revengerat | 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b

Analysis

max time kernel
156s
max time network
204s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-05-2022 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8aa6223ca40f85c1ae6fd9024aab6ea.exe
Size

501KB
MD5

c8aa6223ca40f85c1ae6fd9024aab6ea
SHA1

895469c785046dce30badb4de957f5f89657ba0b
SHA256

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b
SHA512

9800a04b8b408940e0c54a752fc87b41edd79d7764cbb16a0357084ee8b1dc3d3a082b424ee3f68632cbb128bde0e867854e2216ec88de48c247d5c248bed530

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 22 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
behavioral1/memory/1544-79-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1544-78-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1544-77-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1544-83-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1544-81-0x0000000000410BAE-mapping.dmp	revengerat
behavioral1/memory/1544-80-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
\Windows\SysWOW64\acsvc.exe	revengerat
C:\Windows\SysWOW64\acsvc.exe	revengerat
C:\Windows\SysWOW64\acsvc.exe	revengerat
behavioral1/memory/1992-118-0x0000000000080000-0x0000000000098000-memory.dmp	revengerat
behavioral1/memory/1992-115-0x0000000000080000-0x0000000000098000-memory.dmp	revengerat
behavioral1/memory/1992-111-0x0000000000410BAE-mapping.dmp	revengerat
\Windows\SysWOW64\acsvc.exe	revengerat
C:\Windows\SysWOW64\acsvc.exe	revengerat
behavioral1/memory/1204-208-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1204-206-0x0000000000410BAE-mapping.dmp	revengerat

Executes dropped EXE 3 IoCs

Processes:

virus.sfx.exevirus.exeacsvc.exe

pid process

1648 virus.sfx.exe
1308 virus.exe
1608 acsvc.exe

pid	process
1648	virus.sfx.exe
1308	virus.exe
1608	acsvc.exe

Drops startup file 4 IoCs

Processes:

MSBuild.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acsvc.vbs	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acsvc.js	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acsvc.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acsvc.URL	MSBuild.exe

Loads dropped DLL 7 IoCs

Processes:

cmd.exevirus.sfx.exeMSBuild.exeMSBuild.exe

pid process

1980 cmd.exe
1648 virus.sfx.exe
1648 virus.sfx.exe
1648 virus.sfx.exe
1648 virus.sfx.exe
1544 MSBuild.exe
1992 MSBuild.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1980	cmd.exe
1648	virus.sfx.exe
1648	virus.sfx.exe
1648	virus.sfx.exe
1648	virus.sfx.exe
1544	MSBuild.exe
1992	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\acsvc = "C:\\Windows\\SysWOW64\\acsvc.exe"	MSBuild.exe

Drops file in System32 directory 4 IoCs

Processes:

MSBuild.exeMSBuild.exe

description	ioc	process
File created	C:\Windows\SysWOW64\acsvc.exe	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\acsvc.exe	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\acsvc.exe	MSBuild.exe
File created	C:\Windows\SysWOW64\acsvc.exe	MSBuild.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

virus.exeMSBuild.exeacsvc.exeMSBuild.exe

description	pid	process	target process
PID 1308 set thread context of 1544	1308	virus.exe	MSBuild.exe
PID 1544 set thread context of 884	1544	MSBuild.exe	MSBuild.exe
PID 1608 set thread context of 1992	1608	acsvc.exe	MSBuild.exe
PID 1992 set thread context of 1724	1992	MSBuild.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSBuild.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

852 schtasks.exe

pid	process
852	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

virus.exeMSBuild.exeacsvc.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1308	virus.exe
Token: SeDebugPrivilege	1544	MSBuild.exe
Token: SeIncBasePriorityPrivilege	1544	MSBuild.exe
Token: SeDebugPrivilege	1608	acsvc.exe
Token: SeDebugPrivilege	1992	MSBuild.exe
Token: SeIncBasePriorityPrivilege	1992	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c8aa6223ca40f85c1ae6fd9024aab6ea.exeWScript.execmd.exevirus.sfx.exevirus.exeMSBuild.exeacsvc.exeMSBuild.exe

