revengerat | 9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

Analysis

max time kernel
151s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-05-2022 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe
Size

4.0MB
MD5

1d9045870dbd31e2e399a4e8ecd9302f
SHA1

7857c1ebfd1b37756d106027ed03121d8e7887cf
SHA256

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA512

9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Score

10^/10

revengerat guest persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2836-131-0x000000000041C7FE-mapping.dmp	revengerat
behavioral2/memory/2836-130-0x0000000000400000-0x0000000000420000-memory.dmp	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	revengerat
behavioral2/memory/604-149-0x000000000041C7FE-mapping.dmp	revengerat
behavioral2/memory/4576-241-0x000000000041C7FE-mapping.dmp	revengerat

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

4920 svchost.exe
1612 svchost.exe

pid	process
4920	svchost.exe
1612	svchost.exe

Drops startup file 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exe

description	pid	process	target process
PID 3344 set thread context of 2836	3344	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 2836 set thread context of 4352	2836	RegSvcs.exe	RegSvcs.exe
PID 4920 set thread context of 604	4920	svchost.exe	RegSvcs.exe
PID 604 set thread context of 4932	604	RegSvcs.exe	RegSvcs.exe
PID 1612 set thread context of 4576	1612	svchost.exe	RegSvcs.exe
PID 4576 set thread context of 1580	4576	RegSvcs.exe	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3776 schtasks.exe

