revengerat | 9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe
Size

4.0MB
MD5

1d9045870dbd31e2e399a4e8ecd9302f
SHA1

7857c1ebfd1b37756d106027ed03121d8e7887cf
SHA256

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA512

9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2008-58-0x0000000000400000-0x0000000000420000-memory.dmp	revengerat
behavioral1/memory/2008-59-0x0000000000400000-0x0000000000420000-memory.dmp	revengerat
behavioral1/memory/2008-62-0x0000000000400000-0x0000000000420000-memory.dmp	revengerat
behavioral1/memory/2008-64-0x0000000000400000-0x0000000000420000-memory.dmp	revengerat
behavioral1/memory/2008-60-0x000000000041C7FE-mapping.dmp	revengerat
behavioral1/memory/1948-195-0x000000000041C7FE-mapping.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1632 svchost.exe
Drops startup file 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe RegSvcs.exe
Loads dropped DLL 2 IoCs

Processes:

RegSvcs.exe

pid process

2008 RegSvcs.exe
2008 RegSvcs.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1632	svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

pid	process
2008	RegSvcs.exe
2008	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exeRegSvcs.exesvchost.exeRegSvcs.exe

description	pid	process	target process
PID 1948 set thread context of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 2008 set thread context of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 1632 set thread context of 1948	1632	svchost.exe	RegSvcs.exe
PID 1948 set thread context of 1292	1948	RegSvcs.exe	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exeRegSvcs.exesvchost.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe
Token: SeDebugPrivilege	2008	RegSvcs.exe
Token: SeDebugPrivilege	1632	svchost.exe
Token: SeDebugPrivilege	1948	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exeRegSvcs.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 1948 wrote to memory of 2008	1948	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1328	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1996	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1996	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1996	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1996	2008	RegSvcs.exe	vbc.exe
PID 1996 wrote to memory of 1196	1996	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 1196	1996	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 1196	1996	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 1196	1996	vbc.exe	cvtres.exe
PID 2008 wrote to memory of 1424	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1424	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1424	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1424	2008	RegSvcs.exe	vbc.exe
PID 1424 wrote to memory of 1880	1424	vbc.exe	cvtres.exe
PID 1424 wrote to memory of 1880	1424	vbc.exe	cvtres.exe
PID 1424 wrote to memory of 1880	1424	vbc.exe	cvtres.exe
PID 1424 wrote to memory of 1880	1424	vbc.exe	cvtres.exe
PID 2008 wrote to memory of 1544	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1544	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1544	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1544	2008	RegSvcs.exe	vbc.exe
PID 1544 wrote to memory of 1180	1544	vbc.exe	cvtres.exe
PID 1544 wrote to memory of 1180	1544	vbc.exe	cvtres.exe
PID 1544 wrote to memory of 1180	1544	vbc.exe	cvtres.exe
PID 1544 wrote to memory of 1180	1544	vbc.exe	cvtres.exe
PID 2008 wrote to memory of 872	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 872	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 872	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 872	2008	RegSvcs.exe	vbc.exe
PID 872 wrote to memory of 608	872	vbc.exe	cvtres.exe
PID 872 wrote to memory of 608	872	vbc.exe	cvtres.exe
PID 872 wrote to memory of 608	872	vbc.exe	cvtres.exe
PID 872 wrote to memory of 608	872	vbc.exe	cvtres.exe
PID 2008 wrote to memory of 1916	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1916	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1916	2008	RegSvcs.exe	vbc.exe
PID 2008 wrote to memory of 1916	2008	RegSvcs.exe	vbc.exe
PID 1916 wrote to memory of 1948	1916	vbc.exe	cvtres.exe
PID 1916 wrote to memory of 1948	1916	vbc.exe	cvtres.exe
PID 1916 wrote to memory of 1948	1916	vbc.exe	cvtres.exe
PID 1916 wrote to memory of 1948	1916	vbc.exe	cvtres.exe
PID 2008 wrote to memory of 1776	2008	RegSvcs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe
"C:\Users\Admin\AppData\Local\Temp\9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p_6xrf17.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67C9.tmp"
4⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y3g4jexq.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6894.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6893.tmp"
4⤵
PID:1880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vqlagt3r.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6921.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6920.tmp"
4⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\azcqyski.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CC8.tmp"
4⤵
PID:608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-sos1onk.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D64.tmp"
4⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m3cc8vq0.cmdline"
3⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E0F.tmp"
4⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ssgwy0wp.cmdline"
3⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E8D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E8C.tmp"
4⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kxtacjmy.cmdline"
3⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F1A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F19.tmp"
4⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckxxy8gg.cmdline"
3⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FD4.tmp"
4⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qkkvpsfi.cmdline"
3⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7071.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7070.tmp"
4⤵
PID:468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eu1lnyg9.cmdline"
3⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70DD.tmp"
4⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_6xy8ppy.cmdline"
3⤵
PID:1168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7438.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7437.tmp"
4⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cvjxwj0c.cmdline"
3⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74D3.tmp"
4⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dthb8w4u.cmdline"
3⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7541.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7540.tmp"
4⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\346bbxdy.cmdline"
3⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75EC.tmp"
4⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5yjmbvs.cmdline"
3⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7679.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7678.tmp"
4⤵
PID:296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zceeewss.cmdline"
3⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7782.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7781.tmp"
4⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l4yenezu.cmdline"
3⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77FE.tmp"
4⤵
PID:1880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wue9lkfk.cmdline"
3⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES788C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc788B.tmp"
4⤵
PID:1064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qocviy3p.cmdline"
3⤵
PID:468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7918.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7907.tmp"
4⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\objqeq1o.cmdline"
3⤵
PID:984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7985.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7984.tmp"
4⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\53tlrll6.cmdline"
3⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A01.tmp"
4⤵
PID:1640