description	pid	process	target process
PID 968 wrote to memory of 1708	968	c8aa6223ca40f85c1ae6fd9024aab6ea.exe	WScript.exe
PID 968 wrote to memory of 1708	968	c8aa6223ca40f85c1ae6fd9024aab6ea.exe	WScript.exe
PID 968 wrote to memory of 1708	968	c8aa6223ca40f85c1ae6fd9024aab6ea.exe	WScript.exe
PID 968 wrote to memory of 1708	968	c8aa6223ca40f85c1ae6fd9024aab6ea.exe	WScript.exe
PID 1708 wrote to memory of 1980	1708	WScript.exe	cmd.exe
PID 1708 wrote to memory of 1980	1708	WScript.exe	cmd.exe
PID 1708 wrote to memory of 1980	1708	WScript.exe	cmd.exe
PID 1708 wrote to memory of 1980	1708	WScript.exe	cmd.exe
PID 1980 wrote to memory of 1648	1980	cmd.exe	virus.sfx.exe
PID 1980 wrote to memory of 1648	1980	cmd.exe	virus.sfx.exe
PID 1980 wrote to memory of 1648	1980	cmd.exe	virus.sfx.exe
PID 1980 wrote to memory of 1648	1980	cmd.exe	virus.sfx.exe
PID 1648 wrote to memory of 1308	1648	virus.sfx.exe	virus.exe
PID 1648 wrote to memory of 1308	1648	virus.sfx.exe	virus.exe
PID 1648 wrote to memory of 1308	1648	virus.sfx.exe	virus.exe
PID 1648 wrote to memory of 1308	1648	virus.sfx.exe	virus.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1308 wrote to memory of 1544	1308	virus.exe	MSBuild.exe
PID 1544 wrote to memory of 884	1544	MSBuild.exe	MSBuild.exe
PID 1544 wrote to memory of 884	1544	MSBuild.exe	MSBuild.exe
PID 1544 wrote to memory of 884	1544	MSBuild.exe	MSBuild.exe
PID 1544 wrote to memory of 884	1544	MSBuild.exe	MSBuild.exe
PID 1544 wrote to memory of 884	1544	MSBuild.exe	MSBuild.exe
PID 1544 wrote to memory of 884	1544	MSBuild.exe	MSBuild.exe
PID 1544 wrote to memory of 884	1544	MSBuild.exe	MSBuild.exe
PID 1544 wrote to memory of 884	1544	MSBuild.exe	MSBuild.exe
PID 1544 wrote to memory of 884	1544	MSBuild.exe	MSBuild.exe
PID 1544 wrote to memory of 1608	1544	MSBuild.exe	acsvc.exe
PID 1544 wrote to memory of 1608	1544	MSBuild.exe	acsvc.exe
PID 1544 wrote to memory of 1608	1544	MSBuild.exe	acsvc.exe
PID 1544 wrote to memory of 1608	1544	MSBuild.exe	acsvc.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1608 wrote to memory of 1992	1608	acsvc.exe	MSBuild.exe
PID 1992 wrote to memory of 1724	1992	MSBuild.exe	MSBuild.exe
PID 1992 wrote to memory of 1724	1992	MSBuild.exe	MSBuild.exe
PID 1992 wrote to memory of 1724	1992	MSBuild.exe	MSBuild.exe
PID 1992 wrote to memory of 1724	1992	MSBuild.exe	MSBuild.exe
PID 1992 wrote to memory of 1724	1992	MSBuild.exe	MSBuild.exe
PID 1992 wrote to memory of 1724	1992	MSBuild.exe	MSBuild.exe
PID 1992 wrote to memory of 1724	1992	MSBuild.exe	MSBuild.exe
PID 1992 wrote to memory of 1724	1992	MSBuild.exe	MSBuild.exe
PID 1992 wrote to memory of 1724	1992	MSBuild.exe	MSBuild.exe
PID 1992 wrote to memory of 852	1992	MSBuild.exe	schtasks.exe
PID 1992 wrote to memory of 852	1992	MSBuild.exe	schtasks.exe
PID 1992 wrote to memory of 852	1992	MSBuild.exe	schtasks.exe
PID 1992 wrote to memory of 852	1992	MSBuild.exe	schtasks.exe
PID 1992 wrote to memory of 268	1992	MSBuild.exe	vbc.exe
PID 1992 wrote to memory of 268	1992	MSBuild.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\c8aa6223ca40f85c1ae6fd9024aab6ea.exe
"C:\Users\Admin\AppData\Local\Temp\c8aa6223ca40f85c1ae6fd9024aab6ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bat.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe
virus.sfx.exe -p0JTQsNC70LXQtSDQuNC00ZHQvCDQstC+INCy0LrQu9Cw0LTQutGDICLQo9GB0YLQsNC90L7QstC60LDCuw== -dC:\Users\Admin\AppData\Local\Temp
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\virus.exe
"C:\Users\Admin\AppData\Local\Temp\virus.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
7⤵
PID:884

C:\Windows\SysWOW64\acsvc.exe
"C:\Windows\system32\acsvc.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
9⤵
PID:1724

