42d07b8ced9180c15c
SHA1 64fcd0324968b812128834c8be93a7a7b0c1c248
SHA256 a10f9b3025ebf4be06fb0ead65102c315f97989e87012890a8d9010260be3d9e
SHA512 87a8da55294a9e37aaa571310c01d7389c4c3a2e2091c3fd3eb547b015b901481c874a9a802d842967c1cbac1b28497a8ca70df6c6a0815ec03b4668588d2243

C:\Users\Admin\AppData\Local\Temp\zelprae6.0.vb

MD5 5cc2df1b0de07a19c23de684597c5f07
SHA1 c868685bd6e87187e4a7d096a854de06e26c9ab1
SHA256 ec443d6c9ce9bfd961362da89d118060a10d309a3dd21b944805affe3fbe10cd
SHA512 3d541d6c7b9f470b34a61b6245277ce96d80f3cecaae7bab57980677ac7675abb9658f410bd6a1994f6cdbfa827b0209c83a11d1397298ba7238f002fe3c9828

C:\Users\Admin\AppData\Local\Temp\vbcAA168AACAF542758D6EEB1CE7E33D4C.TMP

MD5 a95dc928661731a2886629b581abb171
SHA1 e681c1074892cbf7a07f9234a129a1afb6e26efa
SHA256 74ff7a7faf9652ac7ec7d5593154064a2ea692e9e2c8793f9f0cc8e7e73f31f6
SHA512 dc1cfa1b7a745f0190f7b6ad45ca72f21c6582a34429663f02459dadae476ecce720b1bf3fc62a3b1410b77a1de34ddcafb520f507fffa94b81864f599feb004

C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp

MD5 ef123ba63e30670b2c49a30ec1ecb048
SHA1 69ce2d1a378f087d2d99830143d73f327876e9b8
SHA256 e52cd395c8041218ff6ec03bd797ecc6d59a39dade80af3a1c645c9a4dbc2dc5
SHA512 4d6d95c422869b3816b259f4b0509c1da176765abc30c32e402b6e6d5e2326c24c61bd77c46638e8fd40688e38881162b89681b9b0721eee97881c2f2eee6518

C:\Users\Admin\AppData\Local\Temp\g26toir4.cmdline

MD5 c241be41fa44155a1ec8add6956a73e2
SHA1 f6f33e10dd7c299fd5267b732378778fa3965e45
SHA256 81ef493d821fa18dcea7ea10d3310b6ec32a3d9a35f7906a5d9e826bd4e2b9d5
SHA512 7e1ea70896b90fb1e608a0b13508eed84083867296cbe7a7de2440d67126398904ee8d72e22be4f7346e2706e4a59a6bc49e9258d50629d2bc8ddb128187e738

C:\Users\Admin\AppData\Local\Temp\g26toir4.0.vb

MD5 a03f23d29973b0c1ad52e9c77c713e98
SHA1 0c425f07f98a55674c1efad5ac33e0af65255f35
SHA256 ee182384e0363b2f14b3d7530c943d350f9923fb3f7381fc29b90ec513f9498d
SHA512 36673b6c81f8f3fac8fa46ab418df69304a2caed5cf4bc860fe36cb19a00ade06562121b6aadff9395681da497a82a433b9a821041e81b152fa0f3e0facae491

C:\Users\Admin\AppData\Local\Temp\vbc5421A20A7DF54F85883772E309E22.TMP

MD5 ad7e0c7168ed15f96d343a38454d080a
SHA1 8fac85701ad6b2bbe60ccc5ea0a839d911d26f14
SHA256 6232a3d19aefb51a81502ada1177f6a6c4f26a909ad5aab3d86de51985f01cca
SHA512 4284ddf89e11affef3a8f00792a8b71a13f1684113e61cac7c309ba7e86c655d3fe45ff10d42abf0ad002876fef5617f00dd8f6a012b38b9df8c7d1d55ab7fd9