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
5⤵
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\ProgramData\svchost\vcredist2010_x86.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2010_x86.log.ico

Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\ProgramData\svchost\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\-sos1onk.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\-sos1onk.cmdline

Filesize
261B

MD5
df1adb276eb91ef3e548a03d65a2fea9

SHA1
cce014e2b631bbadbeeb2a0b21654df5c00c8575

SHA256
4d4f3149209a9e50e1826270918337612773bb6e4b0a93a18b7a9270c4c6ce79

SHA512
99fe51ce5a32956135802830879a4f3bc1c681195a369e95bb951e9cdb713ac36c94f8a3bc32adc404c56f3a314f6a9b12d1d75f04a526db3abaf3f1a5f5fdda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES67CA.tmp

Filesize
5KB

MD5
8ceca3be22be27b6be5f2c147f0fb88e

SHA1
f9ad7bd99a4fe734f3ffe4859ccac2a0ebec8d31

SHA256
a30e6567b0161639a42505726f84bff1f705956f9ae28fb5da98862bb03e9ba7

SHA512
6ab8df72a030b89707c5a0c2d8912972aa9e9764e3769296634503827b2df4d398f68b8c0a277bef6d5801fe96f2719dc24b644762456c7c6d28f6ce17e9bdf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6894.tmp

Filesize
5KB

MD5
7e9ebdc9f227378f2526107f383338b9

SHA1
0a66002e586429b8bc6e24a2eb72a4efbe2fb1b7

SHA256
396e4323bac239f0a27bc72d16237d4278b9fe35424d19ef6dad72b066eb9dc1

SHA512
6f2391d8a443f0c006e1bf575641dc6c03f865337c4cd47923f71919e810a5e915440701de282fdab91950dfeba4c0b2dfac87c942d99a1ed769e86087bb23f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6921.tmp

Filesize
5KB

MD5
5d205978f85165faac0c4cb52b7f2524

SHA1
843a0a07e733266ad1c2cbb8ca71e0e2c4e25b5c

SHA256
919162ac52b8828c57f65a41f6fbf44c66c2c78918cbc93c9d0e813a0d804d5e

SHA512
ccc813b173c576d381ba7213d94786d5fd638d2303d22e0e0f29b7fbf60ecadda65fa95e38f51e6d53c52b183e1c4676257fb8ec1618bc06129d3790f9a97b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6CC9.tmp