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "acsvc" /tr "C:\Windows\SysWOW64\acsvc.exe"
9⤵
- Creates scheduled task(s)
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nowqpfxb\nowqpfxb.cmdline"
9⤵
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F277438DA384A3390DC0682C18F09A.TMP"
10⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bhoyaqis\bhoyaqis.cmdline"
9⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D593967CFB24DAF9E7FD3D375497DB.TMP"
10⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c3sj4jez\c3sj4jez.cmdline"
9⤵
PID:452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6385.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc389CF3B298D24396AA9874F6232E0D0.TMP"
10⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\maqq2h1x\maqq2h1x.cmdline"
9⤵
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jkaucjww\jkaucjww.cmdline"
9⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\srillxbf\srillxbf.cmdline"
9⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kubhgo4j\kubhgo4j.cmdline"
9⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oyabkrwh\oyabkrwh.cmdline"
9⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xor3njqw\xor3njqw.cmdline"
9⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\54aktjsj\54aktjsj.cmdline"
9⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6539.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8924DF7468CA42F89DE4BC7BE7148C.TMP"
1⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6430.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EDBFDFAE32F4944A15BAC1A6337F151.TMP"
1⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA7E3915DAED4F0DB47A77D42FE6FD8.TMP"
1⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES696E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69D1AE6373674252A0CA983AA95AD8E.TMP"
1⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES621E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DFC1D58F81B4FE686B1E92E1BEB3DF6.TMP"
1⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6105.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1810F16A2EFC4C6E929C8326E24503E.TMP"
1⤵
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES602B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE54A83E26B1437DBB81699B2EED9CED.TMP"
1⤵
PID:564

C:\Windows\system32\taskeng.exe
taskeng.exe {29446D3B-3042-4ED8-BEBC-FF680069597C} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
PID:1588

C:\Windows\SysWOW64\acsvc.exe
C:\Windows\SysWOW64\acsvc.exe
2⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54aktjsj\54aktjsj.0.vb
Filesize
272B

MD5
7d86049d27793e2d5c59b2e781d902bd

SHA1
b9bcf51ed6e18e3477e7408a36065787b40ed203

SHA256
b185416165c4cdbafbae92ebe75dd7b997c6d5228ddcb194c68d352e71704ff2

SHA512
95c83498bbe3ff9c3cbac7bf6c824b90acdd60df5abfceed027b5a2ad9ac3c97aa6a104455eacd6a14f6197d41e453159c4b4dcd36c4bdd6eeb3c90c8d134d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\54aktjsj\54aktjsj.cmdline
Filesize
174B

MD5
b12387c115d44fd3038afbc96d6d4e30

SHA1
e23f7655542df75c63d73b4be4f97f439e726f11

SHA256
e6749ce739288107c33cf3dd00090c8b3cd22e208eaa0000125283c44c0d17a5

SHA512
d8b5afec6bc3c26e5cb47559566d467cb174dd7e2366f70a76b7b30e1a9ff92760d7fa402dcc101a81a91645c24f3e6bc28edec98f3d64b277a4778ee9e49d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES59A5.tmp
Filesize
1KB

MD5
811ecc9cd226faeb7f351de2ad11e846

SHA1
3ea1f7cf6ca32b64e114f945ad0164b06639f1ef

SHA256
1c0603fdf6f5cb02b4f5cb948067fa8cae70fb2b214e8aa2644116add073b8c9

SHA512
8e63785ccfea88ee5771d178d22e8d31d7d98f4e25df021dc048be30ac40fbd9bbda0efeb339076b32247d7d59af5c2924085c25b789f0aabadd1d2f55ce265e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F7F.tmp
Filesize
1KB

MD5
bc467819f8b256834a05b8980b1459a1

SHA1
0d3524bab37b859ed80c047e24867703efe14e6e

SHA256
1f84b8f6fcfde78017a5256cb9ed3902a37c3e44ff49ac8d691453c38da0d63e

SHA512
e78b682c39db5609936d0db73a24e9c64b36223f2e19638d6db847727a5f50a74c9435fe6e22ba2208f979833ca5483a9387893066846a667acf2bf916e5d08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES602B.tmp
Filesize
1KB

MD5
37d074bb5ba5d567c06d023da7060e43

SHA1
5d5e6385625480b7f8043e3f9a0eb1e60e530308

SHA256
7eb46b42e0f006b0c2d13964cc88deabf13f0d972828ca91366666f4bd768088

SHA512
1927a8e9f3714f8c5f8e64b32cab6150c83738e5b3785e4dae7c7babb80dab9d0d52dc90e4202dc07af2386ae6ea3cda81b3d6f52f5e91224ff7f3c62aca92f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6105.tmp
Filesize
1KB

MD5
d45abde63b3caeb17ff4d92a1bdd0327

SHA1
2a24044389fc971172de3fc77fab69f6a0872aaa

SHA256
d46d818bca9cd654e56e8ea654d40bde6f4eaa656c4780df2d920d1dda4d7824

SHA512
ce412ce02b515ab16fe4ea286191dcf3f46d85816a6a051c01b957dc6718bd356b4a81b197035561c8432bbe3d47081bd0c6cda3ec6dea9c2d529ccf382a5b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES621E.tmp
Filesize
1KB

