revengerat | b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951

Analysis

max time kernel
171s
max time network
191s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe
Size

66KB
MD5

a9a46a523993add1117a618d0d5d395b
SHA1

5bb538557bbbe2ccc3f2dabbffe4cd25088cde6b
SHA256

b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951
SHA512

10b2b1d3e48c4fe089e9fd664ad49afe38ea11081bebf669854b2087a79de0147da8faaf420f26818c31a2a843d603cefe59c886706bbed5a8d0ecfc5de6b7ce

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 12 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/580-63-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/580-62-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/580-61-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/580-60-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/580-64-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
\Windows\SysWOW64\System64.exe	revengerat
C:\Windows\SysWOW64\System64.exe	revengerat
C:\Windows\SysWOW64\System64.exe	revengerat
behavioral1/memory/1348-86-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
\Windows\SysWOW64\System64.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updating.exe	revengerat
C:\Windows\SysWOW64\System64.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

System64.exeSystem64.exe

pid process

1228 System64.exe
1372 System64.exe

pid	process
1228	System64.exe
1372	System64.exe

Drops startup file 7 IoCs

Processes:

RegSvcs.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updating.js	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updating.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updating.URL	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updating.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updating.exe	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updating.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updating.vbs	RegSvcs.exe

Loads dropped DLL 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

pid process

580 RegSvcs.exe
1348 RegSvcs.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
580	RegSvcs.exe
1348	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\SysWOW64\\System64.exe"	RegSvcs.exe

Drops file in System32 directory 3 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\System64.exe	RegSvcs.exe
File opened for modification	C:\Windows\SysWOW64\System64.exe	RegSvcs.exe
File created	C:\Windows\SysWOW64\System64.exe	RegSvcs.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exeRegSvcs.exeSystem64.exeRegSvcs.exeSystem64.exeRegSvcs.exe

description	pid	process	target process
PID 812 set thread context of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 580 set thread context of 584	580	RegSvcs.exe	RegSvcs.exe
PID 1228 set thread context of 1348	1228	System64.exe	RegSvcs.exe
PID 1348 set thread context of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1372 set thread context of 1932	1372	System64.exe	RegSvcs.exe
PID 1932 set thread context of 584	1932	RegSvcs.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1616 schtasks.exe

pid	process
1616	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exeRegSvcs.exeSystem64.exeRegSvcs.exeSystem64.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe
Token: SeDebugPrivilege	580	RegSvcs.exe
Token: SeDebugPrivilege	1228	System64.exe
Token: SeDebugPrivilege	1348	RegSvcs.exe
Token: SeDebugPrivilege	1372	System64.exe
Token: SeDebugPrivilege	1932	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exeRegSvcs.exeSystem64.exeRegSvcs.exevbc.exe

description	pid	process	target process
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 812 wrote to memory of 580	812	b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 584	580	RegSvcs.exe	RegSvcs.exe
PID 580 wrote to memory of 1228	580	RegSvcs.exe	System64.exe
PID 580 wrote to memory of 1228	580	RegSvcs.exe	System64.exe
PID 580 wrote to memory of 1228	580	RegSvcs.exe	System64.exe
PID 580 wrote to memory of 1228	580	RegSvcs.exe	System64.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1228 wrote to memory of 1348	1228	System64.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1792	1348	RegSvcs.exe	RegSvcs.exe
PID 1348 wrote to memory of 1780	1348	RegSvcs.exe	vbc.exe
PID 1348 wrote to memory of 1780	1348	RegSvcs.exe	vbc.exe
PID 1348 wrote to memory of 1780	1348	RegSvcs.exe	vbc.exe
PID 1348 wrote to memory of 1780	1348	RegSvcs.exe	vbc.exe
PID 1780 wrote to memory of 848	1780	vbc.exe	cvtres.exe
PID 1780 wrote to memory of 848	1780	vbc.exe	cvtres.exe
PID 1780 wrote to memory of 848	1780	vbc.exe	cvtres.exe
PID 1780 wrote to memory of 848	1780	vbc.exe	cvtres.exe
PID 1348 wrote to memory of 1616	1348	RegSvcs.exe	schtasks.exe
PID 1348 wrote to memory of 1616	1348	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe
"C:\Users\Admin\AppData\Local\Temp\b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:584