Filesize
5KB

MD5
567ea180c355b1f073a897370b2ab263

SHA1
6c249e1db55eac6b5c592c96827e7932e6ec7d4b

SHA256
a36337b056458edbfe73b0e3e64b4cdc44f446a765cf8f0b465fb1a7263cfaa6

SHA512
471813fff256729f6e6735b7592dfae3de52a325819e7bb4e7d3719bff6db81f50f1af1d47800d8f82a4678f1ede59af7b3479475b3a10b2324d278229b7ed2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6D74.tmp

Filesize
5KB

MD5
60de09e9389a6d7f382d4a94475b384a

SHA1
783a37bd8f2c828aa7da5f7ba5233cfe726d0f3e

SHA256
c74e0f6d1527ebf68ad024e65bbfdcae856959ca3d9eb7f8a93048320cf6d947

SHA512
e536683c376fd781b2e2929fa81a7dead6606012bca6b2ffadf067b743901eb0320f4a2c8dd5d7198418a51227eac0c2dbf62e38e061653a682e800d9486d61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6E10.tmp

Filesize
5KB

MD5
a0659778a0de7386c4d64ddac0a6adc2

SHA1
adbcd2706e450ffd0cd7b4b53bb66fcf9e81351c

SHA256
96fc03ef82453bddd50e4c0f8b4fdd13c893e4a26687c87034e9e339239623c4

SHA512
747b4afa5fb02589bebf3d2c2c978c918e8530b6c6886553bb11bb95e2eea2a8a0a5c7279c571ebf441ae2817f0d5f1871aee1db57860a5d5439fb4a8038a85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6E8D.tmp

Filesize
5KB

MD5
d7d8ef9df5fb713686c4a65171eba5be

SHA1
efa586acd8ea6b5256604ce51574bdcc10ccbd7c

SHA256
96f66b36175912b14df9878d15fd18926a90c9dd41a3a7a6ffe470447469dadd

SHA512
6847c5d9a31233fb5283f2f5b275f3221fdf749e7e36fe7d892329648082acaadbd7990a5897f9cf22ddda7af9b51a0b009ca179f299c7773750c3e5f7375b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6F1A.tmp

Filesize
5KB

MD5
f003519617cb876320e9f6e1c4c53263

SHA1
a5b5111e03e771fcc0484263dd73fc1abb728720

SHA256
6461bd500c0804b90c7893a3ea32f35fc28d6ca9dabf1385fab349c10085adff

SHA512
10f419892be0d7d20971961483cf38c2e874dc6d69529694b08d95830a7baeb32d3a539d1d385036a80c727d0336205c5e75971f1b1470f7fed849d50ecf51b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6FD5.tmp

Filesize
5KB

MD5
65ea32eab685e7c956f9dba8bbfa373e

SHA1
6e1664320f3a02ddec4c3dd73e1950407950b20e

SHA256
70000993266598ada43d196b47219470ac4d277cb0174053cf243f5582deda2c

SHA512
2535626af20ff248ab134684567d6935f1ebbb9708ebfef0893692a15bf761fd66c25fb2a063a7dc3a225380b6813d24ea02ae8aad1fab566445339078c7c2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7071.tmp

Filesize
5KB

MD5
a8a211a2473cfeac7280f7dce416ee64

SHA1
44c3f4405b9992387e4fa8316e4755088cb57918

SHA256
8398d334193cf890c1620cdd9bb974c8f6a6890aeaf08cb8ece59a7e30c57866

SHA512
776fe29a25adc3fdddc10ec7887072ffe70247b27feaaafcb0dd63888004ac111c9c8d855937874ba7b956e5f57636f30e191d843c469f5bfebeec9221a71bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES70DE.tmp

Filesize
5KB

MD5
8cbc7eb2ba06c1531cef269459a8d7dd

SHA1
1f1b7e1c616dd76852cb8f6196ef9a4b85ff6989

SHA256
1511c22ed4e63403cf2a1438d69763e063acac1e8596b3b9b6eff379a71c0b5b

SHA512
ce25a51eb7f4fb9b930bf0ebb4d8b570a356d8c3cf18744b577310df7292a50af9f988752ae871d2209a7722d57c8809386f5063827ca7e554defeeda1a1f1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7438.tmp