MD5
16739b5d9248d9427a755d09f6b170e3

SHA1
38d321e7163408c32fa8b550afa28dfea15274f0

SHA256
10a1deb9ece7adf4b3fe9ab4c637273a060310936215f11d310b13c798201942

SHA512
51b609d8849966bbfa17f89dee1f39357f73b8d0f8fd108c59a185d4d245f09f3d5538212ff04114753b93c36f2c9270293841d3234c0c1d71b462cf58f7f5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62D9.tmp
Filesize
1KB

MD5
11f8a01620c5cb246de449aea9e167ba

SHA1
2443a00462e3d146a969466c044cefeeff671373

SHA256
ae5c76cae544d3e5ca83e4967d4254afba79eb78ad5a7101262c712ffd782614

SHA512
5638e52bfaf13a39ae7a875f3fecbe417644945e1d0e1b9e4faaf169181ceaa126953b0e3e51ccb2f4ad773537a8357c6f8237b3d1191d2cafb4a7ad2b2e088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6385.tmp
Filesize
1KB

MD5
4b3d9d2b3278c7eafab58fa0287fe4a7

SHA1
cccbc6f15447e3769a2368f2ccb255b645c6805b

SHA256
62d4464d652d07f84550d2b38af5046a897175661ea7dfd16b0c9863c4a9aa9e

SHA512
2f5c4b02a9d98b8ed9c84f0ed8df1d47fcce927bd2eb2410b0a8dc8f840828c0cd5e9d24e66f039b9626ef6cb6a3f469a196daf7c2d22095f3f5b3e3edf76542

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6430.tmp
Filesize
1KB

MD5
7fe1c1964d4d965aa8ef50574fcc7cd2

SHA1
700ea1f6a2cd5a244d83812347ffe380a811df70

SHA256
f275497f749652a77a3ea5a9d283538d7f064bad52de621d002d0f5ad73555ac

SHA512
4d98fcb09306aed011e9acbbfe498a38149ba5d238b9eba3079187ac5968edb1f388f605eecc7910f6fe62f8be88a317be3a5d9cc067f9cf1a6a2f11a68f7a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6539.tmp
Filesize
1KB

MD5
3553eccad869b9c9543940e6ca749c7d

SHA1
b896c40b533db627d819d134b24d132aefab44c6

SHA256
01311332c8d93159bc4fe9de77679f6388ea4d9634a0e0ee61ee28f3b3b298b1

SHA512
ce54e90676ee2993dcf2357473834682797bad4eef4b3fc2c6dc30da176891c13ad77c5c56bf775c8883856bbea6053a023cfc9e903b9187eda49aa718074058

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES696E.tmp
Filesize
1KB

MD5
385d44a4574c44153ae96ce0f594bee6

SHA1
1aafad89d3b7e7a0c05ca7e9902c7ecbf1dbfd28

SHA256
392940f5d3e31f90b585b42b30b054ba30be5e494a8f380ad07aa3323cb89e31

SHA512
c7ac32fa53745850be82172bd824e7c767e9d9e2ddf1a84a04b017dca13c7c89d5e6bceef4f049e343bc96a48ce586b2c388face70a38bb76e6bdfcca9543ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat
Filesize
120B

MD5
313763e1158ac32e596f279922d5fa7a

SHA1
f53fd94eae3c4b49eaaea6d7276a027d592fa6fd

SHA256
cedeed1af7694e6e59ec05f0e07c87e083a110d7109289112b42c365ffab66ae

SHA512
850f1aac826e79f51e45edfda06f23fd37b6d9e1fc6851daee7dedd5ac4a5d1839fb3c7022d0cd3de8cd053bbb0db75c93b41081602a7ffe613d9afae38e0f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhoyaqis\bhoyaqis.0.vb
Filesize
273B

MD5
0b56294a5290d612f74518c86dc0c75f

SHA1
8c3bddaeee6a4b39f482d5937fe6af67241aa10c

SHA256
62ce6fc9bb7cf24deb2ad36f187e5b00f3a0e20dfc6653337e883b7f03c37223

SHA512
082fa8443eb2584fa6a83a83bef31c8a6310244176b1348735f348c6cbca1bb5818398936eae0464c65ac4f776362d723cd4a756f9c78061bc88fa2b8569e296

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhoyaqis\bhoyaqis.cmdline
Filesize
175B

MD5
372bffbb4fcfdc2f83f981acba38494b

SHA1
2e0f204f639a3a58b3676875924184ba646c75a6

SHA256
188e6720423c67b803ca2fbe1712a766ec3dc49970c2c04986403d981f1bebfa

SHA512
fe755fbf4bcb6023b6bbb6196381dd4272c1de75a9ac6025ab08233c296a7de1ba6098be5ecfb22c1b0c0a5f5f024c9281c009acf9e57e8b43e28593bb7bc3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3sj4jez\c3sj4jez.0.vb
Filesize
278B