pid	process
3776	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3344	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe
Token: SeDebugPrivilege	2836	RegSvcs.exe
Token: SeDebugPrivilege	4920	svchost.exe
Token: SeDebugPrivilege	604	RegSvcs.exe
Token: SeDebugPrivilege	1612	svchost.exe
Token: SeDebugPrivilege	4576	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exeRegSvcs.exevbc.exesvchost.exeRegSvcs.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 3344 wrote to memory of 2836	3344	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 3344 wrote to memory of 2836	3344	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 3344 wrote to memory of 2836	3344	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 3344 wrote to memory of 2836	3344	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 3344 wrote to memory of 2836	3344	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 3344 wrote to memory of 2836	3344	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 3344 wrote to memory of 2836	3344	9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe	RegSvcs.exe
PID 2836 wrote to memory of 4352	2836	RegSvcs.exe	RegSvcs.exe
PID 2836 wrote to memory of 4352	2836	RegSvcs.exe	RegSvcs.exe
PID 2836 wrote to memory of 4352	2836	RegSvcs.exe	RegSvcs.exe
PID 2836 wrote to memory of 4352	2836	RegSvcs.exe	RegSvcs.exe
PID 2836 wrote to memory of 4352	2836	RegSvcs.exe	RegSvcs.exe
PID 2836 wrote to memory of 4352	2836	RegSvcs.exe	RegSvcs.exe
PID 2836 wrote to memory of 4352	2836	RegSvcs.exe	RegSvcs.exe
PID 2836 wrote to memory of 4352	2836	RegSvcs.exe	RegSvcs.exe
PID 2836 wrote to memory of 4768	2836	RegSvcs.exe	vbc.exe
PID 2836 wrote to memory of 4768	2836	RegSvcs.exe	vbc.exe
PID 2836 wrote to memory of 4768	2836	RegSvcs.exe	vbc.exe
PID 2836 wrote to memory of 4920	2836	RegSvcs.exe	svchost.exe
PID 2836 wrote to memory of 4920	2836	RegSvcs.exe	svchost.exe
PID 4768 wrote to memory of 2820	4768	vbc.exe	cvtres.exe
PID 4768 wrote to memory of 2820	4768	vbc.exe	cvtres.exe
PID 4768 wrote to memory of 2820	4768	vbc.exe	cvtres.exe
PID 4920 wrote to memory of 604	4920	svchost.exe	RegSvcs.exe
PID 4920 wrote to memory of 604	4920	svchost.exe	RegSvcs.exe
PID 4920 wrote to memory of 604	4920	svchost.exe	RegSvcs.exe
PID 4920 wrote to memory of 604	4920	svchost.exe	RegSvcs.exe
PID 4920 wrote to memory of 604	4920	svchost.exe	RegSvcs.exe
PID 4920 wrote to memory of 604	4920	svchost.exe	RegSvcs.exe
PID 4920 wrote to memory of 604	4920	svchost.exe	RegSvcs.exe
PID 604 wrote to memory of 4932	604	RegSvcs.exe	RegSvcs.exe
PID 604 wrote to memory of 4932	604	RegSvcs.exe	RegSvcs.exe
PID 604 wrote to memory of 4932	604	RegSvcs.exe	RegSvcs.exe
PID 604 wrote to memory of 4932	604	RegSvcs.exe	RegSvcs.exe
PID 604 wrote to memory of 4932	604	RegSvcs.exe	RegSvcs.exe
PID 604 wrote to memory of 4932	604	RegSvcs.exe	RegSvcs.exe
PID 604 wrote to memory of 4932	604	RegSvcs.exe	RegSvcs.exe
PID 604 wrote to memory of 4932	604	RegSvcs.exe	RegSvcs.exe
PID 604 wrote to memory of 3776	604	RegSvcs.exe	schtasks.exe
PID 604 wrote to memory of 3776	604	RegSvcs.exe	schtasks.exe
PID 604 wrote to memory of 3776	604	RegSvcs.exe	schtasks.exe
PID 604 wrote to memory of 3444	604	RegSvcs.exe	vbc.exe
PID 604 wrote to memory of 3444	604	RegSvcs.exe	vbc.exe
PID 604 wrote to memory of 3444	604	RegSvcs.exe	vbc.exe
PID 3444 wrote to memory of 4256	3444	vbc.exe	cvtres.exe
PID 3444 wrote to memory of 4256	3444	vbc.exe	cvtres.exe
PID 3444 wrote to memory of 4256	3444	vbc.exe	cvtres.exe
PID 604 wrote to memory of 4860	604	RegSvcs.exe	vbc.exe
PID 604 wrote to memory of 4860	604	RegSvcs.exe	vbc.exe
PID 604 wrote to memory of 4860	604	RegSvcs.exe	vbc.exe
PID 4860 wrote to memory of 3064	4860	vbc.exe	cvtres.exe
PID 4860 wrote to memory of 3064	4860	vbc.exe	cvtres.exe
PID 4860 wrote to memory of 3064	4860	vbc.exe	cvtres.exe
PID 604 wrote to memory of 4388	604	RegSvcs.exe	vbc.exe
PID 604 wrote to memory of 4388	604	RegSvcs.exe	vbc.exe
PID 604 wrote to memory of 4388	604	RegSvcs.exe	vbc.exe
PID 604 wrote to memory of 1564	604	RegSvcs.exe	vbc.exe
PID 604 wrote to memory of 1564	604	RegSvcs.exe	vbc.exe
PID 604 wrote to memory of 1564	604	RegSvcs.exe	vbc.exe
PID 4388 wrote to memory of 3040	4388	vbc.exe	cvtres.exe
PID 4388 wrote to memory of 3040	4388	vbc.exe	cvtres.exe
PID 4388 wrote to memory of 3040	4388	vbc.exe	cvtres.exe
PID 1564 wrote to memory of 2320	1564	vbc.exe	cvtres.exe
PID 1564 wrote to memory of 2320	1564	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe
"C:\Users\Admin\AppData\Local\Temp\9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
PID:4352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4euy6fqg.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE79.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc205EE402D4EC4021A15A823AE6F3D3F.TMP"
4⤵
PID:2820

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
5⤵
PID:4932

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
5⤵
- Creates scheduled task(s)
PID:3776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fe7u-fg0.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B9456A36EE54FF29D523C81FC55D296.TMP"
6⤵
PID:4256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yneobja0.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CFE284C3FEF4015862A45337C80925.TMP"
6⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rj4gufpu.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8577.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F817EA7D19A4FB98870DA84821DCD51.TMP"
6⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m-auatxi.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8623.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD8239EDD33643C19ECDD1DB5AF71454.TMP"
6⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mqdgufcl.cmdline"
5⤵
PID:4184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87128DD7F9964098892F5C856EFCC838.TMP"
6⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b_3nb5i9.cmdline"
5⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES877B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4876DB659F824651AF872B11C7A3F743.TMP"
6⤵
PID:5004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w1hqpvfq.cmdline"
5⤵
PID:3080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45A7D5C1C84F4B0DBBEE6D363CB1228B.TMP"
6⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zl0j1uxb.cmdline"
5⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94EB5CB0AEBA4022B6EE858B43F0A4E5.TMP"
6⤵
PID:4664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6t6g2sqr.cmdline"
5⤵
PID:4060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8901.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc813133B75643471AB6ED9014E3F8B065.TMP"
6⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbdcracj.cmdline"
5⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A2A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AD6CCB8A76546F7BFBA23B4EF5DCB.TMP"
6⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kudfsf3y.cmdline"
5⤵
PID:4632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8E87FB7A4F4258BD50F3E6C6E378DE.TMP"
6⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9_3rog1v.cmdline"
5⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcECF6C369B5DF4FE99757903BE0C4BFED.TMP"
6⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pvuefx1p.cmdline"
5⤵
PID:3156