C:\Windows\SysWOW64\System64.exe
"C:\Windows\system32\System64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\weosxoml\weosxoml.cmdline"
5⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc350880A3E2964214979ABAD025B5BDAA.TMP"
6⤵
PID:848

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "sys32" /tr "C:\Windows\SysWOW64\System64.exe"
5⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thpmhncp\thpmhncp.cmdline"
5⤵
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A1E660A77114E579FEEADA2DD99C587.TMP"
6⤵
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4vovrupx\4vovrupx.cmdline"
5⤵
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE051.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc569F2669AAAC436CBD319B9DF6EA96.TMP"
6⤵
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1f3ogana\1f3ogana.cmdline"
5⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10CF9C6A2F0045F89FC895BD604E3385.TMP"
6⤵
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0ttdl25o\0ttdl25o.cmdline"
5⤵
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CE9589C8B1745D98A1AE3EAF7E9292B.TMP"
6⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ssxybwvl\ssxybwvl.cmdline"
5⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF612.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1B75A35DEEE44258AB0F12B9E2F6CF.TMP"
6⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tp5orxmk\tp5orxmk.cmdline"
5⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91FA97A3927844CFBACCC7A697DF73E.TMP"
6⤵
PID:972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y1ktwbkm\y1ktwbkm.cmdline"
5⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5580281B5294473BF8EDE1E50ADA6CD.TMP"
6⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xliiclze\xliiclze.cmdline"
5⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9C77D8830D4403B9DA3343C025FD5.TMP"
6⤵
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e3lpj0mr\e3lpj0mr.cmdline"
5⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C685D788C48438E9AC26343BF11677B.TMP"
6⤵
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmoti3x1\zmoti3x1.cmdline"
5⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDB0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8DE8334691B4294B340C81BB079E5DB.TMP"
6⤵
PID:672

C:\Windows\system32\taskeng.exe
taskeng.exe {CE7CA38D-5E55-4B85-BD7D-3E7FB2B2D6A6} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
PID:272

C:\Windows\SysWOW64\System64.exe
C:\Windows\SysWOW64\System64.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ttdl25o\0ttdl25o.0.vb

MD5
bd2cc3dca4fe8d414d43845aca480420

SHA1
effd8ef79359f9b49926097f1dc441c2128c7d33

SHA256
6510cb2cdcd73846acbbd706a6d171904d1a3da4bf35de6726a2d005ce793aeb

SHA512
366758250302b6ac6f460e6d78b3ab4b146618558e3c45b6628b425bf1851eaf0d89ff92358b94fe716161ae551b451a35bab8ac91c2317e47366056efeb3bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ttdl25o\0ttdl25o.cmdline

MD5
531e596282213e8e2dca2e3d07eefc60

SHA1
371b745b34a81be06cfcbc90ecc58cf7408d4095

SHA256
1e83cfeb37addb2d8a548f4450cd18469608cf8edc4b2d895dbba42869949b39

SHA512
5ad9f0bca5f8b3d1d5cd2973bd5ad998725317dec92d820a97beda91851900c1fa074f6bc532ab05abe601c60385bad1e58b56ef7a28ce0e77447ccc76b6d73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3ogana\1f3ogana.0.vb

MD5
8879c003c2ac2b2d554321f3a3c4e8bf

SHA1
b544bf2acc77ff161be8e6ef8a40873b04ae7750

SHA256
c2caacb6fde0c5f243c6353765fd8906f9cf931f3d9280a6f5813a669e2ff21c

SHA512
c0831849402fd40a8b929e7d65b65d5b1ed2acfc95f28d83e84fd93d1670a8eee92bc7244a857e880cac53b38a076be18b57490a73e6b41f0832dd9754c01e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3ogana\1f3ogana.cmdline