MD5
9f7cad9fd40d0862a0fcb54ae02c5267

SHA1
cacde3b65fd2b661f22f1594aa6e982826a61f34

SHA256
1479809a1d7e36e7a06bb483c7d2d54854e5a486f9e562d9755c53f4569f4571

SHA512
405bd74bcf9833b042379e675499484df467909ec32f57120034e1918ed56c5471b2071168db7f0070d11110f89b7feae9902254e33533fff35c3698c2331ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3sj4jez\c3sj4jez.cmdline
Filesize
180B

MD5
4cf4a74e1242a4e2f16fb2ea1ceac23b

SHA1
94208cbe047c5114560f2edb586e305db034badb

SHA256
35e1baa1973636342667bcff96010bf44e0198fa438d7b319d938c5974159bec

SHA512
1d72cbbe300d482d15de16a6cf872493a20ce41932790989064263c4a5b21748f34fff8a50b511e464ce4419af1628975359591befda508f404e3f8a8236cc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkaucjww\jkaucjww.0.vb
Filesize
271B

MD5
ad7aa2942da4eb02d567296d261bbca9

SHA1
3f90c02ba6d4c157e0aad6796d00304057abf133

SHA256
738c8474791533b7e0eb28aed7af7f3a1d281d8b7d502e2a04c5c1db539c353d

SHA512
5f919c9f00f780c6fa9dee87476d1680d07049e6e1447b3f0234db5438b2ceafb02824025b4ad63cf420b4250e37eb685a11b6dc882f2a9c1279f1932e9e3cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkaucjww\jkaucjww.cmdline
Filesize
173B

MD5
69f95a7834f6d34a2335d3a3351d7ff8

SHA1
18c6144ba9af65e3c455bb8bba07d80b80ff5030

SHA256
d95f7e50d04887f0c00852eba1039fe4f43f9680f852a78db5c2e38f7fc1056f

SHA512
d27e01e479a6472bab8ec4e8f55f087f4cc1d51eb9eb6cd8b5f75e7369354f8c758174dae8197c211d95dfed605a9dc88bf4943d84782aaefa2b6b6bd7cd6f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kubhgo4j\kubhgo4j.0.vb
Filesize
280B

MD5
f2a87b34e31322d5af0f89a732f899cb

SHA1
a1d91a0e0cfcaa1e8eea3559f057eeae11f6bcb6

SHA256
e411fd07aae2108cf096fe55bb30ba37f5a672c41999697149e96452ca3e5425

SHA512
aee56951d29f8033666a6fb5c6ddc7035a5518bff8690442d092b07948285d83b4186baf92e6e0ac065abf3af1cdc90d7fbd5641bca4d506a0fc3d21c54a4386

Download Submit
C:\Users\Admin\AppData\Local\Temp\kubhgo4j\kubhgo4j.cmdline
Filesize
182B

MD5
6845d37a349a43b17b81434bde662e52

SHA1
8d76dbefab9f7bba4bf74ee810f01afa8937141d

SHA256
54823be722225959eacbc62ec4f53c41714f61fbd9132a83321ae1f4688a5afb

SHA512
8fb3d6628d22c7875663d3702b15d7d0d57a92012d0df25229ba75df63039aa7ac09bae3e82237fb7612f11c14d826afbb443ec5c847896569d1c1b0d19feb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\maqq2h1x\maqq2h1x.0.vb
Filesize
277B

MD5
761234d154293c0d90c750b76795d6cc

SHA1
17dcc982694db0ab56a4ab89645d397ed9a02a7b

SHA256
4b2750027615d0eea1bd1102d576c1cbec8fbf347115e2322a1189e39ef72da0

SHA512
364ac9edd6befbd1a560fa8c8038aed7d385007cec57c6bef1dc4a2b9d392dda11632d9e19a6459607eb3570c1b133e8399f3c27d2bdee1f4cde8ce6ad387dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\maqq2h1x\maqq2h1x.cmdline
Filesize
179B

MD5
b0070958ce6783f93c8eaf727ba6b96f

SHA1
d8486c8ad250431f9394d5eec7c7e19b01b2b94b

SHA256
f181cc0766f31e316e2850b583be2ad37be3d71b40e0f4d68b93eece949d5786

SHA512
c4a6c5b1cccc3a1acb246a080fb3dbb08036ee57b42b66720ce5603eeb99d2af74e21d41cfb77a099acf07031b462e893249e80ca22b6285858ca3c090d2abd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nowqpfxb\nowqpfxb.0.vb
Filesize
269B

MD5
43a8f98a0bd9ca2e2664c19fe7b7e4e7

SHA1
8ff7ffe20db725f8a5204039cea64c0d3d8d87b2

SHA256
e0036f57d0154459e4f687e9bdacf66487469ea519a89ab8be6d73f35cbf62b8

SHA512
570756ac49978d1134be7902dc44fb7f35878ba093b7e8b61bb0df7b64109bc7807ed48d9a725a425b8ef4671193880211bbbf247a487e195519a114e0c97ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nowqpfxb\nowqpfxb.cmdline
Filesize
171B