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98683535F21A459DA37A12540C8726A.TMP"
6⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s6txxkqs.cmdline"
5⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7D4D253403E49B791EF66F5239777AA.TMP"
6⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5-gkifi1.cmdline"
5⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD719CEB5EE1549E2AAEE356EC708AE7.TMP"
6⤵
PID:5080

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp.exe
Filesize
11KB

MD5
10bd15181d7a2956b4cf5e03441df74b

SHA1
f1747e28a2206d7c8c15a99eaae31c299092b750

SHA256
b0e95550dc098a439339115a195f2896a859fc0a5509f6929a2b5f8849298e0a

SHA512
e84828ed7536e9fa12c6347def054c6685b20f0b814b2ae662943d0616b15d4b47a42e32c78f92643c049d6f22c92fcbb278722f5b61c4c82fea660210eec5f8

Download Submit
C:\ProgramData\svchost\DumpStack.log.ico
Filesize
4KB

MD5
9430abf1376e53c0e5cf57b89725e992

SHA1
87d11177ee1baa392c6cca84cf4930074ad535c5

SHA256
21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381

SHA512
dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2010_x86.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2010_x86.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4euy6fqg.0.vb
Filesize
347B

MD5
8a280ce703f3d84f1c87d2039cfa73b0

SHA1
24d7d6172c2a210579852e5c40e273a4ab31dd1c

SHA256
6abc297b9266ff140ff94573067be7dded9a27b340ca986d88c21d94cb912dbf

SHA512
3eb698c12c854e22f65cc0e93f37319057f7e1c797ff3faf1fc1c0ae5edbca6c8788605b05662af73d810c390c6050f9cf8efed48e8240097d1222b6bcd3c3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4euy6fqg.cmdline
Filesize
209B

MD5
232aa4f04a22363b66d3319f06d6778e

SHA1
767ae647718ec296c3e563c1e0fb772f987e0c50

SHA256
31fe832dd801e266962e4156c6f4afd527003f9657949ca475308f2f16968eb2

SHA512
995842488c64d76baa8e5fedeb4d766df980605b942f126685cf875ea9dfe8bd8a61001bb04c2dcd14086186239d2925fe137a6e6ec48e717c15f958022554d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6t6g2sqr.0.vb
Filesize
273B

MD5
dbea023d7387685a4ea8a6daaf8cb8bb

SHA1
d298ff197f99a6a03a888bd15b91d4114032259e

SHA256
ec8e3bd19def9c26d695e0ad3db42646d5ec3109ff08f20d61e18131ca5bf2f8

SHA512
63b6ed1a9e8a211f6b215ddafab4e5d28028d7866d3ed5f41bffdbf2802798834f3a6a8dccac396046ca703274f22dbc658826698ea11ae80db16c87f93c9d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\6t6g2sqr.cmdline
Filesize
164B

MD5
414ef5691f518fd564fe98380a7b3da0

SHA1
5c00d94c22a015adc367dd759120822562c3b7b4

SHA256
abc3b4cfcbe326957641ae7dd147154c6b9a91bc18792803f4e166dbb41ba815

SHA512
01e2116cacb651e324ab4660e55adbdad4ce39aa476e69486acdff2d36cdfdfc1c48bb8208863f9a1bf083a6569a45e4d098b1592824c1229ba59669df02e469

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_3rog1v.0.vb
Filesize
282B

MD5
d191905db04a4ace4578e7a9efe85fde

SHA1
80f4570425825c58322d99aa82a9044c7e3a6b72

SHA256
a4f778776df9ef556a64b71db08be8f736b735db56f2bfb5c52ccb8a2d71de58

SHA512
932bfc6358a93ea4da35b14b35d4c2dc065cd16e2a50ef7b4b6096008dc9737f65f752d4edd20b5aa71e2cbe57dbcad27d6bb2b10fc5d615b7d952bfa827720e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_3rog1v.cmdline
Filesize
173B