MD5
71c434368ddf95b73a4f77654253b5a4

SHA1
82ad0fade20c68fca0e60fb514915dbb85082747

SHA256
334c395ce872b9b0871c2a0d57db0a412e795459a7daebafbea387eb8cd1a9ea

SHA512
1be91c362e896fa14c1fa53c4465cf7c86774a6b0c3ad7f3fb9bad2fb4e625158abee7f5102d41afbf808548db0ae6c4007f382107462d6f6008c7a20e5f0457

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vovrupx\4vovrupx.0.vb

MD5
6b214daa3a527b4ce284fa228b58130d

SHA1
e5e3bcf7b48e37c806be346988578e089ef7489f

SHA256
fb91fc915a3dba70b734cfcf7848e24d048e77854930d5bbe03250426427782e

SHA512
70e0dc1b23d0be3bdaebff8a5a508808fca2c2ab128c16d93b2feba4f7d7b661e6e5d60c71d1f81ee1743ca6617a617efcc9cdfdbae7ab3861db6b08653de277

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vovrupx\4vovrupx.cmdline

MD5
3e304fac1c239b9a43fa0bab49f0eeac

SHA1
e8bd57ef4ec424eb2facbfd2a855395e79c36fa8

SHA256
e9b2fae5547a0a2cdbc3fa754af5313627578f2c721d753fab30faa3ea3a24bf

SHA512
fb15cd761e6b2b45eacaa227498de137741a09eb4d10911854e6133bad4a8d16d75633560f52d37736cf651f259d3a285d258001ad1c6681ac57651d8d7aa7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC1E.tmp

MD5
5ea3f1f6f92a8d632c969f7f4d9081dc

SHA1
7a07b09211d85e934b4ff86740df6ec2a7edd41d

SHA256
c33980c615c4b7094ef463c4bdd1c7d43fe9d6ba8cc422bc30daf6f91552f9e3

SHA512
af2b72290f634d4e97b8ecd7125c96c6c8cefa9065d4847ed74332cebc81ed4ebdb78fbac58d877b3d1e08d3c1e2fbf84f49515b40270ee3cbf4ade88950a577

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBF6.tmp

MD5
1154ff27d7c2997e6cc36ef84367e9eb

SHA1
f1baf2d30c81203a4ab423dc255f61ad05127754

SHA256
c972adb9565749739daae96770335ca04788d3e6d452c5fd682b9c052fa5c64e

SHA512
80bbcc637d72dd4e851cf71e0880c8bc27558f170ca1c448d975ee489307ac71cb43a85fc1043a08fcb733a50a30944f6ef446c622bbaaad74bcee59b40e6fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE051.tmp

MD5
dc03cfccfee130d0c107d53992f090ec

SHA1
d55692bcb26c9324403233239c9fac4a3b0d68f0

SHA256
a9e2c993d1b1739b33f20129e5f3c59619181110148e0256c5f27b808857afa2

SHA512
e30ae22e923e06f8c3a4d4947b2331504fc7b1b9faaf824f84cf8f8bf30e0f9b50ffe348f27097931887f4558e401e4e74c37b8894c2c98f5c94017e83d4bbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA5F.tmp

MD5
06e7dbea934a7222282e803ba0930338

SHA1
d572115dadd9d44f791a5686f3db0e680b24770c

SHA256
b8140dd5159371eeea67f4fb81a231cb7936238296b8e73e3a2367574da19916

SHA512
db6f1b7d67733fca627fe48944b32b27b4f3ab2fdcfb5731451595ba35f6fbe15e4f601986a0366d0209ea19637b5e32a8b0ad485702444360efcb05a57f3bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF4CA.tmp

MD5
4f6f535322979103514cda5676d0580f

SHA1
6d3eca58ec1db4f866a4de7afa48467a73e5b66e

SHA256
b79bb22dd16455542b9a5880721218cc75284ea16c8eb34bd4c7cd9ddd59bc57

SHA512
04482233add04e220330b76da22fec12f8557a5d3e90d2ffbb8761c982a4fe9f17e1fd4ac19595b2ac353a669820a91890ae0789b5dc931713f6fe50a4521466