Filesize
5KB

MD5
b1dd60608c2698055d694cb64b3568af

SHA1
c93fb368cb8fbceba6cb26f2722289fb0bb15548

SHA256
95005f8b9225802e25b17cfbf85229765ea61d335dfd059aa9699ff576cc5ba8

SHA512
5000b40dc18e3076f914229c22c790a4896e09fc93b259bff1c7ef63d34dad497973f740db93571dfbe4a37ac0d3afb7122314e79998823798fd03eb325f33bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_6xy8ppy.0.vb

Filesize
378B

MD5
b3f4020948b586a0f9b5942315ffdd2e

SHA1
bcea9b02c02f4019410a5fc2d6aaa1b8448993e7

SHA256
62c128f4f8749a44b0ad3bae5847c107154d0af80562dd4774b92eab801ee16a

SHA512
e75ffeab199cdb63a8be4ba2c2607d1616aea9edbb8a4a4632f3d36f13c6e8bbad4dc23992db5f5a6390df143028247bd5a5012394ba47248e084067f9a2ecb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_6xy8ppy.cmdline

Filesize
271B

MD5
e622be211d97f3f9f29256f3d85b9153

SHA1
3ea7018487608b644af9b6c308cb9b5459fe5cb7

SHA256
caed6586fb18689d02ac52317c09c6aa396ff5e3832a7963c7caceabfb5c277b

SHA512
feaa1a5cd9b4372be70b2fa024834b71f9ad62fb7743e72f9e8c49c2be6332adf836cd08710e3414c215039f8d710ab49a41c2c0d4230283397e208a60d1cfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\azcqyski.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\azcqyski.cmdline

Filesize
224B

MD5
b45b0281145a27ce97a810ea4b8a558f

SHA1
e2443dd85f8fe2c1fc70b08ab38cf61dba909771

SHA256
8854c08230737011623db6ccce2f500aef1c3e04d047a676eda38b75887060ee

SHA512
1a7b33f6172410eb15729d6ecc8adf967af68582218559b6fad2d6705a9d4ee14c46e6094eda25074da353c1a1f7a679885b8c511c9fb27c69321197de5d83ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckxxy8gg.0.vb

Filesize
375B

MD5
085f35c737b484465e1799359126ee1c

SHA1
f51feaf15af726cb9cbc151cd86b9913e428abcb

SHA256
940fb15c66dc34a66b192569ec3588a11285af4f7230c27d54191dcff5dd5b1e

SHA512
8314ec82f79a6dbd1e946be25984635c149ef6689e33d8010680f5bdf3bc8803bc14d8dbaa92717fec261d7f27e8f87384478130c3fe5ee37f3ec84fa2bf1402

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckxxy8gg.cmdline

Filesize
265B

MD5
e9f8923c148d6253cda1ff4a2a71da34

SHA1
40c6ad0323124add15802188441b1fe7dffb4540

SHA256
0f81710d21ed610149bc5c77da59fbbf7152af57c56cfee00547ed3f569faab3

SHA512
d3e1bdc8f239bcc651d0be4efd6b4c44b0fda506e50c4badb6f6cc7b4d30597898359bf4b21e730112576b7248e5098cd477c79fd1a13618a33188fd5d7aa40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvjxwj0c.0.vb

Filesize
375B

MD5
7114e7bf3cad956caa61ac834cbf7a90

SHA1
9e245814174794c08bcd49d3c1cbbeee528fbdfb

SHA256
be2de05d5378b8c7617e9818cf1c992a9148959e0bc3ee18ec98500c7acf3c25

SHA512
2a3a229bf576a520634670715921ee021b13a726cde40d13fe17129471c9d44e092df505c11d3c396df2c69c6651be619b92bb14251d7f37275a840a391bcd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvjxwj0c.cmdline

Filesize
265B

MD5
9fd224ec79c8f38d2f487b117292734b

SHA1
6039d6a35c9ec8b8f60e451fd277efdb30a7d353

SHA256
43f2b6b7a9203a26e295149dc25c5f9e420899d7ee31981bfb66f9afdc02cd26

SHA512
fcd2ebd8cce678c1760eab6560fd6d85bb9b41a476b4d8686bdaa103dbc77862f055602536a8dc2d7194c035356322b2f8d260496378afdb2528ba9a7e1ab713