MD5
1629902f2e1e5b9cbd0f00e3900f457f

SHA1
fe4b66ca57dd31fcd148ac219ad4254d2d0d6f10

SHA256
04691b6686604e3539b15c4fee6cfa3f770ed8e3ad6b506bca173d0a84e6f088

SHA512
0b07014c509806beb7084cc978fc4207cb3c9c62d58e736ad50710d8481f0ae606ecb6da8d6c27287a6ce34f3fabcaf76acd434c4f95bc4eed813dd1f6bd86a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81AE.tmp
Filesize
5KB

MD5
4fae5fa7280b1f2027244e139d061519

SHA1
08eab20ec650a50ef7b5cc20841811604fcd3986

SHA256
13e37c9bcba75bcc345761ee5b99fca8d8d6d56bba3f503b849d729544e7bcea

SHA512
38b073cdad360eba1f9ee1bb420aeade0db56dc86befdeb1448921e519aa0efd58b1201dd9e7415627d3ea878040f34beddcecf2921ea65bafabdec41f1de4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES83F0.tmp
Filesize
1KB

MD5
037edd1ea9968bdb54ed10d6f4aaff7c

SHA1
1d0df6ae29eedd0361fe5cebe91e83adf79d544d

SHA256
af21faff1a3c9d7787e6f56a8083e019c218facb954f9fc9eaaee6b2dc808a1e

SHA512
8faa5da586f90a7a836f8a69aba2e958b8db6ac1d7cc651ca7d5cb2c28c9d97c61771654e4c19b98764c4fc5eb623c90845226f2f57f480e1e2cef0c82950a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8577.tmp
Filesize
1KB

MD5
0bb2eb453039ac133cb4f37285999fc3

SHA1
e17a139399be7468a9cfafd3f077f6930206a4a8

SHA256
22e141a572bdd9a272e137bf8985f362cdbb99517118f9227156e95e11095805

SHA512
21258abe024cf5bc9d181f31f34606ab7f0683ef0b93aaaa156134e790ba284006ff06c3187f8689679dcaad420b1d04e98144ee2400e4605669cd1d12811fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8623.tmp
Filesize
5KB

MD5
1ef4c666e81f8b7f12e5a2f627d27dd7

SHA1
75168867260ae66e8c9f3ee3001913f0d79b42cc

SHA256
5404ff8193370bbbd25f0a17c548d51d52820522c905a4274c6da03366cb2910

SHA512
9384eba99be9ab9e8f6ba9e05a2079f80a89464dd45c2415234cbdc26343e8a25fe917f4d67072d81f89eeda389efd462bef5d64ff4588569272f047d2a976e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86DE.tmp
Filesize
1KB

MD5
b0b202b9311c65aeacc6e1c323e7b0b1

SHA1
1d20067e47c1f2309e04c9678b537c97558d7b34

SHA256
9fd462ab7383fb4fe206c60b5e522121a7d900e32a3caf698c91ba27eb20ae27

SHA512
b1a8677defd310bc0085b78d8cf468bf199a98ebd9c4b68403c7f34d417aea710fbaa89b95b54399b3048ac9581ce2e6961a878204e068e80885051120d39d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES877B.tmp
Filesize
5KB

MD5
7a0f499775481c8eab616fe78b057b21

SHA1
872360f3a4886d858a5863d9b84bfde273bd2bb0

SHA256
868736ab77f31d8f7ba0395b18dbf005217dd80d87387f648e63ff34f6e91273

SHA512
b24d852fa823bd288f0a03f50f0c1b85f2c457cb4a6b3b16e98423cd3430326945b59af15bcd29fae257b6ed72d0106004acc6550370915b129496f82af89db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES87D8.tmp
Filesize
1KB

MD5
935ab7997532c3fa0a0fcf1cda27a6a7

SHA1
67ca690478f2e0688128a00e6d5e00b5cfcf309a

SHA256
08c801366bae8926c792bba6bae6486089e48a24f2b9ce910cd9f6a53f99072d

SHA512
02201683837faf381f5cec3dc0a2e51657a125588f0a578712f41165a0c4d385a6b1b6bc891d85fd4eb45d21f041eccf6eb4d9e0dcc62688b9ac4d7cb97b991c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88D2.tmp
Filesize
5KB