C:\Users\Admin\AppData\Local\Temp\RESCF46.tmp

MD5 f79b6f578b2959be03ab683203d56ae4
SHA1 4179add616d75b35ac5435d791a726ad6a4612cc
SHA256 2ccf3be7c29cf8c7c6e7ad62596bd1911c764aaeb9e126b7c59d539a90531c46
SHA512 9cc28ae82f272878f54efe7e0d245d6f2700c7d6ac86713265828b7ed6336b0c1f24c5494f47a038be3c48ee771ad07b32a57ac206c0a6f051dd9d4f90b470ba

C:\Users\Admin\AppData\Local\Temp\ktulmwhe.cmdline

MD5 0b10df4e43a199886b7a5dff8972fdc2
SHA1 89bb32a7cc896482463ca8267b87712275fd6755
SHA256 7efff7b6a4b80d8567d13fd178c60f59c9d4d4ab30ba3b1ec3cca530da6adc93
SHA512 b7b4411293566cbef3c2c91d56b5467a09e11edafce4113c9bb8eab8bd4852c0962ef8d6ebcd4c3b57ff136ec4f7a8c9b673dfb89854b42fae17a644874976fa

C:\Users\Admin\AppData\Local\Temp\ktulmwhe.0.vb

MD5 7e552aa475227fe451bbf11a52d9b811
SHA1 933058d53d848d3daf1246ab7185beb9e101c302
SHA256 d23f1a481fd7538ff94e15558af73221d61e6bbc2eec208740c90bcb5fa0eb8e
SHA512 dde6f810ada06beb517e583720afa3edad4ccc740e1ff6a4ac21403e1227487d6a8c4ed2b15dc2bc6eaa5b84a47b03ac6b20b356b0260d55a4ee64fe53aa6026

C:\Users\Admin\AppData\Local\Temp\vbcF00E7DCCFC5641D599B2183C44C84CED.TMP

MD5 548c704c2c8add1705f3e9e277982a99
SHA1 2729f1c3ecb360275a1803097a1799fc0fe71b1d
SHA256 a8c38a9119b97c59c2cde0cb10c171e32b69ea4cc5e27dc366d933a3d00ceca4
SHA512 53cbdb43af99693b8d2fe78441b2fa3f8b6620f3fb569efef81bac2d92e7037427f8ff871606a7cc1bbec85ffa137bd8bdf2081d64cbc793302feb0f9418158a

C:\Users\Admin\AppData\Local\Temp\RESCFB4.tmp

MD5 fc8fae02841567164eedfbf6b9088a70
SHA1 82778b0cffab42e4c20285d1b3653556ffa606ca
SHA256 3fe02bcf3340b81caa0e0568d4a1f7783ac992c6aeb569df8f029ee856c25dfa
SHA512 2f549159a35f2660b4272bcd610eb26ad3e71dd39da307affaf6cfa1c10d5150c4aa52b43beb034c22c7c23b5f476d0fdf12bf93c13f246d2ccf7dc68b659d20

C:\Users\Admin\AppData\Local\Temp\s3c-hbwg.cmdline

MD5 bd534c796d2526862b7f0a98880b7191
SHA1 b18c824435af825387696e4646812c05f3996fd8
SHA256 4ba1b8c0716689c07836b47185fdace42415aa2c516cfb5449c6761340ed4a47
SHA512 d6291ca9e86159e4caf45e8eca2dfbc54b70aa6d70929c535e0431f68eb385435d060015bdb5adcf31791c9f0ac10639368d22838fe2ecd81eb5cad89095b9b3

C:\Users\Admin\AppData\Local\Temp\s3c-hbwg.0.vb

MD5 102f791566f6024af32b6e4eb24614d5
SHA1 03b4cce2ab9c69efd37795f7a0265f898bef605f
SHA256 a3b30928d3848dc1c5ed6fba7dadc767ce3e6ba026460f76171a239defe92b76
SHA512 09c693c5c60d29834ec7bfa0012eee38afdc4ff0f3db41f54bac380e019db13e607c14503d3abec3abb5f73d82737137b05ff0ec316f082fc395b308406d62a7