Download Submit
C:\Users\Admin\AppData\Local\Temp\eu1lnyg9.0.vb

Filesize
375B

MD5
61580d8eee92263741c70b5e756b3a1d

SHA1
cb09d0e8635efa1fee911b9ead83c6a298139f27

SHA256
1430de0fb4d00afcb7d7df9abd3d248df27101eed793251c8bccaa325a9b6f77

SHA512
b0aa8925e8016324ebad6a4307ea4c9b9a58ff564b718092080f966ac069eba387157da708303ce83b7b42b3ffe16efc4dba874e7b4563693195d6736de96d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\eu1lnyg9.cmdline

Filesize
265B

MD5
4823caa70c68f7bea49e30c56b223ed9

SHA1
ac2d4ac090b6fbcb78d33ae028e421497734eee9

SHA256
de8d8cf5ced4e673045fb8a5010c3d15ac18bdb43e267ff69ae6ced527744631

SHA512
6dd771a3f0be70c67b32e4abd99db9ed1df1ce58ae3be78b865aae91a3986e570738f452ead4d6b540a64c31b60eee1f09940ab045b5888557369ac342df908e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxtacjmy.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxtacjmy.cmdline

Filesize
267B

MD5
5534b070dbeb155d3f377b2be968a6ad

SHA1
bd5f457c6019b5c687ce943b2b1743ad54c08c11

SHA256
ad31e6fc3a842a7daf4eca4f0d0f3a87de49d5e2cd02ee2ca7f278c9a1b63975

SHA512
fa83ad38193dad7f82cb950191cb70baed333cd73cffd7dc9733b18cfd73d6181106a17030d5f2e22c20e60f92427048320b9d2819b4192fbb2fad15c1511dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3cc8vq0.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3cc8vq0.cmdline

Filesize
267B

MD5
88e21268ec9fe02b2a42ea8702e1b035

SHA1
b4184561aaa2b900972ce4817984e1d11035e9b7

SHA256
6b3918d0473890f4de96c139b7cf9600ef0d1bc803f71a75ecb3b357384e64f9

SHA512
798ab0aa213755fd04da341b2ceab5c6a13527dd25821fd232913ed3e6d61ae6eb423f6d4be7e66ee2882e1920343cbc997e8c845c3e3371aa273d030642b167

Download Submit
C:\Users\Admin\AppData\Local\Temp\p_6xrf17.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\p_6xrf17.cmdline

Filesize
253B

MD5
0208855af46a29759049a7f77dd71542

SHA1
eb3835099492bf9658123a8f258f71c95ffd2643

SHA256
826ad25f9a6963ad1b30df36c01a52839559041094a2fd08017f3acfb5865b4c

SHA512
fa4c3e1d65a5abc8feac93014adb2805ccf07fc6b824eb258e8ba160ed6acb1d36c9cd205f579cb6b91bce00bd42828a4fecc509bba1cbb6ed41feb28bfdeb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkkvpsfi.0.vb

Filesize
378B

MD5
a52a457213a9d0522f73418af956a9ef

SHA1
cd46e651cb71f2b3736108d58bd86c7cf3794ecc

SHA256
be60d63078e797b8b46dc31f978e20e9819ef09b6fd3d5869934ace0530f23f7

SHA512
9d3458eefcd36539d4e97ed847f06faf96e0a8445e1d352d6a77506a042f513fb39523f90eff3aa1ef06afb000371e94d1968bc61d28bfb00f2a8cbbcc2eb3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkkvpsfi.cmdline

Filesize
271B

MD5
7a22f235e2d66344da675d68ec7cf8f1

SHA1
3a8b3c9d551e416099a664b55bc320bb69204ce4

SHA256
dfcc38fae6d159db59cf061598834f8961c0e0add7be3df035fa1f2faeba1a3d

SHA512
22f9d1eaa410941914abc63e82c69c3f8c91436bb62d8399129d4b0a2b8d4453cf61a31a9789c5561a86ae7a846297c090b802de71bd55b6d2a228bfb4780b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssgwy0wp.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssgwy0wp.cmdline