MD5
536a06adb155abaad979a02736a8ba26

SHA1
c621e0ddaf0d2122fd6d9a1cb0f281348fb153bd

SHA256
a571052e624b073202296786122c9fae9dbe4114f3dd0a1e6d7109d6b9f17efb

SHA512
f1b23598de77a414e05d581c93d7ad2fc1747a7da60ab5a759c47827622f605d0457c8e4c63898d980c78b192a0185ee24902f41ef3d92c3308429b23322ecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8901.tmp
Filesize
1KB

MD5
9bdb88def1cf1dc6e102d38291e2e844

SHA1
f23239294cae83fb4205b4d4cfb2042d638eeb1e

SHA256
25877e1b0ced0353db05e822df1f136ce211c7a7c82bede2132f0f0074242db4

SHA512
892d9d1e5b698b64e6ce05b3a8c1123720bf7f79ad64b68eef042cb275bd896c4c7a0163f707c47c49f7a4a90966fa3184c7aa71314f94d6625c9728d54f33dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A2A.tmp
Filesize
1KB

MD5
d91413043e10cb115e1c0bf339acd15c

SHA1
43e9f8e03bea399b04a06f0f3a80038fca5de4e6

SHA256
c3ce23d2fcc51e0352f6ec01a4dc4997393cab044e2d728943c8cb9db21f5161

SHA512
f760f6ee4926ab5b1405badfc3672f2154abb3afdf572905c662570688981fc37c8ff363292feab3db589b33dee7bb68f321229b0413d387bc655b41f6051ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A49.tmp
Filesize
5KB

MD5
e20bd459fb755f2cb41391652d06233c

SHA1
a11a11474b388f29825e4d8aaa0dc0e7d2809f19

SHA256
1944c29f11538051a343d84254c74d0a3594274717e628160f3c5619809bb667

SHA512
71672b2669f6eb65ab3cc41308c6f3a4d15909f5671930485f588dc0444eac1e2142bb7c7576540508c350a9af96ddf1cae76551043eea95ed6808d30e74cc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE79.tmp
Filesize
5KB

MD5
9b258a1a69b02e0c3cd3e5ad30a3649e

SHA1
e2afd25cf30d1a237323b933a11461a1d8f64495

SHA256
ce0aa863a1da952a196e4aa514e1cc069b1e6134398e447af7c94acfd25bf14e

SHA512
cfcf7751b6d628490207935364b1765dc76a0c50dd3c75e96a56b7a2a032c849b6caf15ee6b7721ed605735c87c0a684853d40918bc3fa92058f2b9390e8d922

Download Submit
C:\Users\Admin\AppData\Local\Temp\b_3nb5i9.0.vb
Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\b_3nb5i9.cmdline
Filesize
253B

MD5
a4b12d04ff804a608991d36447ccec71

SHA1
35fbec5d692820ccd4691f5e4bbd84c8cb94742c

SHA256
478353586da9cd2cf1b7e8856368110fee3364fa99aa449e2851464dd0417222

SHA512
2e7e91adefcdf5ddb84045017957b9799e34f9477db686e62573b0a0561f8de7e541f85086fc5168f564e69e714ec8680ca0e201bef4ae196927ab626ea35511

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdcracj.0.vb
Filesize
279B

MD5
4580281c1784ead9ba81cd3a03438f92

SHA1
ed419009ddd9e5721c9e56d02e8413cde59c12c2

SHA256
7c0097d8d5a2bf996778d97bf447ac3de212108ad89a31ba199a27389e13b07e

SHA512
ec0f9653eba7ede40e7c15b16e4783e2fb8efa8794e35995a7031ade450a0372d747fbaa92ac76b0d17fee07a5ff305c92ffd6e1800d9becfeaa6ebe6694964a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdcracj.cmdline
Filesize
170B

MD5
1687997f87d75448ce49b02858707edf

SHA1
2e27c7107b74a3bc6b25d4814a55fa1292bcf9b8

SHA256
30dca88b9ab3fbc80fb7e185c3e2a312220fd5966e3eb89bb17482d105b7bd45

SHA512
d6a5f52dc823a953ddca4c56f9a303d37f43704263859d88740a37d9426e0f53730b9993098959840227a1edd1b2c7ee0a695900d384c9e67f123feaca7630a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe7u-fg0.0.vb
Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe7u-fg0.cmdline
Filesize
253B