MD5
7da28510b8c10e28d72571ccf6e357d0

SHA1
fede5f5b9a92af56861d6cf497dc037f776c4f25

SHA256
d6a68ebbfa3967b84e02ed87ba707306420d4a6b9ba60c4c9a28792e83699fd8

SHA512
bbd7d9523c68ede67dbfb5e94f86aeff3e8405a5221813c63b29f67280ec090a27d42d9bf4803a5393fe9c4c532564e9267b901851e2e12ced6654e6df32893b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyabkrwh\oyabkrwh.0.vb
Filesize
278B

MD5
503cc829036ecec5de26c96dfe6cea8f

SHA1
7b511c2388501ae5e36bb9655983adbd7cbc4d96

SHA256
5ea6914239a44ee338bdabe3ffe141509f38bd70c5f95920e0820a23980a39e9

SHA512
0949e215a2cdda57ff133502dd9b43a7a716227f607692ab083374c1506dfd00d795f8f7da6a04eeb248cbf0e0dc59822a1c1317b5dadf52a96ce0531fa6b225

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyabkrwh\oyabkrwh.cmdline
Filesize
180B

MD5
aa661c13d047a87033711e0e020e9e75

SHA1
7002e5d362b63d2b43f90026eff288a12c5c39f8

SHA256
d5d936e2d613e72993c5f9e5bde70e10cc91e1fb08a37f06730249da600a0236

SHA512
d2ae56d24a2efdeff44f4f12830de034dc0b0a4fa148c659ec49441a12f6cabeef9033ec43dc45be32618e4de1b776a5de7cf101d318aa6a0b144812525cce69

Download Submit
C:\Users\Admin\AppData\Local\Temp\srillxbf\srillxbf.0.vb
Filesize
297B

MD5
7212afdd0670866c081634fabf3e48f8

SHA1
643439c9fcc621b4363baf3cba30c2637b1a0e07

SHA256
6d73e6e412b28bbbb95b28ee65f3f75aa183690d33357b422b747144b7889540

SHA512
1bc788e1b5286dae9c06fa5b8b579871735d9ce656c5f3254065c3c56553f57cd4bce8bb007950a12eb798ad9acac72d4afc42d82b30a7046884a0e21fc97b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\srillxbf\srillxbf.cmdline
Filesize
199B

MD5
cae132ab3b6f56280792f9c9b2f613a8

SHA1
212d996dbc9a23e3847b8f328ee26bf88b85f46b

SHA256
ce3eeed8ef02a94ab5fd6bcc2a84f1bc29476265e124e84aa19fc39f04a61f69

SHA512
8b7f45860620e9bb542918fdc21e4bd342b01f99f0524ac7ae79fe2b877102b38c724b3851654d9b2c3721791b14640620d4e38de49ecd559bf34eed4de3b8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1810F16A2EFC4C6E929C8326E24503E.TMP
Filesize
1KB

MD5
c3e495da66a1b628c1f3d67d511f5f30

SHA1
d487b081326a052a7b7057b1f039bbe262280479

SHA256
81cbcb4840551143dbb1f8215d7c54f87f0397173b35d6a101564a784827dffd

SHA512
c596c316e8519a33e4360f87c40a812f904145a12c1d4c3c59f95b08a353eda781e40da8e95b0e971c24faa7d15b19170a67027cf8732246a6978cc6571b29ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc389CF3B298D24396AA9874F6232E0D0.TMP
Filesize
1KB

MD5
5be03705622d8432c727b2f54d2f8714

SHA1
d5fc067a15681b7defb145c6526331a359e6f84b

SHA256
763889d47a575bea1067919ee6b7da90e470394d08f92f0a12cdb7a95c5f8d6f

SHA512
1aa7ddd4493dcbe9c635594d75c30ed3a4ad68c26f0e437ae32b1098a3d1992b5467777308f6d84ece5be4368136da12202c928d14d785691c9201223adafe77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4D593967CFB24DAF9E7FD3D375497DB.TMP
Filesize
1KB

MD5
6592f9186211221a0a3afcf34a2dfa00

SHA1
bf3748b4ab03bdc65c242ad924653666cda3c5d9

SHA256
eac2c432a96e0d19ef3a1950bc067babe642d11af2a3c2a14bc3050e508c1b3f

SHA512
f7b072428258b7cf5d674c9df15bcb28df9369fde271e79bb2752e0266cabbc3b4bce8aa36e56f3ae99ebc2e658ca7d764628c82668adafc3d0889bd6d71dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4F277438DA384A3390DC0682C18F09A.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc69D1AE6373674252A0CA983AA95AD8E.TMP
Filesize
1KB