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF612.tmp

MD5
56c77c59f95b8030bc569b1102dc6548

SHA1
8390800f3be2ed43126f3c13cf349bd80adbbcb2

SHA256
9d3d078e011504c308029958a6c6f38959b8e7d0ba68809f65c1aad33d91ef80

SHA512
6c44faa83d9951a5310c87c2ca8975e17d7ecfc09d006be58cb76ad4f294f42f4a04ea4550088f67c70be2a2772385da2f93c1b35dbc0f03849f3f58593361bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA56.tmp

MD5
bc0fdb6f15a2a944359d795578304315

SHA1
449b767059e4dd3a82c215374406f4be9cf8c9cc

SHA256
1b4217e53392e3309ce18616e9f53cca1282b4017947bd7447d086a2b7fa7f5a

SHA512
a6272c6dd731440727235235796ae8f7e8791a6b9ec1bbd6b1e84e58b815210a32bca28080f307c02765a46ee2cfea3c98ad2bd849b91271ad261e14e19bacc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB8E.tmp

MD5
db7388b86f53996c33aec8cc9a5a6090

SHA1
1395cf76e5f43fc0cc583fc1a42441ac4a6a0ed1

SHA256
2ca1d734b0a94445357edeaf75557cddde039961653bb05f3712f123da2b15ca

SHA512
96593144e6ac7a1909417b4bf75f472ab16ffeb5969699f14eb0d578b0e932fd8a82eb30e4d1822d8969ea76ef6c2da1d174a9311427525302aad77bb7be55b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC3A.tmp

MD5
b603328af3ef7ae46ca6e12b6bb4774b

SHA1
682ee8490b7ca3608c70375da222a744371449af

SHA256
40ea11624c978b17d8b683c691e08912659fd0832c37bd1d7e5c6cdcf1b3bade

SHA512
b85cea15e6f79750098ac5713a386ab0f7de236d5419518431fa37a6e3d830af8717aeec12093fa0c243b3443d40b69555704b2cd7485fd82a3cf1d15e407a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFCF5.tmp

MD5
3d67cbba6fcacbc4a45943f1e08201b0

SHA1
a0700b8053001bb45213df8530d427778d9e997e

SHA256
b6ea629a1c18fdb80c57d7d6f0ac78ccb02e23e2a936247e2b86740bffcce2e4

SHA512
43b279276bc67f49dfaf1afb65f97bcbc97ad113db7a47b6bcb7d550b7c98bd931984df770df142f349f9d1fb06d62375d750e8e943a31054130eed3cc06ea6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFDB0.tmp

MD5
dd4dec5b3330464be27ef6ae4a629de2

SHA1
f94263b65953d0b49737aaa2acd0ba6ff87226be

SHA256
9a748879cd8ba74d815cb8640d7a526e73bea6837a063272df4b6b55ac859fd6

SHA512
8d769284f24841d9fe71879ebbefb01bcb908d4aa7c14b81d263a349e393ebc0e1eaa683eae4b6b10eb5b8161cb9f14d3e870e58cf1c9eb07d0799af83641277

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCGPPiCCa.txt

MD5
44dff858086676688d0bbc59f2016031

SHA1
77fd5441227cd8e1d79feeaeee22a584f91c2b3d

SHA256
514bd1b4013f3e8d2c45681079b773a007b220907c3f879dbf62e7bc259949c2

SHA512
beea1bd2e4504e21b9027d81e087fbf8ab357baab4e02ba0e1f3cda3cb003a2f015c6cf87f0c1c7f9dfc976e45d3def5a51a26e3ec9f00a99dda57d4d2651b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCGPPiCCa.txt

MD5
294613bf2f7101bd3029d811f0ab4c79

SHA1
eca737371264f8d59321458b056982af3115870f

SHA256
5f6ca4023bf699649cb1765c6096b2bbc8ccaca6428e5543b68625009f4b038e

SHA512
9032e8d9480e6a4a07c7b23974fe098f2c057e0836af090b819506cdaec31849ec8591a6cca0c19210e8cf8065d9834d254fbd71c12c775d3f55ce7f571b4554