MD5
b44d0a438e82f44d6682f4daa408640d

SHA1
15e138b378c5875222dadffc0b5d04acf0026daf

SHA256
f20203a021ead808c2a67a16a23f6c4c94388f20c09efddeca330f6e5c1bb242

SHA512
b728c40ca47eb2860c12329955e967be32e7b6657eeee9f89ac491a49928e6cdbfc708dc810b13157fadfab90a69bcaa357151c1e43da2e3023163dca5a311a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kudfsf3y.0.vb
Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kudfsf3y.cmdline
Filesize
261B

MD5
cc1cd9d78df8cb7a152040753f788e13

SHA1
7adf2353874e3636c91eccdbc1cc81c11a0377fa

SHA256
649d77fea5029e731b8c285e62a205a8cc250f9f196325ada7444a32427f1351

SHA512
55d9787d4738260eec788b5353c8b5d2fb1c75239b51163506a9431e3c6d96f3efc9acbd7c72b46f01f3beff882c57dcf78e4dbcf3d280ef691c31d0eea7bb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\m-auatxi.0.vb
Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\m-auatxi.cmdline
Filesize
224B

MD5
b9b73d0a59b7f52389bdd6756c2bc4b8

SHA1
3f0c1eacf83d8999ec68d5a7a824443442e78944

SHA256
a84aa06343204b54ceddaf1563baca6020fcd9015a937b2e8d97dc505d1baf4c

SHA512
e1d08d581b16d882f8da4200acc25d69b7f62998000c5aa1af9c69c98ecffceb8406bb4284201159d6e5fbe4669dc5d862f4eefc525d86840582fb496c1f4c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqdgufcl.0.vb
Filesize
280B

MD5
b77a186995634af20ce8b006671fecfe

SHA1
4ecf62cbf48d0f6ecd011cec5c09cbb128b0e653

SHA256
d5a80c6859c4c155f89cdc76f0092bf009f7311fa5e4352993fb6eea0ff00df6

SHA512
bcdb2e73b7d369e0c8f3d12fd955e76f777a22137f3c813c39346458982405780db77a15afa46fdf5cf282ee06ae6c85f3350e89d4ed410b34a7e869bc250927

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqdgufcl.cmdline
Filesize
171B

MD5
9f9737a826472431c3585f7d81c7c88e

SHA1
a5c18890ea6ed75a4c2a39efbb9ccf187f53ed27

SHA256
7c180299665fa5fbfdd64536596e0fa1103b0362584a57bbaafce3e8f6754798

SHA512
dcb5d8e7a03797de0f9a20bc204c08054a1d82b8f0ddb38120eeb6a1c351ee15e8d4bfde94e06c5b180a317e7ddc650a353e85fc7718bf4938466836ad4f5900

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvuefx1p.0.vb
Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvuefx1p.cmdline
Filesize
267B

MD5
368649420fce3ab6fc651b660f144be1

SHA1
cdcd0b530b74e2157ff641a5025c9425fba34229

SHA256
656fc073911ae009e68db64e12afc1a6c2081ab7ce823414bda1af5f50b8aa46

SHA512
b4ace169d05e213364145cb1e165deeac11dfb427e77e1a89dc6092d32eaf15fb27cba47adf58e7ada7ceba35e70dabde5c73307b08e330276973b458f156cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rj4gufpu.0.vb
Filesize
281B

MD5
e74b78fa9f340aa84ea9521425d20721

SHA1
9ae5c680b046a29675c1d8e26513ca1bc4f6bdd2

SHA256
90447f9b09a6d9481a0cf4c14918e742b91822f8b28c0abc247a746fc83de10d

SHA512
7c16a47d4ff390f681e840aec30761788ac07e0dfd6c68c8cd84cf52f1d30d293fc03fe4644c54bd92a84ea2d652156c04fe2bc80e33eea2ec387bc1fb875341