MD5
d7d9f8d1ac18d21666caab1c2340838a

SHA1
a33791468a096f2ecd0b9d46a3550879ddb20b6b

SHA256
5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce

SHA512
2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DFC1D58F81B4FE686B1E92E1BEB3DF6.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7EDBFDFAE32F4944A15BAC1A6337F151.TMP
Filesize
1KB

MD5
32060b25f1b853322f55b00e646349eb

SHA1
3f48939a11387738bbdaaecf03302bf210653b11

SHA256
49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c

SHA512
db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8924DF7468CA42F89DE4BC7BE7148C.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAE54A83E26B1437DBB81699B2EED9CED.TMP
Filesize
1KB

MD5
4ffaef2181115a3647790b920aa31b31

SHA1
7f15eee57c8482252db8286ab782978747471899

SHA256
d52cc5df93cac8616b0ecebdf21c6e11bf14e0308f97d6406f4e1c76d0738843

SHA512
501991abd0d0f5780084b9584292183d55bf2c5587de4a7182e1f0979a68f051ef2e1a94753d9da0add2f4f04107320d664952f018c516f3354fdda4e11ec436

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCA7E3915DAED4F0DB47A77D42FE6FD8.TMP
Filesize
1KB

MD5
cee1aae40ed483284d3131b9a76eae59

SHA1
616bc1c7ea383b4f78305c4111a9816095f45b12

SHA256
bc10f0b64e7c4e54e0d840d904c395326907aa9e30b243959e00aea0a51b8d35

SHA512
57976c6b66ca77489f168915be4b0b7c3b53747f6a62e60984db5d0aa2ff8428a0c8a78b515191e2c257afd11a4fb17c4bd6f05a49bd429120e588ac040addee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
Filesize
89B

MD5
78cd7fe96fcefee2dc19332106da3ebb

SHA1
c36b1f451e75734c99070fceea6fa1fef43c953f

SHA256
5147181b11646207d24192fb4d0b893b1ea2220f3b3ce032ff9057297ece794c

SHA512
18a304a4ba7b8d8680bf4727cd3f68595f3e00046872215fd68ddb6f9363b3b14637a7abc53b2aa97073b423f8c3814b5e8c8f385ab0c22f9598698305b1e56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe
Filesize
338KB

MD5
0c2a42618a219916757349673caee33d

SHA1
108b16ade92cae3f05a05daf399931e3f460030e

SHA256
6346ecc38aaba94bc2a94cdf871983747c0641f7b6acab07cc6392a902f4dd2f

SHA512
50ba5e54cdab26b418bb3b593af1fb5dc150d0ca740a6fbc7759b9c3b12c1b1e0d6d255d53f6ecc93b3bb8cc51027dcb6064e8cfe9fa99e774bc9dd11678f495

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe
Filesize
338KB

MD5
0c2a42618a219916757349673caee33d

SHA1
108b16ade92cae3f05a05daf399931e3f460030e

SHA256
6346ecc38aaba94bc2a94cdf871983747c0641f7b6acab07cc6392a902f4dd2f

SHA512
50ba5e54cdab26b418bb3b593af1fb5dc150d0ca740a6fbc7759b9c3b12c1b1e0d6d255d53f6ecc93b3bb8cc51027dcb6064e8cfe9fa99e774bc9dd11678f495

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlRvZwfRtN.txt
Filesize
29B

MD5
1e3348c1a4f7e3ff5ec118e0c31d64f1

SHA1
60118a6f01adcd2aaecd8f0625ab728b862f1d88

SHA256
947db6a90c3d89c94e89698749283ea13a6f33b31bde2c995f6a2cca8f140961

SHA512
dccb6375ecf87a62ffffe965d88f3c602ecfb09c5d9e9120a4cab3f6775ebf2749fdb8cac453e52ec4b6c1c06b0d72b52c2249ca0a3c7fa15b61d7f50cb696a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlRvZwfRtN.txt
Filesize
29B

MD5
1e3348c1a4f7e3ff5ec118e0c31d64f1

SHA1
60118a6f01adcd2aaecd8f0625ab728b862f1d88

SHA256
947db6a90c3d89c94e89698749283ea13a6f33b31bde2c995f6a2cca8f140961

SHA512
dccb6375ecf87a62ffffe965d88f3c602ecfb09c5d9e9120a4cab3f6775ebf2749fdb8cac453e52ec4b6c1c06b0d72b52c2249ca0a3c7fa15b61d7f50cb696a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlRvZwfRtN.txt
Filesize
43B

MD5
f1ba33ad4b56ad7b7686f89feb608559

SHA1
85d3b17567ad850d13f9b83334f370ce29606a95

SHA256
c7aed8ea013e7ca83936882c859052ca20c0be20fd02a4df6f1668ef601da24e

SHA512
ce6c0549a3f2daaf27a416dd6f3e0b2736b40b54fc7b816e741321ac90e544ee8ccb7070607595adc697cdd6b5a9e4f9f28de53ce11bdad555a13c4144319007