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCGPPiCCa.txt

MD5
44dff858086676688d0bbc59f2016031

SHA1
77fd5441227cd8e1d79feeaeee22a584f91c2b3d

SHA256
514bd1b4013f3e8d2c45681079b773a007b220907c3f879dbf62e7bc259949c2

SHA512
beea1bd2e4504e21b9027d81e087fbf8ab357baab4e02ba0e1f3cda3cb003a2f015c6cf87f0c1c7f9dfc976e45d3def5a51a26e3ec9f00a99dda57d4d2651b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3lpj0mr\e3lpj0mr.0.vb

MD5
6c9bf672167241ea28e24037a3960695

SHA1
75e9c85a8ac074bc21df74ca6160319b58b16a3f

SHA256
6d8f0c34ca91f216c0b02ffd6742dd354e8de02a4281ed93d9f065fb0dfaf214

SHA512
76684fb48b84591597ec211508561b6f0ecf4d15f3b8a2692b39702c5d0f105d434d2f117b207268537a1c37019a737ced3b813f76ba214865dbe3766e317c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3lpj0mr\e3lpj0mr.cmdline

MD5
bbdac695fcf8b7bc5eadc60193eb5718

SHA1
ac177870d1b0dfa7a03300dbc6dcde038e19c814

SHA256
a5ff813872c98ec4b774b6d5f594e448f0bef7354c4319ded757c746bf0439ce

SHA512
09505afe7f37755573bb468cca610c5411bbf6ea5fff7c018df48b7acc5aa50ebdfd20fc05021ad11874a0d7f0f6b14e7fc0976fd654acea92a83ba1a0246e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssxybwvl\ssxybwvl.0.vb

MD5
6dfc9bbd0778c39098d5fbdad2bbf0d1

SHA1
833ddb1832438176418e0b61db3cb120783f43c1

SHA256
53e5fa024b0c04af1b7d2b05c267f6bebebfe94e2238c2f7f0e66150be1dacf0

SHA512
7557ec023216d674d58c76d57b8c4916aefdc7b22aa967d806d71640f3747a46d594ee973a111dbaa409295d20e47a90ea4ce0e38c5bd9a7dac60f07f789385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssxybwvl\ssxybwvl.cmdline

MD5
d10035e4c51d882dba19946ae9d32a97

SHA1
e4c511ed9116d3c418b8674fcae1d63244d08f6e

SHA256
c55bff8667546ec7df25af15e9cb2cf7e3caec65682f0b5800a281579239e004

SHA512
0074bb580819e43d3227ecaf2ad3093fdd75bbab16c84dab65197c511dafaa164466bbf1ec9fe0936b29b8937f6ebb43962733edfed0f341d448756f7da03d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\thpmhncp\thpmhncp.0.vb

MD5
50efa1e694d70e81cb473ee15b715d95

SHA1
377e553abf635c07346c8b4f7d31cb34ab9affdd

SHA256
c43e88c4523354de2f7bc3a0fb7c4504ae90689b5652e1e06aa0ede264945be0

SHA512
9a18201f26ec868201eb6117b04fe032dd45a1c6aa21e9f486eaa7c5135d0edb90aa0d6928f388acd8baeccb39cb36e21bc825d35d711fac5e277c30c1856126

Download Submit
C:\Users\Admin\AppData\Local\Temp\thpmhncp\thpmhncp.cmdline

MD5
6a45e21a5df6e7f5d3741a5bf0264e60

SHA1
4487951d475c505bfb2ab8636051d75bb2de795f

SHA256
d7cbfc909ff0594e5638192f7c3f829db8126d7ce9865f466c2d69c7eb7f5116

SHA512
91aa4cd74b4d56409c9206b828f739528f925ed6f7d1aaf62b4e0b5518d98225d0f1eddd0f5246f6b171d3308f8ac2e327553d998884c9177b2c04ec892ad853

Download Submit
C:\Users\Admin\AppData\Local\Temp\tp5orxmk\tp5orxmk.0.vb

MD5
f87a4e0eb8183c4f20b9e6a5e70b04a3

SHA1
535b93ba07a226ff75d9c7b6e84d455848638d47

SHA256
a5ee5c30cf701cfcd6d882ac34f942f57d6bb80a6601e64aa0abdff3262146ba

SHA512
c76074ae135ebad0b29ba5991da78dc63773b6f901eccb25885991426cea2114f23d138f210f9b362e1bf8da8d0cf0f4da4e9261ca666ed9222e03cb8d544b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tp5orxmk\tp5orxmk.cmdline