C:\Users\Admin\AppData\Local\Temp\vbc69E53D2A34854D7DA7B5F3C1BE33FE79.TMP

MD5 29c5a9e999a66e2a2c21bf393981b4d7
SHA1 f34fe08de19e1032819879e91988b1126eae207e
SHA256 17f40a3896dc18d0f928a701152bbd5086963dbbef39b35704730365fea5f4ee
SHA512 1a6ff42cd0e832509b6b1972947df8709009bbb952cc8d347aa2cca17b3ff74564c4e610626eceefebf8bac878663a9b97b428f22738f0c39b3b95ec7059da47

C:\Users\Admin\AppData\Local\Temp\RESD002.tmp

MD5 2f831dca9bf79695c0a498c5338dc3b1
SHA1 af86378b045cdda1b39a8d90505b85446240e76e
SHA256 9ca4f3a4b85cab7f2b418b22e43fabb91d35c56cb57c15464aecd376fa929104
SHA512 a47da80ae8a2dadfe73cfbfe1c8a854f819e47a5613e5bdc084ebaf876ddb2ec1e6f6326176d5ecb8e19db6b678426974ee94fb3a6871cb85b643f33e406990c

C:\Users\Admin\AppData\Local\Temp\iru5k0nq.cmdline

MD5 6972fe3153ed6f5af8c4c4a5c06d8f79
SHA1 0a35a2830ae9c2f7c3be4ec0446e8de2882297b4
SHA256 70650ccb78eb84975711369847654e7694e443947c3f975bc3f80339559f4039
SHA512 2433892b9aa3b276f9b1a04b4301411d4b9f3fa34139b8197985c9cae0a18a806a29a3214e353dc12a2db7f5bde54ec5fa01c322d56d1878cc180f17bba1689e

C:\Users\Admin\AppData\Local\Temp\iru5k0nq.0.vb

MD5 8c5c94ce9523fc00aa8f77ba9970c844
SHA1 fdca7988fb823d599eb00de2be871f7a3f557ba6
SHA256 22ca27df429206fffa3e79ebe49f4af70ffc6400b7957b07f26c0c2f37e28e69
SHA512 e4cd952f68a29a9b3705f413a6c272c871bfc5b6e24c3c96ce1d309975f83aa51885111182fa623d6780715825989d1111e4b7dce777b8dabc94e764f2e1eb7f

C:\Users\Admin\AppData\Local\Temp\vbcEF0A03D22BDF4DB580813EA2A55D41C7.TMP

MD5 6a6db771159557442920c503a43904b6
SHA1 8df46af5cf7d84e8f7817aba14b704a08ee16697
SHA256 19acca242ec156ef6483efae24486c3bc547a7d6add870e825ea30e6e7b140ca
SHA512 748a5e972b1c45246313dc2d9c7aa31f4434dee74946e41a6a1e90dccef7f38eb26d6e185cb772480e7bc24b4d896132966c602931e0d9dc7b4ad5a4b8628ec6

memory/4724-241-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

memory/4724-295-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

C:\Users\Admin\AppData\Roaming\indexworm.exe

MD5 72292b69bc9a8b6191cd4f83db9b8598
SHA1 944c73806a03a3eeaabab1ece053710ee613e1f9
SHA256 5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897
SHA512 ee1365626a806687cda20a8654e151fe92b4a78512ea97941aa9875ad8775c47ee6631c828739d6c72be7bf5fe547332084488ef964feeb45dec6507f5e67ccf

memory/4724-303-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc58129BFEE4B549A4BE356716AF1C2792.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\vbc8B38C610BC6847759A25B82EE8849D7.TMP

MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

C:\Users\Admin\AppData\Local\Temp\vbcB34EACBFFF1D434AA7282A14DD515A2C.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084