Filesize
261B

MD5
440d991fc0366f8452de1a7fff24125b

SHA1
3c1e2d9706890d3ca6145427ad433158b0e51649

SHA256
08b47ea1eec5bd1003baf859a9c63cc71374b47f178f924b89a30731cda8b8ea

SHA512
6e79a18d34529e6e1ddcab00e055fa30e702eaa812c39cf57de6a65978050108257ea7283f79a7a593158a12b67013a57870c282b0b8dd13418d7d9e946982a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
102B

MD5
35d853ca4dc51ffd0b9328582656c235

SHA1
66ae3ba2ceefa1014d4d864d1717596c62d3bdd0

SHA256
f12fa98d14919213e8bdf18a95589d2dc93ab6adbc081be211015f73a241947b

SHA512
4ffd4ba12382b72f57efa57655d102703580a5f61dc58f469440cc308f2e0fb91677f61589a6a51bb412c4adccc32bf113428a6e8cb6e53a1a03ba2c268b0b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc67C9.tmp

Filesize
5KB

MD5
955c29e6642db6b23d9ca8d18903794f

SHA1
2a12553a01cafeaf83d2f52febb424af00e649bd

SHA256
6839c94e5031c8646f5d3db534b41c09076e93cae238d1337aa8a1d41ad741f5

SHA512
30eaed32fb99fa62ef8883c4b6e34678175cf8ce24a953d80e43ef67a68f79e9a59996ea3cb4465c6f6d6e0b03a0fab1b241c1d21430bedc49e3e757293fe296

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6893.tmp

Filesize
5KB

MD5
d7d67a3915a3aae053cb2867a77fd9fc

SHA1
829757b4c84456ea3771deb6988e77bfc3ad117c

SHA256
d1d578383b3b0b42856bef5deb0fc8cd2406e1f9bc8f6818b2c719a66e6d8093

SHA512
bb877e96798c34921c613aaa44e424593a791f450a10e254e5a643ec774d527178c7b36bf91cf683e712d893e8e321c8ecafc6a2521f148200f769c9ce2d78be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6920.tmp

Filesize
5KB

MD5
666d582d0f49759982ad0b7cea623a35

SHA1
54f28f61b9f4ae52dcce4ee9eb8ac0b8d7809ba8

SHA256
b890a7bcccc09c2d2577b944bb32e3419d70458e5ecd02f2f846325b86bef862

SHA512
29d157e897c2e0547cf105ebee1dca1eabf410ef364fb807055e2dfc79bae4be60ae2d8f012ca02eb37696b335fa0eaffafa1db7a032b80945fcabf954b18d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CC8.tmp

Filesize
5KB

MD5
1efc3dabeb7009b6007394dd082dfd86

SHA1
a410d235b0cf2733a2ebccc1215dc6d0302a2540

SHA256
6185bd2851899871047c82a55a8019a7f3435270e8e93bc06aa3dc757ff55846

SHA512
25cf1e8e4a81fc324e1b0324c41f67381ca47760a9cd64b52111286f4ce2b02228db5c5e948586201628ba0a6b8fc73597b216ecfe3b74f072c3ba9c0e7e3bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D64.tmp

Filesize
5KB

MD5
a4da846ea032d0e25d23ca969a569fe4

SHA1
facf679f92a929a6fd914bb43f7b52e6536b6802

SHA256
329ca0161ca179613635d25604e61a249ba4f1b762f5672bfe27c3bb9a7f47d3

SHA512
3255e2339afa13b7e0f1d74572712bcb87ee7366859b3161bf2570b57a9738c1d195a14a7f784849e1ce2233f31b048c393c07f854c0a7a9fb037693d941f8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E0F.tmp

Filesize
5KB

MD5
f039d48c1767e0e4303ba43ffe355c97

SHA1
2e92eb77d16962623212f004480717303db5101e

SHA256
e78a94663d6c227a309e24b0952ee7ec52c49fe817a02f29516b36d24d465acb

SHA512
4a5e0e693827cbf1a742f71e8b6395382cdfee797ee1e8b0b3fb9e4132e593da9cc532a5cb0b2e9d660d2eefc29f6b0bba849792a6385100348d18cda0950ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E8C.tmp