MD5
56e38a768b39d4e339941e4859907c9b

SHA1
caaf2ce3facd43e435fc434fcabbeb22533f5687

SHA256
4c6a8e333ea49c607fd8f94df3b9978f2244aad553771d4b98b360aff1cacb38

SHA512
6b477069c23d1dd5653cd1450051107199a6f997cd00c2f0ed4476b8cbeada93cebdb8f558674e38c32b8794054622e8ea7f7c6cffceb0224195bec6278b1cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc10CF9C6A2F0045F89FC895BD604E3385.TMP

MD5
4ffaef2181115a3647790b920aa31b31

SHA1
7f15eee57c8482252db8286ab782978747471899

SHA256
d52cc5df93cac8616b0ecebdf21c6e11bf14e0308f97d6406f4e1c76d0738843

SHA512
501991abd0d0f5780084b9584292183d55bf2c5587de4a7182e1f0979a68f051ef2e1a94753d9da0add2f4f04107320d664952f018c516f3354fdda4e11ec436

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2CE9589C8B1745D98A1AE3EAF7E9292B.TMP

MD5
c3e495da66a1b628c1f3d67d511f5f30

SHA1
d487b081326a052a7b7057b1f039bbe262280479

SHA256
81cbcb4840551143dbb1f8215d7c54f87f0397173b35d6a101564a784827dffd

SHA512
c596c316e8519a33e4360f87c40a812f904145a12c1d4c3c59f95b08a353eda781e40da8e95b0e971c24faa7d15b19170a67027cf8732246a6978cc6571b29ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc350880A3E2964214979ABAD025B5BDAA.TMP

MD5
bc0e6cf653352f52e981fee45011533e

SHA1
f20b8f1f650e184c91624e22777ad0b65541afc2

SHA256
593d13d2af4017cb1a57c525a8bf05c60b19aaf42df01ee391150a332c38a205

SHA512
9574deec5f852369b181805677ac7d77ddcc5eb2a00183d5314ac8ec0d0f3d9496a70cd9f68922714316789cc625267e1988946302c2046a7699793b2ffb42b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C685D788C48438E9AC26343BF11677B.TMP

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5580281B5294473BF8EDE1E50ADA6CD.TMP

MD5
5be03705622d8432c727b2f54d2f8714

SHA1
d5fc067a15681b7defb145c6526331a359e6f84b

SHA256
763889d47a575bea1067919ee6b7da90e470394d08f92f0a12cdb7a95c5f8d6f

SHA512
1aa7ddd4493dcbe9c635594d75c30ed3a4ad68c26f0e437ae32b1098a3d1992b5467777308f6d84ece5be4368136da12202c928d14d785691c9201223adafe77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc569F2669AAAC436CBD319B9DF6EA96.TMP

MD5
6592f9186211221a0a3afcf34a2dfa00

SHA1
bf3748b4ab03bdc65c242ad924653666cda3c5d9

SHA256
eac2c432a96e0d19ef3a1950bc067babe642d11af2a3c2a14bc3050e508c1b3f

SHA512
f7b072428258b7cf5d674c9df15bcb28df9369fde271e79bb2752e0266cabbc3b4bce8aa36e56f3ae99ebc2e658ca7d764628c82668adafc3d0889bd6d71dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6A1E660A77114E579FEEADA2DD99C587.TMP

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc91FA97A3927844CFBACCC7A697DF73E.TMP

MD5
cee1aae40ed483284d3131b9a76eae59

SHA1
616bc1c7ea383b4f78305c4111a9816095f45b12

SHA256
bc10f0b64e7c4e54e0d840d904c395326907aa9e30b243959e00aea0a51b8d35

SHA512
57976c6b66ca77489f168915be4b0b7c3b53747f6a62e60984db5d0aa2ff8428a0c8a78b515191e2c257afd11a4fb17c4bd6f05a49bd429120e588ac040addee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA8DE8334691B4294B340C81BB079E5DB.TMP