Download Submit
C:\Users\Admin\AppData\Local\Temp\xor3njqw\xor3njqw.0.vb
Filesize
276B

MD5
24ec0d492277e96c058af01bcfcc4b3a

SHA1
1cbbb8d176dba926db8436da5aff054216fe4af0

SHA256
2222428703391a1fc761d2d46aefb0206e3afa9853abc4406c078a9de1e62f4f

SHA512
7ed3396a26f426d5bd8855694a497805f5878bc6d6b3cb158c8dd4ff32489b1da624b7fdcdb081b45d42d1fa7dd0f2b3f272fd14c35481762a74bc54ed2a3c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\xor3njqw\xor3njqw.cmdline
Filesize
178B

MD5
bbd0b8936812d47dcd795e28df4ebeeb

SHA1
4d7ffe1cac73d6175d08b60313dcb3f556180308

SHA256
65df45048006fb35d5e80916eb4cd1688eaaf63e5ff76e66a8b2aff92c28b9c8

SHA512
ac448eb474e2de8a30c9e9c7d1f52a9366f0a39674161195c582b1198c053ae865ea52c6dad6019b117ee8788ea2080a7800bb8fc79648fae8ee8d94a0628b92

Download Submit
C:\Windows\SysWOW64\acsvc.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Windows\SysWOW64\acsvc.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Windows\SysWOW64\acsvc.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.sfx.exe
Filesize
338KB

MD5
0c2a42618a219916757349673caee33d

SHA1
108b16ade92cae3f05a05daf399931e3f460030e

SHA256
6346ecc38aaba94bc2a94cdf871983747c0641f7b6acab07cc6392a902f4dd2f

SHA512
50ba5e54cdab26b418bb3b593af1fb5dc150d0ca740a6fbc7759b9c3b12c1b1e0d6d255d53f6ecc93b3bb8cc51027dcb6064e8cfe9fa99e774bc9dd11678f495

Download Submit
\Windows\SysWOW64\acsvc.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Windows\SysWOW64\acsvc.exe
Filesize
65KB

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
memory/268-135-0x0000000000000000-mapping.dmp

Download
memory/328-156-0x0000000000000000-mapping.dmp

Download
memory/452-171-0x0000000000000000-mapping.dmp

Download
memory/564-150-0x0000000000000000-mapping.dmp

Download
memory/564-192-0x0000000000000000-mapping.dmp

Download
memory/852-134-0x0000000000000000-mapping.dmp

Download
memory/884-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-91-0x0000000000439A92-mapping.dmp

Download
memory/884-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1020-147-0x0000000000000000-mapping.dmp

Download
memory/1108-183-0x0000000000000000-mapping.dmp

Download
memory/1120-138-0x0000000000000000-mapping.dmp

Download
memory/1204-208-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1204-206-0x0000000000410BAE-mapping.dmp

Download
memory/1308-73-0x0000000075020000-0x00000000755CB000-memory.dmp

Filesize
5.7MB

Download
memory/1308-69-0x0000000000000000-mapping.dmp

Download
memory/1368-180-0x0000000000000000-mapping.dmp

Download
memory/1468-144-0x0000000000000000-mapping.dmp

Download
memory/1544-80-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1544-74-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1544-79-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1544-78-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1544-75-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1544-77-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1544-83-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1544-81-0x0000000000410BAE-mapping.dmp

Download
memory/1608-99-0x0000000000000000-mapping.dmp

Download
memory/1608-103-0x000000006FB50000-0x00000000700FB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-62-0x0000000000000000-mapping.dmp

Download
memory/1680-174-0x0000000000000000-mapping.dmp

Download
memory/1684-186-0x0000000000000000-mapping.dmp

Download
memory/1688-159-0x0000000000000000-mapping.dmp

Download
memory/1708-55-0x0000000000000000-mapping.dmp

Download
memory/1724-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-126-0x0000000000439A92-mapping.dmp

Download
memory/1724-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-189-0x0000000000000000-mapping.dmp

Download
memory/1832-153-0x0000000000000000-mapping.dmp

Download
memory/1928-141-0x0000000000000000-mapping.dmp

Download
memory/1932-198-0x000000006F060000-0x000000006F60B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-195-0x0000000000000000-mapping.dmp

Download
memory/1976-168-0x0000000000000000-mapping.dmp

Download
memory/1980-58-0x0000000000000000-mapping.dmp

Download
memory/1992-111-0x0000000000410BAE-mapping.dmp

Download
memory/1992-115-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1992-118-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/1996-162-0x0000000000000000-mapping.dmp

Download
memory/2008-165-0x0000000000000000-mapping.dmp

Download
memory/2008-216-0x0000000000439A92-mapping.dmp

Download
memory/2044-177-0x0000000000000000-mapping.dmp

Download