Filesize
5KB

MD5
abeeccd127afe60188318600ec0e2795

SHA1
adc607f07fc09053d796abf25095c76b361436f2

SHA256
d1df4661c37810b6e6d906cad05c9e45c42a080f2b832e56c9e08316a35f6792

SHA512
7a6ff2db0e83b9b6d24210fb9a44ea3e0345221f656f46290841bf352edac16dc5a4cb4e8a914ef60c6ca507e6bd5eb1e169ea187feedb7b3050022567dc0ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6F19.tmp

Filesize
5KB

MD5
55e078852806b5d83533794483a09a7b

SHA1
ed79aa8f044b59bdef3c7091acab59f92543227c

SHA256
be654a24194cd1ffca4dd20466530905c4f208bbfe0f464746d6784bb56e60fe

SHA512
632b637781498756bbffa5b267d80ed155f6b89a2842a9691f7cf302ec8ddc1b360d1f4202661b666fd01a1335c6d0ef2f2c69a10c5ff15f086156f2eb031068

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6FD4.tmp

Filesize
5KB

MD5
4a95cbe7406a930bc0b431ccf5ec97a2

SHA1
1ef8622262c9d6c829affd42877361fec2ac105c

SHA256
61d27f9f3053d3366d2ea7234418be37478f0c1773d7d622f2b9c7e0c39f07a3

SHA512
b83016a32a253624ee336c74cfd1265f4bd5c95fa7667d776e236783a537215440b4d2a5f7ba6f9421a756ce11b22c3584544d3f9c5d9c4b0a7e12a5fc09da14

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7070.tmp

Filesize
5KB

MD5
0b29c6dc82961bb1ba502861a41b0a9f

SHA1
0491d8095d42138c473b92f400b6138662cdd8ef

SHA256
3152b3a5164b8f7ced037e4dce64e877bd6054d4d39caa0547c318ccd25d15f7

SHA512
1b4b429c2f60dd47f37bbdb40c19bcddb1b2c0c708b458c11969c89bb5f94db82dab6dad7ccc9c2112c50c0c584de93924a4be242a9738d6ccc36e6dd7ca55fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc70DD.tmp

Filesize
5KB

MD5
5b433d6e19bfb6046ea8babe98b38fef

SHA1
f7c31647ca9efd914a1bd005664f6216fc412c86

SHA256
71c163391ea0a47c536db329b28344f6b99f06c45d0d5d9a898b0c024d961cec

SHA512
f42496445d976b4d09942f2cd7cf60fa0abac253601a956eef473a0a8e632ad2552926a0c55edf6ca87e3e50e48d0833fe86143158bb413068206ad667fbbfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7437.tmp

Filesize
5KB

MD5
556ae762417965d4e6362dac7f6d00d1

SHA1
de59a1bd1e1cf8f213975e5fcd03cc1a74e25750

SHA256
92c67382383e236fcac528c6389533787a5d85f08cb4919f403e057773371d72

SHA512
c3b9590200285371334617feafd9aecf0b374fae08237fc31ce5e03655ad371af2c944b888f3f317906b246d81bc11561c48c5f5c3c7f487a6f503bfd286018b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqlagt3r.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqlagt3r.cmdline

Filesize
253B

MD5
bd943aba805c134f32ee2053677faa18

SHA1
189bd337a20fe719c90b619d89f7b2fca0dc69e5

SHA256
fe87b5cd06286fbdd421371ae62ce386115dbbc81a148e7d5750215c1bd333d9

SHA512
3c16aa5fd9f086d9e18a9fb7b6e78ca956d0fe668e1572de5211c41cf0f9f06641a2f04119fe86fd0df165dbf2a833449a9805649c0da224f396c3a08b07aeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3g4jexq.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3g4jexq.cmdline