MD5
d7d9f8d1ac18d21666caab1c2340838a

SHA1
a33791468a096f2ecd0b9d46a3550879ddb20b6b

SHA256
5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce

SHA512
2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD1B75A35DEEE44258AB0F12B9E2F6CF.TMP

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE9C77D8830D4403B9DA3343C025FD5.TMP

MD5
32060b25f1b853322f55b00e646349eb

SHA1
3f48939a11387738bbdaaecf03302bf210653b11

SHA256
49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c

SHA512
db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\weosxoml\weosxoml.0.vb

MD5
af59edfa9af503346207e9be9e61c58e

SHA1
4a015fda9fd8158851eca81817e76390d2f78a1f

SHA256
e30b66b864d952cd744b56ee0fc596941359468115df69ee3f20bd8b72a9d338

SHA512
5e79b99ca6a7bbe5d567eeda6c9b299bc2a5ed556f117a5d8b97b3d611edefbd2b47d0431fcdfbe0e7a0bcb1c4879329e6051b989e6608c11a4eb9028614feb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\weosxoml\weosxoml.cmdline

MD5
f90e9a7d22d8c941288cb2744c6ec42c

SHA1
9063ebdf0080708658764c809ffa68511d1579ae

SHA256
252d935608ff1780ea337da5c54e241aba543fb0f03cb2db2dbecff36fb3186b

SHA512
26fbb8f67f19d363682e7d32c0a288664035027686742e05e3205430f664b78372964cb9eeec1852caf53ba68d0e77a63a87c71abb626fb916cdc1df37313f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\xliiclze\xliiclze.0.vb

MD5
565ef03be2a828075dcb3664a58d74cf

SHA1
77c5c7f60f1237cd1dfc86735659d3093d068746

SHA256
c565fb8bb4263bb48a20e42e30ab22123a6cca67bd872cbb25b1ae5570d6de9e

SHA512
25aa7ced171add99987c22f7405caee7fd8d95fa1920becab077343f09cbef3066407cf1c0e06c555b7e4beb7186f13eccf8a220d82097418e48991e091d7b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\xliiclze\xliiclze.cmdline

MD5
f762e283979a346b2ad39815e0ded65e

SHA1
95b51b2b037d223206255692ee2fdd9ddff04721

SHA256
707c5554041f824151aeda6dcbb54585a9c8b17c1bf50254a69efa1acaa387d7

SHA512
6904828ff5b9dd874d718c42ed29edabd9f85d342ee0169fb755247b3b3558ea795e567b396f9be01d5df58e1d43a1b015894cae6b46060b1aab9a362752bec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1ktwbkm\y1ktwbkm.0.vb

MD5
3bba12d3f1b64917f973285144aecf3f

SHA1
b1dd434e15559a668f20ca7ebefa88be1b886ce5

SHA256
e6d5b7a29cb1642f31b3b6f8ed5e1b84780d9c060ec52abb5078a9c2ecfd2225

SHA512
9c70e9623bc6590d4db4559f6f5feb656938b7fe41806b54e32acf28dca10ad59621a994f7855f71881a2be51a49b2d829ffa0cefcae2a4bd0255cdff4f7a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1ktwbkm\y1ktwbkm.cmdline

MD5
3292842d501f243916ac04cf22fbada6

SHA1
05c87bbb7c6110c1e2bd42c89a6801b1f8b04c53

SHA256
7cde27dda401d02beca69d132ce0211472676cf14498e7c65a179a2705cee1e8

SHA512
b18584b07a3e0e7c93715380f080c25c714dd833ac6abef50f92e8468d841f4e06ef6539e8588f0b16c6853259b55ec42374221ac0a45347e5b174a4fda269f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmoti3x1\zmoti3x1.0.vb

MD5
3ad4bcf163179214870320e59eb60c72

SHA1
eaa8c33ade507e3dd7a7359800b4df94cf000bbc

SHA256
9069e5602e5ead5363c05a973eeb355c67649248eca7ac0b07068376b121d624

SHA512
ea4017362ebdbf31fb6855b74215d88337820a12ddd67eda88377d491d82e0ef3e5ac26a3fefb44a5eec4c6342f439cd447bb7581c3df38d9a31de8356a2837f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmoti3x1\zmoti3x1.cmdline

