Analysis Overview
SHA256
5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897
Threat Level: Known bad
The file Client.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
Revengerat family
RevengeRAT
Drops startup file
Uses the VBS compiler for execution
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Executes dropped EXE
Modifies system executable filetype association
Checks computer location settings
Adds Run key to start application
Checks installed software on the system
Checks system information in the registry
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Modifies Internet Explorer settings
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 06:46
Signatures
RevengeRat Executable
Revengerat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 06:46
Reported
2024-10-12 06:52
Platform
win10-20240404-en
Max time kernel
299s
Max time network
299s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xdwd.vbs | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xdwd.url | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xdwd.js | C:\Windows\system32\taskmgr.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| N/A | N/A | C:\Recovery.exe | N/A |
| N/A | N/A | C:\xdwd\xdwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Users\\Admin\\AppData\\Roaming\\indexworm.exe" | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
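The two tables above ("Drops startup file" and "Adds Run key to start application") carry the persistence that matters in this report: indexworm.exe and vbc.exe write xdwd.{js,vbs,lnk,url,exe} into the per-user Startup folder, and indexworm.exe registers itself under Run as the value "xwdx". The OneDrive RunOnce values and the taskmgr.exe accesses sit in the same tables and need to be told apart. The following is an added example, not code from the report or from the sandbox vendor: it parses rows in the report's own pipe-delimited format and scores each one. A Startup-folder drop or Run/RunOnce value is "high" when the autostart image lives in a user-writable location or when the writer is a compiler or script host that has no business writing there, and "review" when a system binary merely touches a user-writable path. The location and writer lists are assumptions; the sample rows are copied from the tables above except the last, which is constructed as a benign contrast.

```python
"""Persistence triage over the 'Drops startup file' and 'Adds Run key' rows.

Added example, not part of the sandbox report. Row format is the report's; the
location and writer lists below are analyst assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

STARTUP_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\(?P<file>[^\\]+)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r'\\currentversion\\run(?:once)?\\(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"\s*$', re.IGNORECASE)
# Per-user and world-writable roots: nothing started from here was installed by an admin.
USER_WRITABLE_RE = re.compile(r"\\(appdata|users\\public|programdata)\\", re.IGNORECASE)
AUTOSTART_EXTS = {".exe", ".dll", ".scr", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                  ".lnk", ".url", ".bat", ".cmd", ".ps1", ".hta"}
# Compilers and script hosts that never legitimately write into a Startup folder (assumption).
LOLBIN_WRITERS = {"vbc.exe", "csc.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review"
    technique: str  # "startup-folder" or "run-key"
    artifact: str   # dropped file name, or Run value name
    process: str    # writing process, as reported


def parse_row(line):
    """'| Description | Indicator | Process | Target |' -> (action, indicator, process)."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Description":
        return None
    return cells[0], cells[1], cells[2]


def unescape(value):
    """Undo the report's escaping of quotes and backslashes inside registry data."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def image_of(command):
    """Executable image of a command line, whether or not it is quoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def triage(rows):
    findings = []
    for action, indicator, process in filter(None, map(parse_row, rows)):
        writer = PureWindowsPath(process).name.lower()
        m = STARTUP_RE.search(indicator)
        if m:
            name = m.group("file").lower()
            if (action.lower().startswith(("file created", "file opened for modification"))
                    and PureWindowsPath(name).suffix in AUTOSTART_EXTS):
                bad_writer = USER_WRITABLE_RE.search(process) or writer in LOLBIN_WRITERS
                findings.append(Finding("high" if bad_writer else "review",
                                        "startup-folder", name, process))
            continue
        m = RUN_KEY_RE.search(indicator)
        if m and action.lower().startswith("set value"):
            data = unescape(m.group("data"))
            if USER_WRITABLE_RE.search(image_of(data)):
                severity = "high"      # the autostart image itself is user-writable
            elif USER_WRITABLE_RE.search(data):
                severity = "review"    # a system binary acting on a user-writable path
            else:
                continue
            findings.append(Finding(severity, "run-key", m.group("name").strip(), process))
    return list(dict.fromkeys(findings))   # collapse repeated create/modify of one artifact


# Rows copied from this report's tables; the last row is constructed as a benign contrast.
SAMPLE_ROWS = [
    r'| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |',
    r'| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xdwd.vbs | C:\Windows\system32\taskmgr.exe | N/A |',
    r'| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | N/A |',
    r'| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Users\\Admin\\AppData\\Roaming\\indexworm.exe" | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent = "\"C:\\Program Files\\Example\\agent.exe\" /background" | C:\Windows\system32\msiexec.exe | N/A |',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.severity:6} {f.technique:14} {f.artifact:28} <- {f.process}")
```

Run as-is it lists four "high" findings (xdwd.js, xdwd.exe and xdwd.vbs in the Startup folder, and the "xwdx" Run value) and two "review" findings (Task Manager opening xdwd.vbs, and OneDrive's self-cleaning RunOnce). The constructed msiexec row produces nothing because both the image and the value data sit outside user-writable roots; that gap between "touches a user path" and "starts from a user path" is the whole point of the two severities.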
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\xdwd\xdwd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\xdwd\xdwd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\ = "UpToDateCloudOverlayHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer\ = "OOBERequestHandler.OOBERequestHandler.1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Recovery.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ = "SyncEngineFileInfoProvider Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ = "IGetSpaceUsedCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_CLASSES\ODOPEN\SHELL\OPEN\COMMAND | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ = "IGetSyncStatusCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "IFileSyncClient3" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ = "IFileSyncClient10" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ = "ISyncEngineHoldFile" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\OOBERequestHandler.OOBERequestHandler.1\ = "OOBERequestHandler Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ = "ISyncEngineCOMServer" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\grvopen\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /url:\"%1\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ = "ISetItemPropertiesCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ = "IContextMenuHandler" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID\ = "{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\ = "ErrorOverlayHandler2 Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ = "IGetItemPropertiesCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\odopen\ = "URL: OneDrive Client Protocol" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ = "ISyncEngineCOMServer" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider.1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
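Nearly every row under "Modifies system executable filetype association", "Modifies Internet Explorer settings" and "Modifies registry class" is written by OneDrive.exe, OneDriveSetup.exe or FileSyncConfig.exe, which is the per-user OneDrive client in the sandbox image registering its own COM classes, the " FileSyncEx" context-menu handler and the odopen:/grvopen: URL handlers. Treating those three processes, together with taskmgr.exe (used interactively during the run), as sandbox background rather than sample activity is an analyst assumption; the report itself does not say so. The following is an added example, not code from the report: it counts rows per process, separates background from the sample's lineage, and lists only those lineage writes that land in a key deciding what code the shell or COM will load. The rows are copied from the tables above except the last, which is constructed to show what a COM registration by the sample's own lineage would look like (the CLSID and DLL name in it are made up).

```python
"""Attribute this report's registry rows to sandbox background or to the sample's lineage.

Added example, not part of the report. BACKGROUND and EXEC_CONTROL_RE are analyst
assumptions about this sandbox image and about which keys matter.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

BACKGROUND = {"onedrive.exe", "onedrivesetup.exe", "filesyncconfig.exe", "taskmgr.exe"}
# Registry locations where a write decides what code the shell or COM will load.
EXEC_CONTROL_RE = re.compile(
    r"\\(inprocserver32|localserver32|shell\\open\\command|shellex\\contextmenuhandlers)(?:\\|\s|$)",
    re.IGNORECASE)


def parse_row(line):
    """'| Description | Indicator | Process | Target |' -> (action, indicator, process)."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Description":
        return None
    return cells[0], cells[1], cells[2]


def attribute(rows):
    """Rows per process split into background vs lineage, plus lineage writes into
    code-loading keys (COM hijack candidates)."""
    per_process = defaultdict(list)
    for action, indicator, process in filter(None, map(parse_row, rows)):
        per_process[process].append((action, indicator))
    background, lineage, candidates = {}, {}, []
    for process, ops in per_process.items():
        if PureWindowsPath(process).name.lower() in BACKGROUND:
            background[process] = len(ops)
            continue
        lineage[process] = len(ops)
        for action, indicator in ops:
            if (action.lower().startswith(("set value", "key created"))
                    and EXEC_CONTROL_RE.search(indicator)):
                candidates.append((process, indicator))
    return {"background": background, "lineage": lineage, "com_hijack_candidates": candidates}


# Rows copied from this report; the last one is constructed (fake CLSID and DLL name).
SAMPLE_ROWS = [
    r'| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |',
    r'| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |',
    r'| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Recovery.exe | N/A |',
    r'| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\grvopen\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /url:\"%1\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{DEADBEEF-0000-4000-8000-000000000000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\indexworm.dll" | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |',
]

if __name__ == "__main__":
    result = attribute(SAMPLE_ROWS)
    for bucket in ("background", "lineage"):
        for process, count in result[bucket].items():
            print(f"{bucket:10} {count:3} rows  {process}")
    for process, indicator in result["com_hijack_candidates"]:
        print(f"candidate  {process} -> {indicator}")
```

On the real tables the lineage bucket is nearly empty: the one row that is not OneDrive's is C:\Recovery.exe creating a BagMRU shell-bag key, which is Explorer window state rather than a code-loading key and therefore not a hijack candidate. The constructed indexworm.exe row is flagged because it is a lineage process writing an InprocServer32 path; that is the shape a genuine COM hijack by this sample would take, and it is absent from the report as published.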
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\xdwd\xdwd.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ctuqnx4s.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C928EB8389420DABB89754E6D868F3.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7fgxxnsj.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3EC2C3E76E14667BCC95BEB9536E682.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uyldj7hq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc982DBB0453514D079E3D20C227F9C0DB.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svnaose3.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE8C5EE6C41A4DF38416A3DBCF1E2.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xrau3evk.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53D98EA67EA44ADBBBB45C57F22E6E64.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p-gp2i43.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB74F39EA39294B5AA7DAD96E631ED0DF.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ghnmhwci.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc65369D76EFF04917A8B6C1DA3337411.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbcqk-rw.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD68FEB616831466595DE657882BD1ABE.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dg-rob3v.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBBC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA85ECCB42AFC483D92805FBAEAD51472.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vuvfwj7k.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAAFEC1073664A09919E38DDF3CCF50.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_boipoq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFED407644BDF4A18B084C1ECBCEFD6F.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\incndkav.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc23478D4BCEC746B8A23EF95CB53BA4E8.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\imuyujqp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDAABE233978440CB032979FEB7ED1A.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\74u_rd3u.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF6445FE88DB48A0BCD97A54913444D0.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_cupljv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD81.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5324A41283D049EE8FE38959C5F4C4.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\14s6mmqz.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D677D23D6AD4028BF46CCFEEC398AD.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g7ya92q7.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A325A5D51074E1B84DA74E0E2D2E762.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wukviwxu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5C9442616F740D9831C33DBC13832E6.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a3pwktv-.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACCE8E4E892346BD9A3EFF8C57D59AA.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\agymx-tz.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc625D6CF9D63465CB9BE502BD32D3D91.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7g9w3sah.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD021.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBBD49DCD885468DAAA428161A41EFE.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bqt-etuu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD06F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3276D314DC449079BB5EF0A5135B4.TMP"
C:\Users\Admin\AppData\Roaming\indexworm.exe
"C:\Users\Admin\AppData\Roaming\indexworm.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
C:\Recovery.exe
"C:\Recovery.exe"
C:\xdwd\xdwd.exe
"C:\xdwd\xdwd.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bdulhlup.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB60C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C9F0D0B9778486CB840D71DDD918376.TMP"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Users\Admin\AppData\Roaming\indexworm.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_hv0eh_5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB699.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc981E6D677C844D8199EC20438F25805E.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdvays4o.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB716.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED3B3A5B45C5482CBA60BEA4742795B3.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hdvwoz2c.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AEC7C491AAC430CB980B445486347A6.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ble7mrss.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB84F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EFE2D4CB7D410B9F7DBDEE4AB5F985.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4pnvsski.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56D106AC152B40C487CB9A39F3A5F92.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zdlnlutw.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5C3BB5CF29542A782315D563CE85314.TMP"
C:\Users\Admin\AppData\Roaming\indexworm.exe
"C:\Users\Admin\AppData\Roaming\indexworm.exe"
C:\Users\Admin\AppData\Roaming\indexworm.exe
C:\Users\Admin\AppData\Roaming\indexworm.exe
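Two behaviours in the process list above are worth turning into detection logic: the schtasks command that re-runs indexworm.exe from %APPDATA% every minute, and the repeated vbc.exe / cvtres.exe pairs, which is the footprint of a .NET program compiling source at runtime through a response file in %TEMP% (the ".cmdline" and ".0.vb" files in the Files section are that compilation's input). The script below is an added example, not part of the sandbox report; it replays a few process-creation records copied from the list and flags both patterns. The (parent, image, command_line) record shape is an assumption standing in for Sysmon Event ID 1 or EDR telemetry, and the parent images are assumed because the report lists processes flat. A benign control (a developer build from a project directory) is included so the rules can be seen not firing.

```python
# Added example: replay process-creation records and flag scheduled-task
# persistence and runtime compilation. Parents are assumed (see lead-in).
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str        # image path of the parent process (assumed)
    image: str         # image path of the created process
    command_line: str  # command line as captured


VBC = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed sample events taken from the report's process list, plus one
# benign control: a developer IDE compiling a project from C:\src (hypothetical).
SAMPLE_EVENTS = [
    ProcEvent(TEMP + r"\Client.exe", VBC,
              f'"{VBC}" /noconfig @"{TEMP}\\ctuqnx4s.cmdline"'),
    ProcEvent(VBC, CVTRES,
              f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESC7D4.tmp" '
              f'"{TEMP}\\vbc1C928EB8389420DABB89754E6D868F3.TMP"'),
    ProcEvent(r"C:\Users\Admin\AppData\Roaming\indexworm.exe",
              r"C:\Windows\SYSTEM32\schtasks.exe",
              r'schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Users\Admin\AppData\Roaming\indexworm.exe"'),
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", VBC,
              f'"{VBC}" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'),
]

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}


def win_split(cmdline):
    """Split a Windows command line: whitespace-separated, double quotes group,
    and backslashes are never escapes (shlex.split would eat path separators)."""
    return [t.replace('"', "") for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def switch_value(args, name):
    """Value following a case-insensitive schtasks switch such as /sc, or None."""
    low = [a.lower() for a in args]
    if name in low and low.index(name) + 1 < len(args):
        return args[low.index(name) + 1]
    return None


def detect_task_persistence(ev, max_minutes=5):
    """Task created with a short MINUTE schedule or an action under AppData."""
    if basename(ev.image) != "schtasks.exe":
        return None
    args = win_split(ev.command_line)
    if "/create" not in [a.lower() for a in args]:
        return None
    sched = (switch_value(args, "/sc") or "").lower()
    modifier = switch_value(args, "/mo") or "1"
    action = switch_value(args, "/tr") or ""
    reasons = []
    if sched == "minute" and modifier.isdigit() and int(modifier) <= max_minutes:
        reasons.append(f"re-runs every {modifier} minute(s)")
    if USER_WRITABLE.match(action):
        reasons.append("action lives in a user-writable directory")
    if not reasons:
        return None
    return f"scheduled task {switch_value(args, '/tn')!r} -> {action}: " + "; ".join(reasons)


def detect_runtime_compilation(ev):
    """vbc/csc fed a %TEMP% response file by a non-developer parent, and the
    cvtres child writing its resource object back into %TEMP%."""
    image, parent = basename(ev.image), basename(ev.parent)
    args = win_split(ev.command_line)
    if image in ("vbc.exe", "csc.exe") and parent not in DEV_PARENTS:
        resp = next((a[1:] for a in args if a.startswith("@")), "")
        if TEMP_DIR.search(resp):
            return f"{parent} compiled code at runtime via {image} ({resp})"
    if image == "cvtres.exe" and parent in ("vbc.exe", "csc.exe"):
        out = next((a[5:] for a in args if a.upper().startswith("/OUT:")), "")
        if TEMP_DIR.search(out):
            return f"resource conversion for a runtime-compiled assembly ({out})"
    return None


def scan(events):
    """Return (image basename, finding) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule in (detect_task_persistence, detect_runtime_compilation):
            hit = rule(ev)
            if hit:
                findings.append((basename(ev.image), hit))
    return findings


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"[{image}] {finding}")
```

The parent allow-list is deliberately short: vbc.exe under a build tool is normal, vbc.exe under a binary living in %TEMP% is not, and the response file sitting in %TEMP% is the stronger signal of the two. On a live host, the same checks can be run against the task itself (Get-ScheduledTask "xdwd" and its Actions) rather than the process event.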
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 92.129.74.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.197.219.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.194.113.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
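The Network table mixes three things: the resolver traffic to 8.8.8.8, a run of reverse (in-addr.arpa) lookups that Windows issues on its own, and the actual command-and-control channel, which is a single TCP endpoint, 193.161.193.99:26540, reached through a portmap.host hostname whose first label ends in the same port number (the naming scheme of the portmap.io port-forwarding service, which lets a RAT operator expose a listener behind NAT). The script below is an added example, not part of the report; it embeds the table rows as constructed input and reduces them to indicators. The list of tunnelling providers beyond portmap.host is an assumption included only for illustration.

```python
# Added example: reduce the sandbox Network table to C2 indicators.
import ipaddress
from collections import Counter

# Constructed input: the rows of the Network table above (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "Pizd11337-26540.portmap.host", "udp"),
    ("DE", "193.161.193.99:26540", "Pizd11337-26540.portmap.host", "tcp"),
    ("US", "8.8.8.8:53", "99.193.161.193.in-addr.arpa", "udp"),
    ("DE", "193.161.193.99:26540", "Pizd11337-26540.portmap.host", "tcp"),
    ("DE", "193.161.193.99:26540", "Pizd11337-26540.portmap.host", "tcp"),
    ("US", "8.8.8.8:53", "92.129.74.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "21.197.219.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "Pizd11337-26540.portmap.host", "udp"),
    ("DE", "193.161.193.99:26540", "Pizd11337-26540.portmap.host", "tcp"),
    ("US", "8.8.8.8:53", "31.243.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "132.194.113.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.160.190.20.in-addr.arpa", "udp"),
    ("DE", "193.161.193.99:26540", "Pizd11337-26540.portmap.host", "tcp"),
    ("DE", "193.161.193.99:26540", "Pizd11337-26540.portmap.host", "tcp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.173.189.20.in-addr.arpa", "udp"),
]

# Assumption for illustration: public tunnelling / port-forwarding services.
# portmap.host is the one seen in this report; the rest are further examples.
TUNNEL_PROVIDERS = ("portmap.host", "portmap.io", "ngrok.io", "ngrok-free.app",
                    "trycloudflare.com", "serveo.net", "localhost.run")


def split_endpoint(dest):
    """'193.161.193.99:26540' -> (IPv4Address, 26540)."""
    ip, _, port = dest.rpartition(":")
    return ipaddress.ip_address(ip), int(port)


def tunnel_provider(domain):
    d = domain.lower()
    return next((p for p in TUNNEL_PROVIDERS if d == p or d.endswith("." + p)), None)


def reverse_lookup_target(domain):
    """'99.193.161.193.in-addr.arpa' -> IPv4Address('193.161.193.99'), else None."""
    d = domain.lower()
    if not d.endswith(".in-addr.arpa"):
        return None
    octets = d[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return None


def port_in_hostname(domain, port):
    """portmap.io names tunnels '<name>-<port>'; true when the first label ends that way."""
    return domain.split(".")[0].endswith(f"-{port}")


def ioc_summary(rows):
    endpoints = Counter()   # (ip, port) -> number of TCP connections
    tunnel_domains = {}     # domain -> provider
    reverse = {}            # IP resolved from an in-addr.arpa query -> query name
    for _country, dest, domain, proto in rows:
        ip, port = split_endpoint(dest)
        if proto == "tcp":
            endpoints[(str(ip), port)] += 1
        if (prov := tunnel_provider(domain)):
            tunnel_domains[domain] = prov
        if (target := reverse_lookup_target(domain)):
            reverse[str(target)] = domain
    c2 = []
    for (ip, port), count in endpoints.most_common():
        names = sorted({d for _, dst, d, p in rows if p == "tcp" and dst == f"{ip}:{port}"})
        c2.append({
            "ip": ip, "port": port, "connections": count, "domains": names,
            "provider": next((tunnel_domains[d] for d in names if d in tunnel_domains), None),
            "port_in_hostname": any(port_in_hostname(d, port) for d in names),
            "reverse_lookup_seen": ip in reverse,   # the host also looked up who owns the C2 IP
        })
    return {"c2": c2, "tunnel_domains": tunnel_domains, "reverse_lookups": reverse}


if __name__ == "__main__":
    for entry in ioc_summary(NETWORK_ROWS)["c2"]:
        print(entry)
```

Correlating the reverse lookups against the TCP endpoints is what separates the one in-addr.arpa query that matters (99.193.161.193, i.e. the C2 address) from the rest, which are background OS resolver activity with no matching connection. The hostname, the IP:port pair and the provider tag are the pieces to carry into blocking rules; the IP alone is weak, since a port-forwarding service can move the tunnel to a different address at any time.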
Files
memory/2304-0-0x00007FFD1D035000-0x00007FFD1D036000-memory.dmp
memory/2304-2-0x000000001C040000-0x000000001C50E000-memory.dmp
memory/2304-1-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp
memory/2304-3-0x000000001BA40000-0x000000001BAE6000-memory.dmp
memory/2304-4-0x000000001C580000-0x000000001C5E2000-memory.dmp
memory/2304-5-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp
memory/2304-6-0x000000001CEA0000-0x000000001CF3C000-memory.dmp
memory/2304-7-0x00007FFD1D035000-0x00007FFD1D036000-memory.dmp
memory/2304-8-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ctuqnx4s.cmdline
| MD5 | 2aed3fc7ab699cacc32016f8d07cca41 |
| SHA1 | fe792c060c4efdf8fddf98de3f77430e869bcba2 |
| SHA256 | cb6d0c9713757f10e3afeff0b7bb15f73bc844878a71f01ca1612018dc10cd63 |
| SHA512 | e9b3ce44a5ac849bd986d6bce308e6042ac699cc73c2de697fb2a535d0d93f9b6526cd10d24b9e50864364b0a2df06696a8be5a2e2695d29bdd3fd8a6cbc0326 |
C:\Users\Admin\AppData\Local\Temp\ctuqnx4s.0.vb
| MD5 | ed48ecd501fd2ec90b9359de04fc1a18 |
| SHA1 | 9dd35b37dac1f0908fdafbb971157f576cb31c22 |
| SHA256 | 3454a8ec9826e999653b677ee666c64116c8881a13fdaf16dc3e4153fab0dad3 |
| SHA512 | 0006bb695aadfe28b3f6005772d9d53700c01392abdb9f3eaf4a8c7a48af7efa7bdc47a8a569e609070476e7f8fe1afc2701c529edaa8d03ecf7343e843b0772 |
memory/1532-17-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp
C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | c350868e60d3f85eb01b228b7e380daa |
| SHA1 | 6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e |
| SHA256 | 88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7 |
| SHA512 | 47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85 |
C:\Users\Admin\AppData\Local\Temp\vbc1C928EB8389420DABB89754E6D868F3.TMP
| MD5 | 53aadde7d4dde82227b316b57a5a7209 |
| SHA1 | 28076dd0bdf1724ec1293a7dc54f95fac210d974 |
| SHA256 | 1c469b6462e5e53adfc7d23eb770264179ab167ce9dcb2814c51bb8730b6eb97 |
| SHA512 | 95dd34a020812d7f888d66ff23e11327cbcc0d2217c02297b10373a5819763f2e00ef0dd2be2fea346303181ca8e19425e7d956f9ef18e9a41d89a1f3f2bf3f1 |
C:\Users\Admin\AppData\Local\Temp\RESC7D4.tmp
| MD5 | 38876ef7f22cfd9af4972809e759e358 |
| SHA1 | b69cca140f8a3097d3e7000de03c18a8546c8808 |
| SHA256 | e83baa291a2ea38c59e840a171c3956d2001f84b662d6d8abe96c8ce028b1135 |
| SHA512 | b186a56f90a0c5db5005037075744f457af06c09cfc524641236ec972d887b1c5baca29f6b3445501aef6a6ec0da2a8b3526f815eb7e4c1ae7f31f702dbb149b |
memory/1532-26-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7fgxxnsj.cmdline
| MD5 | 58bfb7200c0c8616b57cc8aae3a028ef |
| SHA1 | c83b8bf944de030c4dd665d371e3b5584b177e52 |
| SHA256 | 91f3ff5d3b28c2f8a9bfddb0e16dd5833cbf1776d6c9183ba0a479f136df0fe7 |
| SHA512 | c32101342976cecf84721d5a892f25b05a673b901f0dadb6cef4baf41fd240478cf876ed9cc43a4bb9b61af17f99365a7b48acceb8e79aa92f5f260b8a6fa0d9 |
C:\Users\Admin\AppData\Local\Temp\7fgxxnsj.0.vb
| MD5 | 2824033d9d2f8ee59347116377cf6d9b |
| SHA1 | fa5ac5a217129274f3df610e90dedb13a5dfef82 |
| SHA256 | c5a03d253201eaad5738d91cd7a6d239348a2e54a8edb19c50c110466ebdb736 |
| SHA512 | a76a3b01d94964df9b48f254e0c8bdda5bef5291431f06fdf3c7c897c04c8ceeb8dbafa61d01dda153712247133104c870ef234f603e0c9a8e8c480c0692ef7a |
C:\ProgramData\xdwd\vcredist2010_x64.log.ico
| MD5 | d5997b8f3f9665fe1cd7defb29cff584 |
| SHA1 | 7b281c8982b042d77e7a53ce282eab7f8417adc7 |
| SHA256 | ba40f96904ef649d30f9477d2e1b770b312832ba81e6345946645c15dd4ceabc |
| SHA512 | 88f66652b43ccdb551c9e876eab1e7f0bdbf2b8c19bb9b871402e94d1e826424b917495dd3b79c228724f49d1495cd3cea49fafb7a14f23e5e1eb6a29b68871c |
C:\Users\Admin\AppData\Local\Temp\vbcC3EC2C3E76E14667BCC95BEB9536E682.TMP
| MD5 | 56c0e1de5d54a9343c889512a081ad5e |
| SHA1 | e038b653980f9f8b9335922b4ef40d444234ef49 |
| SHA256 | 58c3ddf3785bab4658cf688008cd0ca6bac847b14558b4a4b5eee84cca6faee8 |
| SHA512 | a1fd2240584d067d9c657b3e30a108bad2980418c45292670ccf4d47ca89c930ec446ab972a9ceb1a4ad0a7b4408b4dc9c556c2cb681df0ccd6d150c3d767ae1 |
C:\Users\Admin\AppData\Local\Temp\RESC9B8.tmp
| MD5 | c663caace00277cb41b176eee4cf3660 |
| SHA1 | c2ff17ec76955ac3a24f7cba0262d3edfc139113 |
| SHA256 | 5eab3d93973e5d112a345fb031ea24a1a43ee61e0f60639d02ecf91de4a264f2 |
| SHA512 | 1708586ccb996aa6e47a37707fb337ea10e5858f7dd015aa220040809d2c6e006f2b1eefb13ff9286606f732aa3b1b7e4ab94184d49d1a2ea7ce7de38b672bf8 |
C:\Users\Admin\AppData\Local\Temp\uyldj7hq.cmdline
| MD5 | 19fbd27a91f4fcdc19f8554d1722fb7d |
| SHA1 | d581f11604757c98aca2ec803da908a24e6aa400 |
| SHA256 | ddaef066d5b9050eb0bfabd52893781e2b3b371f107dfdeae3a7dffc5ff40c05 |
| SHA512 | 1cef2f7a838912ec0c4a8dfffe60f57c60843a6b6d1dcadbcb675e8648ed425b39d7cfb408f451e2237f9f0b82c9136a7caf164280728f221816eef3398e8bc8 |
C:\Users\Admin\AppData\Local\Temp\uyldj7hq.0.vb
| MD5 | 98c697d0135e14aac926c0701a8b72e7 |
| SHA1 | bd49384492450141bd14dd525dadaea8b83f9d81 |
| SHA256 | 369bf94866b4cf4a4c47182d19b4bd94d47dd4282b761faee0c68e7523432697 |
| SHA512 | 79a5631b25737b5debcda7a1d0b21a26e927457a65431c93dd372fdd90c745d2df6744e9451b0880767f6b635a47d62b606c7dc1127391a8dedd86411bd09fdd |
C:\Users\Admin\AppData\Local\Temp\vbc982DBB0453514D079E3D20C227F9C0DB.TMP
| MD5 | ee633ce28424d18ab62d4010d5b7aa82 |
| SHA1 | 677ff6edd3591c4d9b65171cfa381333caa8d546 |
| SHA256 | 8b124412e72ce9b96ff8c55b65ac532cf3492f30743240de3cbc4c3217720f10 |
| SHA512 | 46fefc85a49bae5176838b9b1001db58f4057ea6d1ada8a4c937aa34d7b395c5cbad78e7cace4d6b2d4d546e484aea694f09da520bacc4dc71e3f826d4bc2d9f |
C:\Users\Admin\AppData\Local\Temp\RESCA07.tmp
| MD5 | c7385b75fea326ea434fc23bf5adc2a3 |
| SHA1 | e5a47880b17660385cd9ba9a899047e26ce53dd7 |
| SHA256 | 66d5a97a8daf59a159143e157bb73a42435b575110b76421c3995ba0e7686a17 |
| SHA512 | 3963a09f14bf63f46da725756d4a8ae5888416207937a8dd47517999f9a338f5bac48fdaa6e595e0b0aac34c9e567bab217093fc58d53aa4950683305eb481fe |
C:\Users\Admin\AppData\Local\Temp\svnaose3.cmdline
| MD5 | 4ac87dab8467a322363ff1795e8c24be |
| SHA1 | 05f8f07e6164a83b27b3159e1a33e47181451709 |
| SHA256 | c83a87bbd3cd40d6422381ade33dd7636648456cdf5dc9b8f8885a6df4a598ae |
| SHA512 | b00bb389922d974394542fce553e6675ef1aac27ca11fac2f316b7eba3cc1ba4ae5b48819478050800b0a8a81df356bc7ce7abfca74a1c953f441b25c0bfd017 |
C:\Users\Admin\AppData\Local\Temp\svnaose3.0.vb
| MD5 | f9d79311b4cca4c591aa8cfec028a6a9 |
| SHA1 | 2c4d63d2b94e8e33b0349bde75889478d8d972de |
| SHA256 | 78f7a23fa14b298de205e44ba5fdea765cf33a4f72cd63662c0ae2b077154996 |
| SHA512 | 25c75f86e2dfb2c863833b898741e8c903e763cbf13d40695d0a92c4845f480dcfba42cf1fd22da60f337a507ce71031bbb536f2be6ae1b77af974d3513f226b |
C:\Users\Admin\AppData\Local\Temp\vbcCE8C5EE6C41A4DF38416A3DBCF1E2.TMP
| MD5 | f08c3ceeb9f75b488c227a88321d14cf |
| SHA1 | 04304443dddf2eab88e2f8bd2d6f1e15cc145ebe |
| SHA256 | ec0228fc119c787c57a4411f4ce65a5ade7af3d228fe8e7b1e3c248fdbd0abfc |
| SHA512 | 93d836a8014c2e9cf234194cfbb67b797b8b69257afaefc782c8077785f915b305187152845a0594e1e12cb7574dff6470dcb626476128528ca77cf2ff12d470 |
C:\Users\Admin\AppData\Local\Temp\RESCA45.tmp
| MD5 | f8077f624ebbb78d58749abd339502d2 |
| SHA1 | 78255c182d27ef6bac54a920e93deae3feb85973 |
| SHA256 | e5ac1918419a4669022c62ac94e535c187945da8af7d94d6db5c68eeb5299997 |
| SHA512 | 373c4ae767c7dd37a9c6dbf3ac28d163c3bde05ad5ecfe2cdaf390892514a31e3f37f4b645bc415cc4b46be636170449aa73ad5b0a87fd6c4e29ba07973f42aa |
C:\Users\Admin\AppData\Local\Temp\xrau3evk.cmdline
| MD5 | 8d240f3a4da01d1a09db44c0e4f8da1e |
| SHA1 | f6569aa5f59239dab5f58e414c8ebadf1aafc9d8 |
| SHA256 | 6075e10cc1fbe291ab31fa2556b20978b038e43dbae0ff1057f00ca847623c85 |
| SHA512 | dac8872746fb2747541ead4b3450bffa43a4436c0aba7fc336e9b87d6a0b4b586ec2d4d1b4ea311b5569c57769df53831aec5b74db2b60dca61c53114c14d7ad |
C:\Users\Admin\AppData\Local\Temp\xrau3evk.0.vb
| MD5 | b6f9730115de46756b567e8f913595dc |
| SHA1 | cb8bdd820b9d9405b2a97af9219e08c85e375336 |
| SHA256 | 099e93435c884d79a8c6e2f8ca3fa227c8870e93be10839fea687ea24bc3ef48 |
| SHA512 | aceb5f099294258276e49061cbda8098eab9ee2927318f27d07d35f7c8ea93c3056aa7a3e25faf28a810f20ed4fbf3137e1650086a45197891babb7cb0111732 |
C:\Users\Admin\AppData\Local\Temp\vbc53D98EA67EA44ADBBBB45C57F22E6E64.TMP
| MD5 | 6109c8e816e691aa16df011af1b222e9 |
| SHA1 | 3beafadd64c8b77c1bc10827d29ebdc784a55c73 |
| SHA256 | be380a83d0ebd463c21ca65a360ae9acf14bfa15e32d649e005c2cd3617c8acd |
| SHA512 | a47ded32c0cef7910318f746221c3fc1facb23cd9232be30aacd83909a63c494133aff7c3147b87b5cb6207b92a8f0151e68e84359fd51101a9be888401d4031 |
C:\Users\Admin\AppData\Local\Temp\RESCAA3.tmp
| MD5 | a7182de80540a46666bf7e6e2501a168 |
| SHA1 | 61d3e66475d4ed7f6051e21f475abd08918f973b |
| SHA256 | 4d3e6b805296e15ad788059e4504ebe1b721e79a6c449b8aab01cf818e546ef4 |
| SHA512 | a3e3c07e0bc8edf4195dab5e14b82de8fe71b1776857e2cbe400132b6f7ea9c583e516437a31fa65215dfd2bc2e2e04a82baec116ed98d9d7305621ddb49b247 |
C:\Users\Admin\AppData\Local\Temp\p-gp2i43.cmdline
| MD5 | 0f9961a1325a1c9b9624a327e86caf61 |
| SHA1 | 369269638afffe3c572dcfec6df19e8ed2e528ec |
| SHA256 | 3c3672f8b65fe977fd9139cafe114201e624cf76c7d2201d686d6462d6f826ba |
| SHA512 | b478c982660e1700f23b23af1f19773e4206618632fa0ef460de431d87918e4354e93338085915db08c5016206d4b8302903b347e4e03e81f15ab0c27cfb1c1a |
C:\Users\Admin\AppData\Local\Temp\p-gp2i43.0.vb
| MD5 | 4776ddddec9bdbb929820fbaba208684 |
| SHA1 | cf10e4fbb3ce05c0b49f11a4d8167c5332809746 |
| SHA256 | 3567c9e1bafcbf4f5bfb4913960fb5f6ca3b8c037cbf46053a2e1d9298de570b |
| SHA512 | 9a07faedfb1fe8c55f18bcf596d897d1ccad3ac173d5d24cc042722e684f21180511493fa21e76ecbb829d5cff5d4ad11a2c561534b26ce5f7a82d81b7598c67 |
C:\Users\Admin\AppData\Local\Temp\vbcB74F39EA39294B5AA7DAD96E631ED0DF.TMP
| MD5 | 4ddc4c57fd1d38500f1e1e36d1c80dae |
| SHA1 | 037db607366a9f52bc9b60a6203bc4fc15b44419 |
| SHA256 | 2d69af28605b08d20d9b191b2849bc88cae1f6a7956b2b24f7c7b3721fbcb24e |
| SHA512 | 5d7e027c821429d0296126d12e9c6ad94c205b84940a12d9ff78f3b1a3d9a58a57342a427078ed6e9d3d8218cbd6665c84651e3d0a89cdce1f7123bbd4c23fe0 |
C:\Users\Admin\AppData\Local\Temp\RESCAE1.tmp
| MD5 | e2f7e4e39696c687004b77e45081d470 |
| SHA1 | 95b77fdad8aa420d4de647743da597e61ac04230 |
| SHA256 | 78c2aa9d872d6d155dd1d717ea5f8bfa7a1ff73e5009066dd0972f6accde9fe0 |
| SHA512 | 87cd66d8b0091e05f74e62ac34636df96964e14e7b68cac79d15f55238f5b83d77357f9e42d2919bb1f6b2f504b02b934123f2ad92cb4bb48360a9be885c25ff |
C:\Users\Admin\AppData\Local\Temp\ghnmhwci.cmdline
| MD5 | fe91cf8fe54343da5ca7bbfabcc38c55 |
| SHA1 | 7ce80498c1721602a98200659efc830ba796161d |
| SHA256 | f5f08d4f6a9779e6161612eb6d7b00a5b7748eb45769c675f7d670fcc0e79c53 |
| SHA512 | 46c801f34bf582512fcd7447fc877fcc77914a6d6fde9442801a511af269ae1d425ed005be36c7146d07d9022bfcd213830f4171fd04dc235f59b446c2df5129 |
C:\Users\Admin\AppData\Local\Temp\ghnmhwci.0.vb
| MD5 | 07b10a393c633ddfe03650829ac72adf |
| SHA1 | a91f5b666447054f750df3f10ca2f840a72243a2 |
| SHA256 | 064ddb8b8da7931744430a9dbb24375788074db63fe9f0e74ac75c1afe274e00 |
| SHA512 | 38880d1ad5442fa1fb55038c76f035031fe01f229eece65583774ce90c9f08fc34e5aa82f68d8cc587500f917d52e9eb47b29b989872359a803e0542f2f4dccc |
C:\Users\Admin\AppData\Local\Temp\vbc65369D76EFF04917A8B6C1DA3337411.TMP
| MD5 | f4b8ccb9a2218a7426563bf602dbb3ce |
| SHA1 | 047e64c89bf897f2b908803c01e5767f0b3538da |
| SHA256 | e78fa61a7dad18e3575466e634e76a8760f6e987c632b72140ada947fe7dfca9 |
| SHA512 | c057d11aa5821f0bf64a1c87ec3d48be4f0f3263b6d9d1b832a73d2e99372cef2457e0fff47696ce72e31f0969152c56132ab857371648d588c7e0f1ee9b4ce1 |
C:\Users\Admin\AppData\Local\Temp\RESCB2F.tmp
| MD5 | 482aa0651bfd13f5b1ac99f5ef6628bc |
| SHA1 | ab8065a7b9a14b051cb7f0dc9c1e18c2bae1dfd9 |
| SHA256 | 5e1a0dee6dbc70bf45e2b7ec5ac6cccef0fe368e0e1a2885e233d24bb9151ec7 |
| SHA512 | 79fede5fd0d1bfaeb9f61a104588e0626fc483869cd5e18cb9938d7cf0da58e29c4ec3cb89911005aa8793534cf0fb042a69f53757fc54ee5b3e42a2adabc1c7 |
C:\Users\Admin\AppData\Local\Temp\bbcqk-rw.cmdline
| MD5 | 0d79d44abc2c86a8cf910f33ec8bf469 |
| SHA1 | 98e6e99e8d9f7806ea52e56cc6c9ee768a8bf672 |
| SHA256 | 7a51a3b7bd8e9d4f5d99df0d254192869d06a919f6c308d2fcf43a0ca393fa62 |
| SHA512 | 749df5ae23f754bba4130647b4ca8210aeefd16c5b4ec7eff60eebce00ae8a30aac3779786144f758adeb429570715dc106d925e50543f6347663c0dee96fe76 |
C:\Users\Admin\AppData\Local\Temp\bbcqk-rw.0.vb
| MD5 | 75088557db6e2a028811c00adbf5b987 |
| SHA1 | 3804c2dce38b94228464e3d2fba2ea1e43298965 |
| SHA256 | 28b93c7c4a19e5c158e45e40b5431129f7ba2a5b25e7991e01b1eb4b8077029a |
| SHA512 | 1e273bbe0252674e0658acf8d1aca6f359903dd607066f8053acfa60a573b07a8714cd6fc01b98c21422dad62c7c7a7177e45b9d019c7234724b29ab273122ed |
C:\Users\Admin\AppData\Local\Temp\vbcD68FEB616831466595DE657882BD1ABE.TMP
| MD5 | 2214c876093e68709179d742d5af1e95 |
| SHA1 | e67426c777b682b436c6addcd42fbee760f75ad7 |
| SHA256 | 48cb47e939238a904a4eea243c4c0fd3ae383139513e418db024f23fd96ddffe |
| SHA512 | 08783085b534e1e107c4e9dfdc7698818989d36093efff3c9111691d8bc8f3927d0a652d2cc2ffb07f94f5681c67191340a3ae686a0581e36ad05b202bd2cf54 |
C:\Users\Admin\AppData\Local\Temp\RESCB6E.tmp
| MD5 | b4ad492bf84ba0c1593d41e25e988f77 |
| SHA1 | 3768071b4111d6c3999d1bd9bf84c13d8c5697f0 |
| SHA256 | e401f108e55d966752cb4f2f22865e1db384b83b3d208d578f2fc81192ae1aa5 |
| SHA512 | ae7079e844cdcf47ea151b6fcc7c7dbd64a8125a20ccc742a1cbaa6131bbe1638d4ca7470a338b97cff0c9f088fbc360f4c8a82c51bcfc2bc50190867cdf750c |
C:\Users\Admin\AppData\Local\Temp\dg-rob3v.cmdline
| MD5 | bb38b64af481d21704e2a37472bc76ab |
| SHA1 | 77038eab36c5d3b836ad6c423df37c3f950212db |
| SHA256 | 94502c756d7dd4325d78ddd4b1144974ab039fe604ae01e41f1ec2f6f3e14242 |
| SHA512 | 638f42b88a6a83da1f5ec52171b9c00fb91d08e4573ca9395fd2b4516b35daa27139744c11d696fa3d5571a77c4e2fa2f3372ef4d5781682816009ae70b01245 |
C:\Users\Admin\AppData\Local\Temp\dg-rob3v.0.vb
| MD5 | 5cc2df1b0de07a19c23de684597c5f07 |
| SHA1 | c868685bd6e87187e4a7d096a854de06e26c9ab1 |
| SHA256 | ec443d6c9ce9bfd961362da89d118060a10d309a3dd21b944805affe3fbe10cd |
| SHA512 | 3d541d6c7b9f470b34a61b6245277ce96d80f3cecaae7bab57980677ac7675abb9658f410bd6a1994f6cdbfa827b0209c83a11d1397298ba7238f002fe3c9828 |
C:\Users\Admin\AppData\Local\Temp\vbcA85ECCB42AFC483D92805FBAEAD51472.TMP
| MD5 | a95dc928661731a2886629b581abb171 |
| SHA1 | e681c1074892cbf7a07f9234a129a1afb6e26efa |
| SHA256 | 74ff7a7faf9652ac7ec7d5593154064a2ea692e9e2c8793f9f0cc8e7e73f31f6 |
| SHA512 | dc1cfa1b7a745f0190f7b6ad45ca72f21c6582a34429663f02459dadae476ecce720b1bf3fc62a3b1410b77a1de34ddcafb520f507fffa94b81864f599feb004 |
C:\Users\Admin\AppData\Local\Temp\RESCBBC.tmp
| MD5 | 098b4acf78a0e9dc460c5204b905d0bf |
| SHA1 | bac6bcf12c9f9e1f873e8f161cdb9982c6ccf4db |
| SHA256 | 77252adfeac953cc0e427778bedb63fb5c897155e77ad46cc5cc3b5def1ab0f7 |
| SHA512 | 82cc8f2215eb37e6452b3e4638f336aea50c2282b31ac5eddbd68a9b6597550598f805e259bbec3ec361bd565fca03195b788c570518e89caf8e9a0165068cc3 |
C:\Users\Admin\AppData\Local\Temp\vuvfwj7k.cmdline
| MD5 | 45e76c5496a775ac8be1ecc5813d1794 |
| SHA1 | 7c0d3036d2e6d94468497960ccf29bec145cd300 |
| SHA256 | f84cf090badd59c92194fa8cb683aae1d2b9991c899dd5e5d6654fefe2a75229 |
| SHA512 | 695579efb59b9f2955b2695d08b54143f23746ee6efa4b165995963b7bf2e109cc92263da339d03b2af3cbb3b242a0bede0062ad3821cdf39e990138c61cd2e5 |
C:\Users\Admin\AppData\Local\Temp\vuvfwj7k.0.vb
| MD5 | a03f23d29973b0c1ad52e9c77c713e98 |
| SHA1 | 0c425f07f98a55674c1efad5ac33e0af65255f35 |
| SHA256 | ee182384e0363b2f14b3d7530c943d350f9923fb3f7381fc29b90ec513f9498d |
| SHA512 | 36673b6c81f8f3fac8fa46ab418df69304a2caed5cf4bc860fe36cb19a00ade06562121b6aadff9395681da497a82a433b9a821041e81b152fa0f3e0facae491 |
C:\Users\Admin\AppData\Local\Temp\vbcFAAFEC1073664A09919E38DDF3CCF50.TMP
| MD5 | ad7e0c7168ed15f96d343a38454d080a |
| SHA1 | 8fac85701ad6b2bbe60ccc5ea0a839d911d26f14 |
| SHA256 | 6232a3d19aefb51a81502ada1177f6a6c4f26a909ad5aab3d86de51985f01cca |
| SHA512 | 4284ddf89e11affef3a8f00792a8b71a13f1684113e61cac7c309ba7e86c655d3fe45ff10d42abf0ad002876fef5617f00dd8f6a012b38b9df8c7d1d55ab7fd9 |
C:\Users\Admin\AppData\Local\Temp\RESCC0A.tmp
| MD5 | 7d1d4edcb74b5c0ed3d505c08314440e |
| SHA1 | 1df1e53d5461585bca3fbc6bba8d72659b2490bc |
| SHA256 | f58083d142a1eca96e8c0d94d236cbbc560a344534d60b2d449e2818b9fb49ff |
| SHA512 | 2484400ea34379e9cef0c31a504c098e7bd6be8b6d7c6ab7662261ae243fff02326bf5540889a53f7ba6d9e799496580c204781b4e4281365128b42f83bbe2ee |
C:\Users\Admin\AppData\Local\Temp\u_boipoq.cmdline
| MD5 | d71e85fab17c81da113b08b677620540 |
| SHA1 | 7147b652e25a867a9da292d0cb4283f13431946c |
| SHA256 | f660a97265fb0b654ea1ad007eb190713b6004ba7f9f751b62bfb6afd1cdfc65 |
| SHA512 | 0d62369381178e92802221c8418b4ed7c31f205f27a20f009e45ad2c46c5a196b9c645944ad76563c824fc7fb42b954c68416556f7bc1f8cc9e5a6a93042144b |
C:\Users\Admin\AppData\Local\Temp\u_boipoq.0.vb
| MD5 | 7e552aa475227fe451bbf11a52d9b811 |
| SHA1 | 933058d53d848d3daf1246ab7185beb9e101c302 |
| SHA256 | d23f1a481fd7538ff94e15558af73221d61e6bbc2eec208740c90bcb5fa0eb8e |
| SHA512 | dde6f810ada06beb517e583720afa3edad4ccc740e1ff6a4ac21403e1227487d6a8c4ed2b15dc2bc6eaa5b84a47b03ac6b20b356b0260d55a4ee64fe53aa6026 |
C:\Users\Admin\AppData\Local\Temp\vbcFED407644BDF4A18B084C1ECBCEFD6F.TMP
| MD5 | 548c704c2c8add1705f3e9e277982a99 |
| SHA1 | 2729f1c3ecb360275a1803097a1799fc0fe71b1d |
| SHA256 | a8c38a9119b97c59c2cde0cb10c171e32b69ea4cc5e27dc366d933a3d00ceca4 |
| SHA512 | 53cbdb43af99693b8d2fe78441b2fa3f8b6620f3fb569efef81bac2d92e7037427f8ff871606a7cc1bbec85ffa137bd8bdf2081d64cbc793302feb0f9418158a |
C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp
| MD5 | d21f62506146e18663b4308160a99a11 |
| SHA1 | fb970df2f28c8ca861d92d9c717fe114fde7df33 |
| SHA256 | 3ceda4ba4c443bc6bcd70c2a5de9abb9b9c6d5f05b5210334d1ab9aaf98fb143 |
| SHA512 | de619289692f846d9364ff9b29b06c306e84e7a3fc280e659e18879423ca1aced46f3caa86a6954267c2173236bbce3b2b92e680af1fc7f60b0b4c7d45da8091 |
C:\Users\Admin\AppData\Local\Temp\incndkav.cmdline
| MD5 | e23e84f62a168c3af58785a4eaf90743 |
| SHA1 | e18110c551dd142682c270bd437dab0ea65b1e91 |
| SHA256 | e6edd0675bcc0ccc0c65bb1a3b7e4dbd0111204b0056485eb6a77b3b6cb5e9a0 |
| SHA512 | 674ae61bcd95af294347bcbf59ef56da1024f3bc885a5b9384c78d17cab1f0529717ebd431beed124b6a705bc1a3170b2c01d548cfb9fa365b57506ea7aad05f |
C:\Users\Admin\AppData\Local\Temp\incndkav.0.vb
| MD5 | 102f791566f6024af32b6e4eb24614d5 |
| SHA1 | 03b4cce2ab9c69efd37795f7a0265f898bef605f |
| SHA256 | a3b30928d3848dc1c5ed6fba7dadc767ce3e6ba026460f76171a239defe92b76 |
| SHA512 | 09c693c5c60d29834ec7bfa0012eee38afdc4ff0f3db41f54bac380e019db13e607c14503d3abec3abb5f73d82737137b05ff0ec316f082fc395b308406d62a7 |
C:\Users\Admin\AppData\Local\Temp\vbc23478D4BCEC746B8A23EF95CB53BA4E8.TMP
| MD5 | 29c5a9e999a66e2a2c21bf393981b4d7 |
| SHA1 | f34fe08de19e1032819879e91988b1126eae207e |
| SHA256 | 17f40a3896dc18d0f928a701152bbd5086963dbbef39b35704730365fea5f4ee |
| SHA512 | 1a6ff42cd0e832509b6b1972947df8709009bbb952cc8d347aa2cca17b3ff74564c4e610626eceefebf8bac878663a9b97b428f22738f0c39b3b95ec7059da47 |
C:\Users\Admin\AppData\Local\Temp\RESCCB6.tmp
| MD5 | 5a99a05fff6b5a0c9f044e2ff55244e7 |
| SHA1 | 48fe5e82b067146eb587f014089f9b1a2555a30e |
| SHA256 | f96ae275c3098dd35821ee3f6aefb6ee7d300dd5ebe7d07c9926b84a3ec5c8d6 |
| SHA512 | 887e3aa91306a6906b1d240b3b01b052b42178f9cd732c68e3323be4512b3b9588d1fa3d0135748165f3fb4537529b6f038804f3b1b0ab034ecbb192536247eb |
C:\Users\Admin\AppData\Local\Temp\imuyujqp.cmdline
| MD5 | e5f6fb55730ad0d2114c4558d149da44 |
| SHA1 | e0210a588faeac986840b332d33a5717ff19936c |
| SHA256 | 3b3c36a71690c8ddac6337bd776aa0ad541d763070c9ff1bf57f982bcc548dd5 |
| SHA512 | bcc5690cefc1e16af2e5bf4dd403dd4e96bc9d653efda6f352d3c25771b263deffee9359a2b4865a13f079b415d167a6c0a13b6f4e95ef9a0718547c027f64b4 |
C:\Users\Admin\AppData\Local\Temp\imuyujqp.0.vb
| MD5 | 8c5c94ce9523fc00aa8f77ba9970c844 |
| SHA1 | fdca7988fb823d599eb00de2be871f7a3f557ba6 |
| SHA256 | 22ca27df429206fffa3e79ebe49f4af70ffc6400b7957b07f26c0c2f37e28e69 |
| SHA512 | e4cd952f68a29a9b3705f413a6c272c871bfc5b6e24c3c96ce1d309975f83aa51885111182fa623d6780715825989d1111e4b7dce777b8dabc94e764f2e1eb7f |
C:\Users\Admin\AppData\Local\Temp\vbcEDAABE233978440CB032979FEB7ED1A.TMP
| MD5 | 6a6db771159557442920c503a43904b6 |
| SHA1 | 8df46af5cf7d84e8f7817aba14b704a08ee16697 |
| SHA256 | 19acca242ec156ef6483efae24486c3bc547a7d6add870e825ea30e6e7b140ca |
| SHA512 | 748a5e972b1c45246313dc2d9c7aa31f4434dee74946e41a6a1e90dccef7f38eb26d6e185cb772480e7bc24b4d896132966c602931e0d9dc7b4ad5a4b8628ec6 |
memory/2304-241-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp
memory/2304-295-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp
C:\Users\Admin\AppData\Roaming\indexworm.exe
| MD5 | 72292b69bc9a8b6191cd4f83db9b8598 |
| SHA1 | 944c73806a03a3eeaabab1ece053710ee613e1f9 |
| SHA256 | 5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897 |
| SHA512 | ee1365626a806687cda20a8654e151fe92b4a78512ea97941aa9875ad8775c47ee6631c828739d6c72be7bf5fe547332084488ef964feeb45dec6507f5e67ccf |
memory/2304-300-0x00007FFD1CD80000-0x00007FFD1D720000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
| MD5 | e516a60bc980095e8d156b1a99ab5eee |
| SHA1 | 238e243ffc12d4e012fd020c9822703109b987f6 |
| SHA256 | 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7 |
| SHA512 | 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IOKXFE4P\update100[1].xml
| MD5 | 53244e542ddf6d280a2b03e28f0646b7 |
| SHA1 | d9925f810a95880c92974549deead18d56f19c37 |
| SHA256 | 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d |
| SHA512 | 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
| MD5 | fb4aa59c92c9b3263eb07e07b91568b5 |
| SHA1 | 6071a3e3c4338b90d892a8416b6a92fbfe25bb67 |
| SHA256 | e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9 |
| SHA512 | 60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
| MD5 | b406e3eaa34ec784e702b263576f7321 |
| SHA1 | 8216157abcfd25ffd27a45dcb9d385d6e1dce8eb |
| SHA256 | 74fb4f98bccc83241fa428e1e778d01bfd3fceb6ef52cf9a946960f6cc96c095 |
| SHA512 | 98bb842dfceddb2fa17ce7bdd3763d6fa8f7dd44e2d4c8234937f3f99ac79287114ace0ba0e97bf679bba1c3baae5e332bd16e26e711b940336d2475a74feb1e |
C:\Users\Admin\AppData\Local\Temp\tmp9EFA.tmp
| MD5 | 5b16ef80abd2b4ace517c4e98f4ff551 |
| SHA1 | 438806a0256e075239aa8bbec9ba3d3fb634af55 |
| SHA256 | bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009 |
| SHA512 | 69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | cc04d6015cd4395c9b980b280254156e |
| SHA1 | 87b176f1330dc08d4ffabe3f7e77da4121c8e749 |
| SHA256 | 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e |
| SHA512 | d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe
| MD5 | c2938eb5ff932c2540a1514cc82c197c |
| SHA1 | 2d7da1c3bfa4755ba0efec5317260d239cbb51c3 |
| SHA256 | 5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665 |
| SHA512 | 5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
| MD5 | 72747c27b2f2a08700ece584c576af89 |
| SHA1 | 5301ca4813cd5ff2f8457635bc3c8944c1fb9f33 |
| SHA256 | 6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b |
| SHA512 | 3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
| MD5 | b83ac69831fd735d5f3811cc214c7c43 |
| SHA1 | 5b549067fdd64dcb425b88fabe1b1ca46a9a8124 |
| SHA256 | cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185 |
| SHA512 | 4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
| MD5 | e01cdbbd97eebc41c63a280f65db28e9 |
| SHA1 | 1c2657880dd1ea10caf86bd08312cd832a967be1 |
| SHA256 | 5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f |
| SHA512 | ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
| MD5 | 09773d7bb374aeec469367708fcfe442 |
| SHA1 | 2bfb6905321c0c1fd35e1b1161d2a7663e5203d6 |
| SHA256 | 67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2 |
| SHA512 | f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
| MD5 | 771bc7583fe704745a763cd3f46d75d2 |
| SHA1 | e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752 |
| SHA256 | 36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d |
| SHA512 | 959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
| MD5 | de5ba8348a73164c66750f70f4b59663 |
| SHA1 | 1d7a04b74bd36ecac2f5dae6921465fc27812fec |
| SHA256 | a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73 |
| SHA512 | 85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
| MD5 | f1c75409c9a1b823e846cc746903e12c |
| SHA1 | f0e1f0cf35369544d88d8a2785570f55f6024779 |
| SHA256 | fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6 |
| SHA512 | ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
| MD5 | 19876b66df75a2c358c37be528f76991 |
| SHA1 | 181cab3db89f416f343bae9699bf868920240c8b |
| SHA256 | a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425 |
| SHA512 | 78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
| MD5 | 8347d6f79f819fcf91e0c9d3791d6861 |
| SHA1 | 5591cf408f0adaa3b86a5a30b0112863ec3d6d28 |
| SHA256 | e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750 |
| SHA512 | 9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png
| MD5 | d03b7edafe4cb7889418f28af439c9c1 |
| SHA1 | 16822a2ab6a15dda520f28472f6eeddb27f81178 |
| SHA256 | a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665 |
| SHA512 | 59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png
| MD5 | 57a6876000151c4303f99e9a05ab4265 |
| SHA1 | 1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794 |
| SHA256 | 8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4 |
| SHA512 | c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
| MD5 | adbbeb01272c8d8b14977481108400d6 |
| SHA1 | 1cc6868eec36764b249de193f0ce44787ba9dd45 |
| SHA256 | 9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85 |
| SHA512 | c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png
| MD5 | a23c55ae34e1b8d81aa34514ea792540 |
| SHA1 | 3b539dfb299d00b93525144fd2afd7dd9ba4ccbf |
| SHA256 | 3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd |
| SHA512 | 1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
| MD5 | f4e9f958ed6436aef6d16ee6868fa657 |
| SHA1 | b14bc7aaca388f29570825010ebc17ca577b292f |
| SHA256 | 292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b |
| SHA512 | cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png
| MD5 | e593676ee86a6183082112df974a4706 |
| SHA1 | c4e91440312dea1f89777c2856cb11e45d95fe55 |
| SHA256 | deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb |
| SHA512 | 11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png
| MD5 | 13e6baac125114e87f50c21017b9e010 |
| SHA1 | 561c84f767537d71c901a23a061213cf03b27a58 |
| SHA256 | 3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e |
| SHA512 | 673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
| MD5 | 2c7a9e323a69409f4b13b1c3244074c4 |
| SHA1 | 3c77c1b013691fa3bdff5677c3a31b355d3e2205 |
| SHA256 | 8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2 |
| SHA512 | 087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
| MD5 | 552b0304f2e25a1283709ad56c4b1a85 |
| SHA1 | 92a9d0d795852ec45beae1d08f8327d02de8994e |
| SHA256 | 262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535 |
| SHA512 | 9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
| MD5 | 22e17842b11cd1cb17b24aa743a74e67 |
| SHA1 | f230cb9e5a6cb027e6561fabf11a909aa3ba0207 |
| SHA256 | 9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42 |
| SHA512 | 8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
| MD5 | 3c29933ab3beda6803c4b704fba48c53 |
| SHA1 | 056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c |
| SHA256 | 3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633 |
| SHA512 | 09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png
| MD5 | 1f156044d43913efd88cad6aa6474d73 |
| SHA1 | 1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26 |
| SHA256 | 4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816 |
| SHA512 | df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png
| MD5 | ed306d8b1c42995188866a80d6b761de |
| SHA1 | eadc119bec9fad65019909e8229584cd6b7e0a2b |
| SHA256 | 7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301 |
| SHA512 | 972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png
| MD5 | 09f3f8485e79f57f0a34abd5a67898ca |
| SHA1 | e68ae5685d5442c1b7acc567dc0b1939cad5f41a |
| SHA256 | 69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3 |
| SHA512 | 0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png
| MD5 | 096d0e769212718b8de5237b3427aacc |
| SHA1 | 4b912a0f2192f44824057832d9bb08c1a2c76e72 |
| SHA256 | 9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef |
| SHA512 | 99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png
| MD5 | d9d00ecb4bb933cdbb0cd1b5d511dcf5 |
| SHA1 | 4e41b1eda56c4ebe5534eb49e826289ebff99dd9 |
| SHA256 | 85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89 |
| SHA512 | 8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri
| MD5 | 7473be9c7899f2a2da99d09c596b2d6d |
| SHA1 | 0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac |
| SHA256 | e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3 |
| SHA512 | a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml
| MD5 | 5ae2d05d894d1a55d9a1e4f593c68969 |
| SHA1 | a983584f58d68552e639601538af960a34fa1da7 |
| SHA256 | d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c |
| SHA512 | 152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe
| MD5 | 9cdabfbf75fd35e615c9f85fedafce8a |
| SHA1 | 57b7fc9bf59cf09a9c19ad0ce0a159746554d682 |
| SHA256 | 969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673 |
| SHA512 | 348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL
| MD5 | bebc72eac54f0f26b6cdcad4bf5f7d5e |
| SHA1 | d3648c192692f88917a18272e6d88d001a7a6554 |
| SHA256 | 207668f0389121676e9a5120b5711e5e51860ea52703b8a0b7871622f85ffa2c |
| SHA512 | 8324834152024cf249092adcc2dbc70065bf1e40f1e05baab803454720d4445c731cb20d5c003a9b366e31f9389aca573ed82375d801b8621bbeeecf49c2eba6 |
C:\Users\Admin\AppData\Local\Temp\vbc1EFE2D4CB7D410B9F7DBDEE4AB5F985.TMP
| MD5 | dac60af34e6b37e2ce48ac2551aee4e7 |
| SHA1 | 968c21d77c1f80b3e962d928c35893dbc8f12c09 |
| SHA256 | 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6 |
| SHA512 | 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084 |
C:\Users\Admin\AppData\Local\Temp\vbc56D106AC152B40C487CB9A39F3A5F92.TMP
| MD5 | 3906bddee0286f09007add3cffcaa5d5 |
| SHA1 | 0e7ec4da19db060ab3c90b19070d39699561aae2 |
| SHA256 | 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00 |
| SHA512 | 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | 62d4f80f78d2298a93c2f6fc1ae8eba0 |
| SHA1 | 429e6b34179d4f68e08c291502e79bf1c752a6be |
| SHA256 | 0157ff297ae79cd1c8e5336171a391600dae775e291a071b090daf12d15efa52 |
| SHA512 | 48aa6237036080f7385a5e044b8acf4abd63476110b634f3221dcdb518c7ae7fefe488bc37d578c0e9af685dd75289c18679cd36a1a6b8af2109d4ea27f61b5f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 06:46
Reported
2024-10-12 06:52
Platform
win10v2004-20241007-en
Max time kernel
292s
Max time network
203s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Users\\Admin\\AppData\\Roaming\\indexworm.exe" | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\indexworm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
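The behavioural signatures above (xdwd.vbs/.js/.lnk/.exe written into the per-user Startup folder by indexworm.exe, the Run value xwdx pointing at indexworm.exe under AppData\Roaming) and the process tree that follows (repeated vbc.exe /noconfig @"…\Temp\*.cmdline" launches) map directly onto host-telemetry detections. The Python below is an added example, not part of this report and not the sandbox's own rule set. It runs four checks over constructed, Sysmon-style events modelled on the indicators printed on this page; the event schema (`type`, `image`, `cmdline`, `parent`, `path`, `process`, `key`, `value`), the explorer.exe parent for Client.exe and the benign MSBuild-driven compile used as a control are assumptions for the demonstration, not facts recorded by the sandbox.

```python
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Constructed Sysmon-style events modelled on this report's behavioural section.
# Illustrative inputs only, not log lines captured from the sandbox; the field
# names are an assumed schema, not any product's real one.
INDEXWORM = r"C:\Users\Admin\AppData\Roaming\indexworm.exe"
CLIENT = r"C:\Users\Admin\AppData\Local\Temp\Client.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

EVENTS: List[Dict[str, str]] = [
    # Parent of Client.exe is assumed (the report does not record it).
    {"type": "process", "image": CLIENT, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{CLIENT}"'},
    {"type": "process", "image": VBC, "parent": CLIENT,
     "cmdline": f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\g1gdahtd.cmdline"'},
    {"type": "file", "process": INDEXWORM, "path": STARTUP_DIR + r"\xdwd.vbs"},
    {"type": "file", "process": INDEXWORM, "path": STARTUP_DIR + r"\xdwd.js"},
    {"type": "file", "process": INDEXWORM, "path": STARTUP_DIR + r"\xdwd.lnk"},
    {"type": "file", "process": INDEXWORM, "path": STARTUP_DIR + r"\xdwd.exe"},
    {"type": "registry", "process": INDEXWORM,
     "key": r"\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwdx",
     "value": f'"{INDEXWORM}"'},
    # Benign control (assumed): a build-tool-driven compile whose response file
    # sits in the project tree and whose parent lives under Program Files.
    {"type": "process", "image": VBC,
     "parent": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe",
     "cmdline": f'"{VBC}" /noconfig @"C:\\Projects\\App\\obj\\Debug\\App.cmdline"'},
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
TEMP_RESPONSE_FILE = re.compile(
    r'vbc\.exe"?\s+/noconfig\s+@"?[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^"\s]+\.cmdline',
    re.I,
)
STARTUP_FOLDER = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

Finding = Tuple[str, str]


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    """Return (rule, detail) pairs for events that match the persistence and
    runtime-compilation behaviours recorded in this report."""
    findings: List[Finding] = []
    startup_exts: Dict[str, Set[str]] = {}
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            # Rule 1: vbc.exe fed a response file from the user's Temp directory,
            # launched by a parent that itself lives under AppData (as Client.exe does).
            if TEMP_RESPONSE_FILE.search(ev["cmdline"]) and USER_WRITABLE.match(ev["parent"]):
                findings.append(("runtime_compile_from_temp", ev["parent"]))
        elif kind == "file":
            # Rule 2: any write into the per-user Startup folder by an AppData-resident process.
            if STARTUP_FOLDER.search(ev["path"]) and USER_WRITABLE.match(ev["process"]):
                findings.append(("startup_drop", ev["path"]))
                stem, ext = ntpath.splitext(ntpath.basename(ev["path"]))
                startup_exts.setdefault(stem.lower(), set()).add(ext.lower())
        elif kind == "registry":
            # Rule 3: a Run value whose target (quotes stripped) is an executable under AppData.
            if RUN_KEY.search(ev["key"]) and USER_WRITABLE.match(ev["value"].strip('"')):
                findings.append(("run_key_to_appdata", ev["key"]))
    # Rule 4: one stem dropped as several launchable formats (xdwd.vbs/.js/.lnk/.exe)
    # is characteristic of this family's redundant persistence, not of an installer.
    for stem, exts in sorted(startup_exts.items()):
        if len(exts) >= 3:
            findings.append(("startup_multi_format", f"{stem}: {','.join(sorted(exts))}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:26} {detail}")
```

Rule 1 deliberately requires the parent to be AppData-resident rather than alerting on every vbc.exe response-file compile: legitimate .NET runtime code generation (XmlSerializer-style temporary assemblies, for instance) also drives the framework compilers with a .cmdline in %TEMP%, but from a parent under Program Files or a service host. The schtasks.exe signature on this page records no command line or parent, so no rule is written for it here; add one keyed on the parent image once your telemetry supplies it.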
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g1gdahtd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4908D26E9E5944938F6B7AB025FBF31.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uylyzrrx.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6E8B9FDFBB940D1BEF9BFAA1CB4DF32.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckxfyqd5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBCC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB3CBC2B7BA9471AA429C5E376C4B5A7.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-sjvnlua.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F035B83288E4D3FB4E0C09C2E6092A.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\scztj-kj.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64AD0A1E35564572BB722E4BC28DCA46.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x034ge93.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDB0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB43D82FA07948BC85BAE53E265E6E8.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jr7_rn-3.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D90BDD2162843869EF2EC27C17F1CB7.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-wcwa1ct.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E6E0CF5DF85437784641620864A13B.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zelprae6.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA168AACAF542758D6EEB1CE7E33D4C.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g26toir4.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5421A20A7DF54F85883772E309E22.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ktulmwhe.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF00E7DCCFC5641D599B2183C44C84CED.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s3c-hbwg.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD002.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69E53D2A34854D7DA7B5F3C1BE33FE79.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iru5k0nq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD060.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF0A03D22BDF4DB580813EA2A55D41C7.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vktxbrpd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0F42330CA6E405BB1AED8B08F76E1E6.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kiyply37.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD11B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc416B8A6CD9644227AB28BB801E14371A.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_zwscesd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD169.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3945F6F0B15841AFBDBDBE2494AC5ED3.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y5men_le.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD282.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF504FE3C6947CF9F7CFFE1A2EF1CA2.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5e3uegv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD33E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B29F0B9D3AF421C92ED5C5315385F47.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oheq3tll.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD39C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE494BFCA95E1419E9A417ACC89B2A6C.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xq5y9gjf.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD428.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AF795D52C9C4078A287034C98A1E7D.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgt5lf3n.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD467.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc455FEB92B5884A668279987EBBEF4672.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmi7s_cn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70B6523356424D47B7E9E2A7F514773D.TMP"
C:\Users\Admin\AppData\Roaming\indexworm.exe
"C:\Users\Admin\AppData\Roaming\indexworm.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vsix_yra.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA97A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc209C5BD173B5427C835E428EFE239CAF.TMP"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Users\Admin\AppData\Roaming\indexworm.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a3htymvg.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7800E785B0B4A8680A1858F43504A8.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r3w5eg9w.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD56DDA4B5434A25A9612E965D9C32B3.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lthj0dzm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50F220FCF2834DA6BA6CA7CD90289478.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzt_pc3u.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58129BFEE4B549A4BE356716AF1C2792.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\udrvb50z.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B38C610BC6847759A25B82EE8849D7.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\used2k7l.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA124E70763B945B5BC18CF18602AA0F7.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s_j1p67f.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC27B5A4461CE44D09173C8467FAA4CA0.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0pqthrfu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB34EACBFFF1D434AA7282A14DD515A2C.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ytcz8gc.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8ABD8ECEDC6C4B87BBEAE4201B15FFCB.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ykqxysyu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F5D6904B07A498CB88DB11C1FCAA259.TMP"
C:\Users\Admin\AppData\Roaming\indexworm.exe
C:\Users\Admin\AppData\Roaming\indexworm.exe
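The process list above shows two behaviours a detection engineer would want to alert on: the sample repeatedly drives the .NET 2.0 VB compiler (vbc.exe with /noconfig and a @*.cmdline response file in %TEMP%, followed by cvtres.exe writing RES*.tmp resources into the same directory), and it persists by dropping indexworm.exe into AppData\Roaming and registering a scheduled task that re-runs it every minute. The following is an added example, not part of the sandbox report: a small rule set in Python that tokenizes Windows command lines and flags those patterns. The sample input embeds a few of the command lines from this report verbatim plus two constructed benign lines (an MSBuild invocation and a daily backup task) that must not fire; the rule names are my own.

```python
import re

# Constructed sample input: command lines copied from the process list above,
# plus two benign control lines (constructed) that the rules must not flag.
SAMPLE_CMDLINES = [
    r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ktulmwhe.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF00E7DCCFC5641D599B2183C44C84CED.TMP"',
    r'"C:\Users\Admin\AppData\Roaming\indexworm.exe"',
    r'schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Users\Admin\AppData\Roaming\indexworm.exe"',
    r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" build.proj',
    r'schtasks /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace while honouring double quotes.
    Quotes may begin mid-token (the @"response file" argument), so shlex is not suitable."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(args: list) -> dict:
    """Map /switch value pairs to a dict; value-less switches (e.g. /create) map to True."""
    parsed = {}
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                parsed[key] = args[i + 1]
                i += 2
                continue
            parsed[key] = True
        i += 1
    return parsed


def analyze(cmdline: str) -> list:
    """Return (rule, evidence) pairs for a single command line."""
    toks = tokenize(cmdline)
    if not toks:
        return []
    image_path, args = toks[0], toks[1:]
    image = image_path.rsplit("\\", 1)[-1].lower()
    lowered = [a.lower() for a in args]
    findings = []

    if image in ("vbc.exe", "csc.exe"):
        # CodeDOM-style runtime compilation: /noconfig plus a *.cmdline response file in %TEMP%.
        resp = [a[1:] for a in args if a.startswith("@")]
        if "/noconfig" in lowered and any(TEMP_RE.search(r) and r.lower().endswith(".cmdline") for r in resp):
            findings.append(("runtime_compile_from_temp", resp[0]))
    elif image == "cvtres.exe":
        # Resource converter emitting its output into %TEMP%: the companion of the rule above.
        outs = [a[5:] for a in args if a.upper().startswith("/OUT:")]
        if any(TEMP_RE.search(o) for o in outs):
            findings.append(("cvtres_output_in_temp", outs[0]))
    elif image in ("schtasks", "schtasks.exe"):
        # Minute-granularity task whose action lives in a user-writable AppData path.
        task = parse_schtasks(args)
        sc, action = task.get("sc"), task.get("tr")
        if "create" in task and isinstance(sc, str) and sc.lower() == "minute" \
                and isinstance(action, str) and APPDATA_RE.search(action):
            findings.append(("minute_task_to_appdata", action))
    elif image.endswith(".exe") and APPDATA_RE.search(image_path):
        # Any executable launched directly out of AppData.
        findings.append(("exec_from_appdata", image_path))
    return findings


def scan(cmdlines) -> dict:
    """Aggregate findings by rule name across many command lines."""
    hits = {}
    for line in cmdlines:
        for rule, evidence in analyze(line):
            hits.setdefault(rule, []).append(evidence)
    return hits


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_CMDLINES).items():
        print(f"{rule}: {evidence}")
```

On a real endpoint these rules belong in a process-creation pipeline (Sysmon event 1 or equivalent) keyed on the parent process as well: vbc.exe and cvtres.exe spawned by a non-developer parent out of a user profile directory is the signal here, and a single legitimate build will not register tasks in AppData\Roaming.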
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
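The network table mixes three kinds of traffic that are worth separating when turning a sandbox run into indicators: a forward lookup of the C2 hostname, repeated TCP sessions to the resolved endpoint, and a series of reverse (in-addr.arpa) lookups, one of which is for the C2 peer 193.161.193.99 itself. Two details stand out: the hostname label ends in -26540, the same number as the destination port, and the sample reverse-resolves the address it is talking to. The following is an added example, not part of the sandbox report: Python that parses the table rows exactly as printed above, decodes PTR names back to the queried IPv4 addresses, and correlates them with the TCP destinations. The "port encoded in the hostname" check is an observation from this table generalized into a rule, which is an assumption about how that forwarding service names hosts, not something the report states.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Constructed sample input: the rows of the Network table above, copied verbatim.
NETWORK_TABLE = """
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Pizd11337-26540.portmap.host | udp |
| DE | 193.161.193.99:26540 | Pizd11337-26540.portmap.host | tcp |
"""

PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa", re.IGNORECASE)
# Assumption: forwarding hostnames of the form <label>-<port>.portmap.host carry the forwarded port.
PORTMAP_RE = re.compile(r"-(\d+)\.portmap\.host$", re.IGNORECASE)


def parse_rows(table: str) -> list:
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts; skip malformed lines."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'99.193.161.193.in-addr.arpa' -> '193.161.193.99'; None if the name is not a valid IPv4 PTR."""
    m = PTR_RE.fullmatch(name)
    if not m:
        return None
    candidate = ".".join(reversed(m.group(1).rstrip(".").split(".")))
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None


def summarize(rows: list) -> dict:
    """Split rows into forward lookups, reverse-looked-up targets and non-DNS connections,
    then annotate each connection with the two correlations described above."""
    forward, ptr_targets, conns = set(), set(), Counter()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)
            else:
                forward.add(r["domain"].lower())
        else:
            conns[(r["domain"].lower(), r["ip"], r["port"], r["proto"])] += 1

    connections = []
    for (domain, ip, port, proto), count in conns.items():
        m = PORTMAP_RE.search(domain)
        connections.append({
            "domain": domain, "ip": ip, "port": port, "proto": proto, "count": count,
            # the number in the hostname label equals the destination port
            "port_in_hostname": m is not None and int(m.group(1)) == port,
            # the sample issued a PTR query for the very peer it connects to
            "peer_reverse_looked_up": ip in ptr_targets,
        })
    return {"forward_lookups": sorted(forward),
            "ptr_lookups": sorted(ptr_targets),
            "connections": connections}


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_TABLE)).items():
        print(key, value)
```

The reverse-lookup list is the part most easily missed when reading the raw table: a set of unrelated-looking PTR names collapses into a handful of IPv4 addresses, and seeing the C2 address among them tells you the RAT performs a reverse lookup on its own server, which is itself a usable behavioural indicator alongside the hostname and the 26540/tcp endpoint.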
Files
memory/4724-0-0x00007FFB81315000-0x00007FFB81316000-memory.dmp
memory/4724-1-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
memory/4724-2-0x000000001C350000-0x000000001C81E000-memory.dmp
memory/4724-3-0x000000001C820000-0x000000001C8C6000-memory.dmp
memory/4724-4-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
memory/4724-5-0x000000001CA00000-0x000000001CA62000-memory.dmp
memory/4724-6-0x000000001D3D0000-0x000000001D46C000-memory.dmp
memory/4724-7-0x00007FFB81315000-0x00007FFB81316000-memory.dmp
memory/4724-8-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\g1gdahtd.cmdline
| MD5 | df353d73902126b4a19a166013daf039 |
| SHA1 | da732900d6cd7ad32dc1350189a8f952ab3284b1 |
| SHA256 | bd2b1b8560c19e4c84deb2bb8ab3a6ccc206495a44f4a1fc99715e0f8119b456 |
| SHA512 | e549f79bd0b1e1a4dceed95ca802ca7bcf263532b2877d84aba7beb214522efde2f93db0d75fbe815acf1a3f4f9e89fe6bd8031d1b7cfab9395b62ef261388e8 |
C:\Users\Admin\AppData\Local\Temp\g1gdahtd.0.vb
| MD5 | ed48ecd501fd2ec90b9359de04fc1a18 |
| SHA1 | 9dd35b37dac1f0908fdafbb971157f576cb31c22 |
| SHA256 | 3454a8ec9826e999653b677ee666c64116c8881a13fdaf16dc3e4153fab0dad3 |
| SHA512 | 0006bb695aadfe28b3f6005772d9d53700c01392abdb9f3eaf4a8c7a48af7efa7bdc47a8a569e609070476e7f8fe1afc2701c529edaa8d03ecf7343e843b0772 |
memory/4072-17-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | c350868e60d3f85eb01b228b7e380daa |
| SHA1 | 6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e |
| SHA256 | 88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7 |
| SHA512 | 47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85 |
C:\Users\Admin\AppData\Local\Temp\vbc4908D26E9E5944938F6B7AB025FBF31.TMP
| MD5 | 53aadde7d4dde82227b316b57a5a7209 |
| SHA1 | 28076dd0bdf1724ec1293a7dc54f95fac210d974 |
| SHA256 | 1c469b6462e5e53adfc7d23eb770264179ab167ce9dcb2814c51bb8730b6eb97 |
| SHA512 | 95dd34a020812d7f888d66ff23e11327cbcc0d2217c02297b10373a5819763f2e00ef0dd2be2fea346303181ca8e19425e7d956f9ef18e9a41d89a1f3f2bf3f1 |
C:\Users\Admin\AppData\Local\Temp\RESCA35.tmp
| MD5 | 3eae52002ad24b42cea2f99397f93711 |
| SHA1 | df84a5edaf3ef670e7f3bec6d081ab93707d061e |
| SHA256 | 5b0fc7762bf411c6390aba60e37100f4788a845073da5c205fd0bb8ac9e64e15 |
| SHA512 | 1cff5685fa83824ffa5fe7fb790f904a258d95a471a92b48cb8c1e1d39713f45ab9d1595070329c693c2bb2ec49ed2ad1b1e46ac99595d9c5742ecf43c8676ca |
memory/4072-26-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uylyzrrx.cmdline
| MD5 | a31e4bbe481719a51ef780e00da3592c |
| SHA1 | 8a4f2315672276d64e734dc6ea7acc0f2c1c7a34 |
| SHA256 | 7ce63aaab885d6fdd6cfaeb724cf61609fc6525cf0e1f467f8291745b552ac58 |
| SHA512 | 05cc4d4e615545031989928a1c635a5cdb1b4af670e8831daaa59bafa1ca897ef5fedeae54864ba0d517228966e4d41c0b2a7adb1422ca8b6e275f02bc3c6098 |
C:\ProgramData\xdwd\vcredist2010_x64.log.ico
| MD5 | 64f9afd2e2b7c29a2ad40db97db28c77 |
| SHA1 | d77fa89a43487273bed14ee808f66acca43ab637 |
| SHA256 | 9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292 |
| SHA512 | 7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da |
C:\Users\Admin\AppData\Local\Temp\uylyzrrx.0.vb
| MD5 | 2824033d9d2f8ee59347116377cf6d9b |
| SHA1 | fa5ac5a217129274f3df610e90dedb13a5dfef82 |
| SHA256 | c5a03d253201eaad5738d91cd7a6d239348a2e54a8edb19c50c110466ebdb736 |
| SHA512 | a76a3b01d94964df9b48f254e0c8bdda5bef5291431f06fdf3c7c897c04c8ceeb8dbafa61d01dda153712247133104c870ef234f603e0c9a8e8c480c0692ef7a |
C:\Users\Admin\AppData\Local\Temp\vbcD6E8B9FDFBB940D1BEF9BFAA1CB4DF32.TMP
| MD5 | e3ab9b497329f477b1d8bedaa815ec55 |
| SHA1 | 5507ad2d252d0a773861c24882f7a40cd99350d5 |
| SHA256 | 6c6717347f8251193c5b78ab8d4a0a9ab470ed65f3e65a2873fe08959383bb32 |
| SHA512 | d1681ba8937717541e3a5e7f2a58dc869e4e15f67ec35f9af22c97d017f851f731b6fafd0bb4e723fd07551e9764c2fcc7e21982a1f1ff7ce1fbb3207603a276 |
C:\Users\Admin\AppData\Local\Temp\RESCB20.tmp
| MD5 | 11f77c0e0a6aa42f0bcf36ab12c126c7 |
| SHA1 | f11f8c2f76bd6e9cdff275a3bda985d04945867a |
| SHA256 | 6bcf61407f5dd32f2d4a7f9bf973225712ded85876593107c57ff4c7896674ae |
| SHA512 | b6a750cd52f7d51a82e905f0fc0d83c7d5ea53a2a18e56f18a1102d1c8e47d227a7c7f4c99cdd7c36cd340aa85af2de547bc20278b281a9cdbafb54386e83953 |
C:\Users\Admin\AppData\Local\Temp\ckxfyqd5.cmdline
| MD5 | e799390a9b96e23771b64f93f59bdeff |
| SHA1 | 4de11783036af0fa6a8f032788da4778fc371e00 |
| SHA256 | fd3fbee274db7302abf86c96b34f2c89bbd5b5c76f809ed8dbf228986fc39355 |
| SHA512 | 845cf6899f2a288d36542fc17b980bfebf9baba83a197ad3404b776bc3d2c2e0c7c3365fd7aac70f31ca254e6fca8b986f7e6afc96024791c375fa219576d657 |
C:\Users\Admin\AppData\Local\Temp\ckxfyqd5.0.vb
| MD5 | 98c697d0135e14aac926c0701a8b72e7 |
| SHA1 | bd49384492450141bd14dd525dadaea8b83f9d81 |
| SHA256 | 369bf94866b4cf4a4c47182d19b4bd94d47dd4282b761faee0c68e7523432697 |
| SHA512 | 79a5631b25737b5debcda7a1d0b21a26e927457a65431c93dd372fdd90c745d2df6744e9451b0880767f6b635a47d62b606c7dc1127391a8dedd86411bd09fdd |
C:\Users\Admin\AppData\Local\Temp\vbcBB3CBC2B7BA9471AA429C5E376C4B5A7.TMP
| MD5 | ee633ce28424d18ab62d4010d5b7aa82 |
| SHA1 | 677ff6edd3591c4d9b65171cfa381333caa8d546 |
| SHA256 | 8b124412e72ce9b96ff8c55b65ac532cf3492f30743240de3cbc4c3217720f10 |
| SHA512 | 46fefc85a49bae5176838b9b1001db58f4057ea6d1ada8a4c937aa34d7b395c5cbad78e7cace4d6b2d4d546e484aea694f09da520bacc4dc71e3f826d4bc2d9f |
C:\Users\Admin\AppData\Local\Temp\RESCBCC.tmp
| MD5 | ec08191d59afdc3400481d25e3065ca1 |
| SHA1 | 431d79913d7257e2f056f961fb338773618ded23 |
| SHA256 | 22e7d9edf141d7ba5ce5c34342f7d3d33bccd3ff8207dfdabe0174a5b9801db6 |
| SHA512 | 5133f9ef4951dc474dc226ca49d24a34065e46fb47884686ed11018f5ad207aea80adc93f99e13e450f97baa10349bde5ef1dd687336241e6c642016198a0762 |
C:\Users\Admin\AppData\Local\Temp\-sjvnlua.cmdline
| MD5 | 918d4a52718b564d255fc045573dc296 |
| SHA1 | 707a39cbc44e813dfefaa46c0a9d3b286863cb97 |
| SHA256 | 7e309469fc0cf844a53f93fc2de04798692f4f6049b9cb61e88ed0ef6da11061 |
| SHA512 | 206d2c88f96e055f4bb68e3d64d9ac2fd6032a32e893c83d06d74393648832f762ecb1de7933b511176814f0a261270acb4ad258b22a282a269931c46ce50ea7 |
C:\Users\Admin\AppData\Local\Temp\-sjvnlua.0.vb
| MD5 | f9d79311b4cca4c591aa8cfec028a6a9 |
| SHA1 | 2c4d63d2b94e8e33b0349bde75889478d8d972de |
| SHA256 | 78f7a23fa14b298de205e44ba5fdea765cf33a4f72cd63662c0ae2b077154996 |
| SHA512 | 25c75f86e2dfb2c863833b898741e8c903e763cbf13d40695d0a92c4845f480dcfba42cf1fd22da60f337a507ce71031bbb536f2be6ae1b77af974d3513f226b |
C:\Users\Admin\AppData\Local\Temp\vbc1F035B83288E4D3FB4E0C09C2E6092A.TMP
| MD5 | 60091d6d3610e52a0e67d2688352c36d |
| SHA1 | 268dae47b36857e990ec61de1cae3b8cfeac3d08 |
| SHA256 | bb4eb21cdc430e3ff988d2ea0c5e1fe0bc0667e4c1339fc65ab032234294d7a9 |
| SHA512 | c09b48aceac7b3bcebd3814d933cb6dbb89ef2fa73b1813d86d380d670a823df9e085050af990823c468e3b0349f40cba89a1964a12c6844816926caa458ec1e |
C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp
| MD5 | e7091877c53c1f74da2ae5fecfc37f4b |
| SHA1 | 8c5de952efa263739d42d5838bba5e85cc072aba |
| SHA256 | 3c901c35bdcd9cec7a2e913c14464b57ecab6ed9ae51a7dd81a16aaa88e3476c |
| SHA512 | 71368f9f25ac17bdaf36a1f0341dbb508206a690f492ce5e103f7f1c157b1817dfe2457967c3b108ad3acff7e77d5b2164ef0d58fa74a92e14e288730567cfe9 |
C:\Users\Admin\AppData\Local\Temp\scztj-kj.cmdline
| MD5 | c0d4cc4ba50e61cecfc43976630edb62 |
| SHA1 | 99256f3d23d9af14c462034ba38ad2e5bc2667e7 |
| SHA256 | 6ada058a6c42b4e6ae45266d7b3a3bf5999d5c85409d28b7247f7021c21dc123 |
| SHA512 | 111f99224312debbb537efcce94b9608969e814ebd183e57ba999bfc1820512da85afe8dc12143d6c03250393c92a1291cab17c441235a4a6786697115993b72 |
C:\Users\Admin\AppData\Local\Temp\scztj-kj.0.vb
| MD5 | b6f9730115de46756b567e8f913595dc |
| SHA1 | cb8bdd820b9d9405b2a97af9219e08c85e375336 |
| SHA256 | 099e93435c884d79a8c6e2f8ca3fa227c8870e93be10839fea687ea24bc3ef48 |
| SHA512 | aceb5f099294258276e49061cbda8098eab9ee2927318f27d07d35f7c8ea93c3056aa7a3e25faf28a810f20ed4fbf3137e1650086a45197891babb7cb0111732 |
C:\Users\Admin\AppData\Local\Temp\vbc64AD0A1E35564572BB722E4BC28DCA46.TMP
| MD5 | 6109c8e816e691aa16df011af1b222e9 |
| SHA1 | 3beafadd64c8b77c1bc10827d29ebdc784a55c73 |
| SHA256 | be380a83d0ebd463c21ca65a360ae9acf14bfa15e32d649e005c2cd3617c8acd |
| SHA512 | a47ded32c0cef7910318f746221c3fc1facb23cd9232be30aacd83909a63c494133aff7c3147b87b5cb6207b92a8f0151e68e84359fd51101a9be888401d4031 |
C:\Users\Admin\AppData\Local\Temp\RESCD52.tmp
| MD5 | 330e59ea0f57416d07436fae4720ec21 |
| SHA1 | 2af357dbf65d6e66712249d26755591e79d89dfa |
| SHA256 | 2565524ea81380047e32f18620888a66bf546ffc26dbc7e08369f23870e1aea2 |
| SHA512 | 7bedba0fd403844a6237d578946925c3231f1a0e7b2c11613515b7c4ec7fa1327b35449710306d0f9a9785d4697278e4afdf381709f150a62e638d9a8061720c |
C:\Users\Admin\AppData\Local\Temp\x034ge93.cmdline
| MD5 | 0fd320010ec890958eb3b87c8daf0f8d |
| SHA1 | f50c755e794427b0ceeec58eb1553dbc4d7283a9 |
| SHA256 | b03a43c7d56afeda6a8970dc3700a24643ee3ee0693da83ab67548b480a0d585 |
| SHA512 | 06d881582ddaae9715b04b010692ab06cc0bbca8ac627e1180833c3b32375a6998d2b269285c3a608c84c0b98558ea0410ca373129b390ff969fea48d96b91e8 |
C:\Users\Admin\AppData\Local\Temp\x034ge93.0.vb
| MD5 | 4776ddddec9bdbb929820fbaba208684 |
| SHA1 | cf10e4fbb3ce05c0b49f11a4d8167c5332809746 |
| SHA256 | 3567c9e1bafcbf4f5bfb4913960fb5f6ca3b8c037cbf46053a2e1d9298de570b |
| SHA512 | 9a07faedfb1fe8c55f18bcf596d897d1ccad3ac173d5d24cc042722e684f21180511493fa21e76ecbb829d5cff5d4ad11a2c561534b26ce5f7a82d81b7598c67 |
C:\Users\Admin\AppData\Local\Temp\vbcEB43D82FA07948BC85BAE53E265E6E8.TMP
| MD5 | 4ddc4c57fd1d38500f1e1e36d1c80dae |
| SHA1 | 037db607366a9f52bc9b60a6203bc4fc15b44419 |
| SHA256 | 2d69af28605b08d20d9b191b2849bc88cae1f6a7956b2b24f7c7b3721fbcb24e |
| SHA512 | 5d7e027c821429d0296126d12e9c6ad94c205b84940a12d9ff78f3b1a3d9a58a57342a427078ed6e9d3d8218cbd6665c84651e3d0a89cdce1f7123bbd4c23fe0 |
C:\Users\Admin\AppData\Local\Temp\RESCDB0.tmp
| MD5 | 4edfca9411c2ab392720e2235fa7357a |
| SHA1 | a6831ac76229c64ad93894a6a4457b519715b863 |
| SHA256 | 9b9788840c7e2229562b56f06b9fd3518e226e209576f5e4a4d65504260f0d74 |
| SHA512 | 82d75c940d7f467a3cbb0d86df348511514ce2fe230403a2fee20460de6b1044faa2268c774d501c1b358655a0199f9af03c71169153a1dc760d2eb1613bae9a |
C:\Users\Admin\AppData\Local\Temp\jr7_rn-3.cmdline
| MD5 | f5fa64569512299163c5dd5acf6f6d40 |
| SHA1 | d1d6733a090c41ceeabbaeb0d7f914b6d584165d |
| SHA256 | 9841144c1e9c4ad5fbb5213214600ddcf4e5588f663f6636ad3b26b8d5981c5a |
| SHA512 | 4e5b5ac165a49e6fa30d4fe57b94fd3c61fe6cbb11879d2e6e91f61503ca5cbd9377f90de6dd21d4e41ebc29ac7f8c54a75f24e3ac5f54b959a94bae1fac8c01 |
C:\Users\Admin\AppData\Local\Temp\jr7_rn-3.0.vb
| MD5 | 07b10a393c633ddfe03650829ac72adf |
| SHA1 | a91f5b666447054f750df3f10ca2f840a72243a2 |
| SHA256 | 064ddb8b8da7931744430a9dbb24375788074db63fe9f0e74ac75c1afe274e00 |
| SHA512 | 38880d1ad5442fa1fb55038c76f035031fe01f229eece65583774ce90c9f08fc34e5aa82f68d8cc587500f917d52e9eb47b29b989872359a803e0542f2f4dccc |
C:\Users\Admin\AppData\Local\Temp\vbc5D90BDD2162843869EF2EC27C17F1CB7.TMP
| MD5 | f4b8ccb9a2218a7426563bf602dbb3ce |
| SHA1 | 047e64c89bf897f2b908803c01e5767f0b3538da |
| SHA256 | e78fa61a7dad18e3575466e634e76a8760f6e987c632b72140ada947fe7dfca9 |
| SHA512 | c057d11aa5821f0bf64a1c87ec3d48be4f0f3263b6d9d1b832a73d2e99372cef2457e0fff47696ce72e31f0969152c56132ab857371648d588c7e0f1ee9b4ce1 |
C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp
| MD5 | 93f83dff60ab23024e92753509780c66 |
| SHA1 | fd432abcc0d443c64dfbd8d945c72fd77146b1f7 |
| SHA256 | e2b24c04c14f094f1e650144671758dc630c198485ee519057156eec9a2d3546 |
| SHA512 | 3dec72b8ba6ab4d9b893aeda48ed8c0592f35a665186154b5edfe1b68ac7b0e7f7f05311d7d609b4fc370ff6d5d984d6a9236613827ec81ce2ca252d08aa49ce |
C:\Users\Admin\AppData\Local\Temp\-wcwa1ct.cmdline
| MD5 | f7fa858facf4f84e4b788c68af734414 |
| SHA1 | db6615c23a1583a76d89cc2ce35b3121e4b901e3 |
| SHA256 | 3d6352169e0ea265baef800d6e38cd8e2b7c84ff276f72b94118457d002935d7 |
| SHA512 | 3774d10dfdb7c271aa4dea65f02a98182d22127ec2a48b300da2d4e55668d27924eab08afdf0350f8dffdba5f842e4bfcba0fce519d4311c5d84e77d343e2c7e |
C:\Users\Admin\AppData\Local\Temp\-wcwa1ct.0.vb
| MD5 | 75088557db6e2a028811c00adbf5b987 |
| SHA1 | 3804c2dce38b94228464e3d2fba2ea1e43298965 |
| SHA256 | 28b93c7c4a19e5c158e45e40b5431129f7ba2a5b25e7991e01b1eb4b8077029a |
| SHA512 | 1e273bbe0252674e0658acf8d1aca6f359903dd607066f8053acfa60a573b07a8714cd6fc01b98c21422dad62c7c7a7177e45b9d019c7234724b29ab273122ed |
C:\Users\Admin\AppData\Local\Temp\vbc1E6E0CF5DF85437784641620864A13B.TMP
| MD5 | 2214c876093e68709179d742d5af1e95 |
| SHA1 | e67426c777b682b436c6addcd42fbee760f75ad7 |
| SHA256 | 48cb47e939238a904a4eea243c4c0fd3ae383139513e418db024f23fd96ddffe |
| SHA512 | 08783085b534e1e107c4e9dfdc7698818989d36093efff3c9111691d8bc8f3927d0a652d2cc2ffb07f94f5681c67191340a3ae686a0581e36ad05b202bd2cf54 |
C:\Users\Admin\AppData\Local\Temp\RESCE7B.tmp
| MD5 | b08eee47d5c37c62fe1e9417a5496a6f |
| SHA1 | 5b0ca036d45b8bcf4ac9011722f758b668c6e97d |
| SHA256 | 13188157e218b1154afde793ba6ccd1d89d3d23c4bb5f881f3abb19d5b6e4001 |
| SHA512 | ef05dee58aac6cd24c4267ead1578f7421862c82989c4b4301ecd592ebcb8899c6009aba55d40e7d7501b9f3fd96c8d23f08e5b264ae1561c3219549364f3ad6 |
C:\Users\Admin\AppData\Local\Temp\zelprae6.cmdline
| MD5 | 0669380f3a062b42d07b8ced9180c15c |
| SHA1 | 64fcd0324968b812128834c8be93a7a7b0c1c248 |
| SHA256 | a10f9b3025ebf4be06fb0ead65102c315f97989e87012890a8d9010260be3d9e |
| SHA512 | 87a8da55294a9e37aaa571310c01d7389c4c3a2e2091c3fd3eb547b015b901481c874a9a802d842967c1cbac1b28497a8ca70df6c6a0815ec03b4668588d2243 |
C:\Users\Admin\AppData\Local\Temp\zelprae6.0.vb
| MD5 | 5cc2df1b0de07a19c23de684597c5f07 |
| SHA1 | c868685bd6e87187e4a7d096a854de06e26c9ab1 |
| SHA256 | ec443d6c9ce9bfd961362da89d118060a10d309a3dd21b944805affe3fbe10cd |
| SHA512 | 3d541d6c7b9f470b34a61b6245277ce96d80f3cecaae7bab57980677ac7675abb9658f410bd6a1994f6cdbfa827b0209c83a11d1397298ba7238f002fe3c9828 |
C:\Users\Admin\AppData\Local\Temp\vbcAA168AACAF542758D6EEB1CE7E33D4C.TMP
| MD5 | a95dc928661731a2886629b581abb171 |
| SHA1 | e681c1074892cbf7a07f9234a129a1afb6e26efa |
| SHA256 | 74ff7a7faf9652ac7ec7d5593154064a2ea692e9e2c8793f9f0cc8e7e73f31f6 |
| SHA512 | dc1cfa1b7a745f0190f7b6ad45ca72f21c6582a34429663f02459dadae476ecce720b1bf3fc62a3b1410b77a1de34ddcafb520f507fffa94b81864f599feb004 |
C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp
| MD5 | ef123ba63e30670b2c49a30ec1ecb048 |
| SHA1 | 69ce2d1a378f087d2d99830143d73f327876e9b8 |
| SHA256 | e52cd395c8041218ff6ec03bd797ecc6d59a39dade80af3a1c645c9a4dbc2dc5 |
| SHA512 | 4d6d95c422869b3816b259f4b0509c1da176765abc30c32e402b6e6d5e2326c24c61bd77c46638e8fd40688e38881162b89681b9b0721eee97881c2f2eee6518 |
C:\Users\Admin\AppData\Local\Temp\g26toir4.cmdline
| MD5 | c241be41fa44155a1ec8add6956a73e2 |
| SHA1 | f6f33e10dd7c299fd5267b732378778fa3965e45 |
| SHA256 | 81ef493d821fa18dcea7ea10d3310b6ec32a3d9a35f7906a5d9e826bd4e2b9d5 |
| SHA512 | 7e1ea70896b90fb1e608a0b13508eed84083867296cbe7a7de2440d67126398904ee8d72e22be4f7346e2706e4a59a6bc49e9258d50629d2bc8ddb128187e738 |
C:\Users\Admin\AppData\Local\Temp\g26toir4.0.vb
| MD5 | a03f23d29973b0c1ad52e9c77c713e98 |
| SHA1 | 0c425f07f98a55674c1efad5ac33e0af65255f35 |
| SHA256 | ee182384e0363b2f14b3d7530c943d350f9923fb3f7381fc29b90ec513f9498d |
| SHA512 | 36673b6c81f8f3fac8fa46ab418df69304a2caed5cf4bc860fe36cb19a00ade06562121b6aadff9395681da497a82a433b9a821041e81b152fa0f3e0facae491 |
C:\Users\Admin\AppData\Local\Temp\vbc5421A20A7DF54F85883772E309E22.TMP
| MD5 | ad7e0c7168ed15f96d343a38454d080a |
| SHA1 | 8fac85701ad6b2bbe60ccc5ea0a839d911d26f14 |
| SHA256 | 6232a3d19aefb51a81502ada1177f6a6c4f26a909ad5aab3d86de51985f01cca |
| SHA512 | 4284ddf89e11affef3a8f00792a8b71a13f1684113e61cac7c309ba7e86c655d3fe45ff10d42abf0ad002876fef5617f00dd8f6a012b38b9df8c7d1d55ab7fd9 |
C:\Users\Admin\AppData\Local\Temp\RESCF46.tmp
| MD5 | f79b6f578b2959be03ab683203d56ae4 |
| SHA1 | 4179add616d75b35ac5435d791a726ad6a4612cc |
| SHA256 | 2ccf3be7c29cf8c7c6e7ad62596bd1911c764aaeb9e126b7c59d539a90531c46 |
| SHA512 | 9cc28ae82f272878f54efe7e0d245d6f2700c7d6ac86713265828b7ed6336b0c1f24c5494f47a038be3c48ee771ad07b32a57ac206c0a6f051dd9d4f90b470ba |
C:\Users\Admin\AppData\Local\Temp\ktulmwhe.cmdline
| MD5 | 0b10df4e43a199886b7a5dff8972fdc2 |
| SHA1 | 89bb32a7cc896482463ca8267b87712275fd6755 |
| SHA256 | 7efff7b6a4b80d8567d13fd178c60f59c9d4d4ab30ba3b1ec3cca530da6adc93 |
| SHA512 | b7b4411293566cbef3c2c91d56b5467a09e11edafce4113c9bb8eab8bd4852c0962ef8d6ebcd4c3b57ff136ec4f7a8c9b673dfb89854b42fae17a644874976fa |
C:\Users\Admin\AppData\Local\Temp\ktulmwhe.0.vb
| MD5 | 7e552aa475227fe451bbf11a52d9b811 |
| SHA1 | 933058d53d848d3daf1246ab7185beb9e101c302 |
| SHA256 | d23f1a481fd7538ff94e15558af73221d61e6bbc2eec208740c90bcb5fa0eb8e |
| SHA512 | dde6f810ada06beb517e583720afa3edad4ccc740e1ff6a4ac21403e1227487d6a8c4ed2b15dc2bc6eaa5b84a47b03ac6b20b356b0260d55a4ee64fe53aa6026 |
C:\Users\Admin\AppData\Local\Temp\vbcF00E7DCCFC5641D599B2183C44C84CED.TMP
| MD5 | 548c704c2c8add1705f3e9e277982a99 |
| SHA1 | 2729f1c3ecb360275a1803097a1799fc0fe71b1d |
| SHA256 | a8c38a9119b97c59c2cde0cb10c171e32b69ea4cc5e27dc366d933a3d00ceca4 |
| SHA512 | 53cbdb43af99693b8d2fe78441b2fa3f8b6620f3fb569efef81bac2d92e7037427f8ff871606a7cc1bbec85ffa137bd8bdf2081d64cbc793302feb0f9418158a |
C:\Users\Admin\AppData\Local\Temp\RESCFB4.tmp
| MD5 | fc8fae02841567164eedfbf6b9088a70 |
| SHA1 | 82778b0cffab42e4c20285d1b3653556ffa606ca |
| SHA256 | 3fe02bcf3340b81caa0e0568d4a1f7783ac992c6aeb569df8f029ee856c25dfa |
| SHA512 | 2f549159a35f2660b4272bcd610eb26ad3e71dd39da307affaf6cfa1c10d5150c4aa52b43beb034c22c7c23b5f476d0fdf12bf93c13f246d2ccf7dc68b659d20 |
C:\Users\Admin\AppData\Local\Temp\s3c-hbwg.cmdline
| MD5 | bd534c796d2526862b7f0a98880b7191 |
| SHA1 | b18c824435af825387696e4646812c05f3996fd8 |
| SHA256 | 4ba1b8c0716689c07836b47185fdace42415aa2c516cfb5449c6761340ed4a47 |
| SHA512 | d6291ca9e86159e4caf45e8eca2dfbc54b70aa6d70929c535e0431f68eb385435d060015bdb5adcf31791c9f0ac10639368d22838fe2ecd81eb5cad89095b9b3 |
C:\Users\Admin\AppData\Local\Temp\s3c-hbwg.0.vb
| MD5 | 102f791566f6024af32b6e4eb24614d5 |
| SHA1 | 03b4cce2ab9c69efd37795f7a0265f898bef605f |
| SHA256 | a3b30928d3848dc1c5ed6fba7dadc767ce3e6ba026460f76171a239defe92b76 |
| SHA512 | 09c693c5c60d29834ec7bfa0012eee38afdc4ff0f3db41f54bac380e019db13e607c14503d3abec3abb5f73d82737137b05ff0ec316f082fc395b308406d62a7 |
C:\Users\Admin\AppData\Local\Temp\vbc69E53D2A34854D7DA7B5F3C1BE33FE79.TMP
| MD5 | 29c5a9e999a66e2a2c21bf393981b4d7 |
| SHA1 | f34fe08de19e1032819879e91988b1126eae207e |
| SHA256 | 17f40a3896dc18d0f928a701152bbd5086963dbbef39b35704730365fea5f4ee |
| SHA512 | 1a6ff42cd0e832509b6b1972947df8709009bbb952cc8d347aa2cca17b3ff74564c4e610626eceefebf8bac878663a9b97b428f22738f0c39b3b95ec7059da47 |
C:\Users\Admin\AppData\Local\Temp\RESD002.tmp
| MD5 | 2f831dca9bf79695c0a498c5338dc3b1 |
| SHA1 | af86378b045cdda1b39a8d90505b85446240e76e |
| SHA256 | 9ca4f3a4b85cab7f2b418b22e43fabb91d35c56cb57c15464aecd376fa929104 |
| SHA512 | a47da80ae8a2dadfe73cfbfe1c8a854f819e47a5613e5bdc084ebaf876ddb2ec1e6f6326176d5ecb8e19db6b678426974ee94fb3a6871cb85b643f33e406990c |
C:\Users\Admin\AppData\Local\Temp\iru5k0nq.cmdline
| MD5 | 6972fe3153ed6f5af8c4c4a5c06d8f79 |
| SHA1 | 0a35a2830ae9c2f7c3be4ec0446e8de2882297b4 |
| SHA256 | 70650ccb78eb84975711369847654e7694e443947c3f975bc3f80339559f4039 |
| SHA512 | 2433892b9aa3b276f9b1a04b4301411d4b9f3fa34139b8197985c9cae0a18a806a29a3214e353dc12a2db7f5bde54ec5fa01c322d56d1878cc180f17bba1689e |
C:\Users\Admin\AppData\Local\Temp\iru5k0nq.0.vb
| MD5 | 8c5c94ce9523fc00aa8f77ba9970c844 |
| SHA1 | fdca7988fb823d599eb00de2be871f7a3f557ba6 |
| SHA256 | 22ca27df429206fffa3e79ebe49f4af70ffc6400b7957b07f26c0c2f37e28e69 |
| SHA512 | e4cd952f68a29a9b3705f413a6c272c871bfc5b6e24c3c96ce1d309975f83aa51885111182fa623d6780715825989d1111e4b7dce777b8dabc94e764f2e1eb7f |
C:\Users\Admin\AppData\Local\Temp\vbcEF0A03D22BDF4DB580813EA2A55D41C7.TMP
| MD5 | 6a6db771159557442920c503a43904b6 |
| SHA1 | 8df46af5cf7d84e8f7817aba14b704a08ee16697 |
| SHA256 | 19acca242ec156ef6483efae24486c3bc547a7d6add870e825ea30e6e7b140ca |
| SHA512 | 748a5e972b1c45246313dc2d9c7aa31f4434dee74946e41a6a1e90dccef7f38eb26d6e185cb772480e7bc24b4d896132966c602931e0d9dc7b4ad5a4b8628ec6 |
memory/4724-241-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
memory/4724-295-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
C:\Users\Admin\AppData\Roaming\indexworm.exe
| MD5 | 72292b69bc9a8b6191cd4f83db9b8598 |
| SHA1 | 944c73806a03a3eeaabab1ece053710ee613e1f9 |
| SHA256 | 5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897 |
| SHA512 | ee1365626a806687cda20a8654e151fe92b4a78512ea97941aa9875ad8775c47ee6631c828739d6c72be7bf5fe547332084488ef964feeb45dec6507f5e67ccf |
memory/4724-303-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbc58129BFEE4B549A4BE356716AF1C2792.TMP
| MD5 | 3906bddee0286f09007add3cffcaa5d5 |
| SHA1 | 0e7ec4da19db060ab3c90b19070d39699561aae2 |
| SHA256 | 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00 |
| SHA512 | 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0 |
C:\Users\Admin\AppData\Local\Temp\vbc8B38C610BC6847759A25B82EE8849D7.TMP
| MD5 | 85c61c03055878407f9433e0cc278eb7 |
| SHA1 | 15a60f1519aefb81cb63c5993400dd7d31b1202f |
| SHA256 | f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b |
| SHA512 | 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756 |
C:\Users\Admin\AppData\Local\Temp\vbcB34EACBFFF1D434AA7282A14DD515A2C.TMP
| MD5 | dac60af34e6b37e2ce48ac2551aee4e7 |
| SHA1 | 968c21d77c1f80b3e962d928c35893dbc8f12c09 |
| SHA256 | 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6 |
| SHA512 | 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084 |