Filesize
224B

MD5
5ef9c53f4bfb327097e61910a3cecd2e

SHA1
dd4db30b49235e89485333fb279c6dc42a817c0d

SHA256
40c7cf80b70fe235513a98d59a9a0cb22076f1d226e5b1f58338f7c6f848d2f2

SHA512
5695c3faa9739d9ddf049a7042d29f5a0998b7af9993f79bd8c0383bf8c885e7f004149ccb83496e535bf98d259c75fee92950bd924f01e5e784814b4dbb2401

Download Submit
memory/296-175-0x0000000000000000-mapping.dmp

Download
memory/468-182-0x0000000000000000-mapping.dmp

Download
memory/468-148-0x0000000000000000-mapping.dmp

Download
memory/608-106-0x0000000000000000-mapping.dmp

Download
memory/828-165-0x0000000000000000-mapping.dmp

Download
memory/872-102-0x0000000000000000-mapping.dmp

Download
memory/880-171-0x0000000000000000-mapping.dmp

Download
memory/916-185-0x0000000000000000-mapping.dmp

Download
memory/916-155-0x0000000000000000-mapping.dmp

Download
memory/948-169-0x0000000000000000-mapping.dmp

Download
memory/984-184-0x0000000000000000-mapping.dmp

Download
memory/1064-181-0x0000000000000000-mapping.dmp

Download
memory/1136-123-0x0000000000000000-mapping.dmp

Download
memory/1168-158-0x0000000000000000-mapping.dmp

Download
memory/1180-99-0x0000000000000000-mapping.dmp

Download
memory/1180-183-0x0000000000000000-mapping.dmp

Download
memory/1196-85-0x0000000000000000-mapping.dmp

Download
memory/1292-207-0x0000000000406BDE-mapping.dmp

Download
memory/1292-214-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/1328-70-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1328-75-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1328-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1328-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1328-77-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1328-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1328-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1328-72-0x0000000000406BDE-mapping.dmp

Download
memory/1328-79-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-144-0x0000000000000000-mapping.dmp

Download
memory/1424-88-0x0000000000000000-mapping.dmp

Download
memory/1432-173-0x0000000000000000-mapping.dmp

Download
memory/1504-137-0x0000000000000000-mapping.dmp

Download
memory/1544-151-0x0000000000000000-mapping.dmp

Download
memory/1544-95-0x0000000000000000-mapping.dmp

Download
memory/1608-127-0x0000000000000000-mapping.dmp

Download
memory/1628-174-0x0000000000000000-mapping.dmp

Download
memory/1632-189-0x000007FEF2840000-0x000007FEF38D6000-memory.dmp

Filesize
16.6MB

Download
memory/1632-188-0x0000000000000000-mapping.dmp

Download
memory/1640-187-0x0000000000000000-mapping.dmp

Download
memory/1656-130-0x0000000000000000-mapping.dmp

Download
memory/1656-177-0x0000000000000000-mapping.dmp

Download
memory/1676-134-0x0000000000000000-mapping.dmp

Download
memory/1704-186-0x0000000000000000-mapping.dmp

Download
memory/1736-120-0x0000000000000000-mapping.dmp

Download
memory/1736-170-0x0000000000000000-mapping.dmp

Download
memory/1776-116-0x0000000000000000-mapping.dmp

Download
memory/1864-180-0x0000000000000000-mapping.dmp

Download
memory/1880-92-0x0000000000000000-mapping.dmp

Download
memory/1880-179-0x0000000000000000-mapping.dmp

Download
memory/1884-162-0x0000000000000000-mapping.dmp

Download
memory/1892-176-0x0000000000000000-mapping.dmp

Download
memory/1916-109-0x0000000000000000-mapping.dmp

Download
memory/1948-113-0x0000000000000000-mapping.dmp

Download
memory/1948-208-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-195-0x000000000041C7FE-mapping.dmp

Download
memory/1948-54-0x000007FEF2FA0000-0x000007FEF4036000-memory.dmp

Filesize
16.6MB

Download
memory/1976-178-0x0000000000000000-mapping.dmp

Download
memory/1996-81-0x0000000000000000-mapping.dmp

Download
memory/2008-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-60-0x000000000041C7FE-mapping.dmp

Download
memory/2008-80-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-65-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/2008-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2028-141-0x0000000000000000-mapping.dmp

Download
memory/2044-172-0x0000000000000000-mapping.dmp

Download