MD5
97f4773189729d4d49a6baa3b8a9f120

SHA1
4caeba33ed4dadacccdb1032caa6d336a14c7517

SHA256
9452a8ef96ff0bd5a2e8067e7b30d31aa8ad3b793d181f8dd81c71d47417b63b

SHA512
cd2a6719fb691fda5ff6ea481ba2b0f2c4c0751231a04323b697fde98b8941869f3ea677a3e401b131e2ca0fdbdab162e7bd055a261dcf62ec4f34fad44829d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updating.exe

MD5
a9a46a523993add1117a618d0d5d395b

SHA1
5bb538557bbbe2ccc3f2dabbffe4cd25088cde6b

SHA256
b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951

SHA512
10b2b1d3e48c4fe089e9fd664ad49afe38ea11081bebf669854b2087a79de0147da8faaf420f26818c31a2a843d603cefe59c886706bbed5a8d0ecfc5de6b7ce

Download Submit
C:\Windows\SysWOW64\System64.exe

MD5
a9a46a523993add1117a618d0d5d395b

SHA1
5bb538557bbbe2ccc3f2dabbffe4cd25088cde6b

SHA256
b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951

SHA512
10b2b1d3e48c4fe089e9fd664ad49afe38ea11081bebf669854b2087a79de0147da8faaf420f26818c31a2a843d603cefe59c886706bbed5a8d0ecfc5de6b7ce

Download Submit
C:\Windows\SysWOW64\System64.exe

MD5
a9a46a523993add1117a618d0d5d395b

SHA1
5bb538557bbbe2ccc3f2dabbffe4cd25088cde6b

SHA256
b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951

SHA512
10b2b1d3e48c4fe089e9fd664ad49afe38ea11081bebf669854b2087a79de0147da8faaf420f26818c31a2a843d603cefe59c886706bbed5a8d0ecfc5de6b7ce

Download Submit
C:\Windows\SysWOW64\System64.exe

MD5
a9a46a523993add1117a618d0d5d395b

SHA1
5bb538557bbbe2ccc3f2dabbffe4cd25088cde6b

SHA256
b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951

SHA512
10b2b1d3e48c4fe089e9fd664ad49afe38ea11081bebf669854b2087a79de0147da8faaf420f26818c31a2a843d603cefe59c886706bbed5a8d0ecfc5de6b7ce

Download Submit
\Windows\SysWOW64\System64.exe

MD5
a9a46a523993add1117a618d0d5d395b

SHA1
5bb538557bbbe2ccc3f2dabbffe4cd25088cde6b

SHA256
b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951

SHA512
10b2b1d3e48c4fe089e9fd664ad49afe38ea11081bebf669854b2087a79de0147da8faaf420f26818c31a2a843d603cefe59c886706bbed5a8d0ecfc5de6b7ce

Download Submit
\Windows\SysWOW64\System64.exe

MD5
a9a46a523993add1117a618d0d5d395b

SHA1
5bb538557bbbe2ccc3f2dabbffe4cd25088cde6b

SHA256
b53e495500f628e4914ce71fcd5dfa5413a62220671e5fdf93377a08f057e951

SHA512
10b2b1d3e48c4fe089e9fd664ad49afe38ea11081bebf669854b2087a79de0147da8faaf420f26818c31a2a843d603cefe59c886706bbed5a8d0ecfc5de6b7ce

Download Submit
memory/580-65-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/580-60-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/580-58-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/580-59-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/580-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/580-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/580-73-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/580-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/580-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/584-72-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/584-67-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/584-75-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/584-74-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/584-70-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/584-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/584-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/584-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/584-158-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/812-57-0x0000000074462000-0x0000000074464000-memory.dmp

Filesize
8KB

Download
memory/812-54-0x0000000074461000-0x0000000074462000-memory.dmp

Filesize
4KB

Download
memory/812-56-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/812-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1348-86-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1348-96-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1348-95-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/1792-94-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/1792-93-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-152-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/1932-159-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download