Download Submit
C:\Users\Admin\AppData\Local\Temp\rj4gufpu.cmdline
Filesize
172B

MD5
9f4d5d22c2ea7ffa03f069c5f9a91df6

SHA1
4ead8ae98c5e6c95e1ac87f90a44ede27c77094d

SHA256
719dabbc421f841a769c438e238dc3f2422d86948fdf1fc802883ef1c0911f4d

SHA512
b080004aa20160f1ccf8f676414de37963830f93feaa79c40bed82b95fb6759d863a341b2434de445b451298459a3e698af59d60bfca5131258f83a2222891f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
102B

MD5
35d853ca4dc51ffd0b9328582656c235

SHA1
66ae3ba2ceefa1014d4d864d1717596c62d3bdd0

SHA256
f12fa98d14919213e8bdf18a95589d2dc93ab6adbc081be211015f73a241947b

SHA512
4ffd4ba12382b72f57efa57655d102703580a5f61dc58f469440cc308f2e0fb91677f61589a6a51bb412c4adccc32bf113428a6e8cb6e53a1a03ba2c268b0b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
88B

MD5
afcdb79d339b5b838d1540bf0d93bfa6

SHA1
4864a2453754e2516850e0431de8cade3e096e43

SHA256
3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95

SHA512
38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc205EE402D4EC4021A15A823AE6F3D3F.TMP
Filesize
4KB

MD5
7f2155903d9d46630c04b924131c70d6

SHA1
5c64cf895433b593496e5de7fe9f5c77ec98d33e

SHA256
496f2dd424b829f0ad914d9a78a686ac68c3c1ce5dd2412424c5ee0aecd4e18e

SHA512
32cb5486d97328f1001801d7d364f4cd56557af71331d60d4e8c78bb3bb1ec7040b14740f02e467041cef179db5e775cff8d2399badfa591bfb5f1f0a121d0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3B9456A36EE54FF29D523C81FC55D296.TMP
Filesize
5KB

MD5
249d49f34404bfbe7ed958880be39f61

SHA1
51ec83fb9190df984bf73f2c5cd1edc0edf1882a

SHA256
fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b

SHA512
082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc45A7D5C1C84F4B0DBBEE6D363CB1228B.TMP
Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4876DB659F824651AF872B11C7A3F743.TMP
Filesize
5KB

MD5
d01de1982af437cbba3924f404c7b440

SHA1
ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce

SHA256
518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598

SHA512
a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5CFE284C3FEF4015862A45337C80925.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6AD6CCB8A76546F7BFBA23B4EF5DCB.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7F817EA7D19A4FB98870DA84821DCD51.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc813133B75643471AB6ED9014E3F8B065.TMP
Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc87128DD7F9964098892F5C856EFCC838.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc94EB5CB0AEBA4022B6EE858B43F0A4E5.TMP
Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBD8239EDD33643C19ECDD1DB5AF71454.TMP
Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF8E87FB7A4F4258BD50F3E6C6E378DE.TMP
Filesize
5KB

MD5
2f97904377030e246bb29672a31d9284

SHA1
b6d7146677a932a0bd1f666c7a1f98f5483ce1f9

SHA256
7e033003d0713f544de1f18b88b1f5a7a284a13083eb89e7ce1fe817c9bb159f

SHA512
ddf2c3a3ec60bed63e9f70a4a5969b1647b1061c6ff59d3b863771c8185904d3937d1f8227f0e87572329060300096a481d61e8dc3207df6fe0568da37289f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1hqpvfq.0.vb
Filesize
283B

MD5
3e4e9235ce3ee5cc3dcfd2ae0094cad1

SHA1
9361befb9e40acdc08da7937055885fc0809e93b

SHA256
5f6cffb6892b34e718287ec29358945ea1fe8bda8b42f8704ec21a5c839a458e

SHA512
3bd6e12ef0574d260484848dd4b240849d7ea579244c1b56bab2068f3a5e6ae3f43d84febc86f6915ac455d0ecba964bdac075d6dfca656e2a60824aaa6d92b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1hqpvfq.cmdline
Filesize
174B

MD5
49e515f4a629ec2adb2918f932d586fd

SHA1
9c0f5015da45c6c972a6438b62eb76bcb9668653

SHA256
be8fe46481e1676c99906798037c71c1a95395c62a18d3a9aea7790645f31e40

SHA512
cec04d15c2192e81049a73c8e71f92de0db819a2965f0c7649a2aeb55328cc892501f3578d25177ec896ee02979ece2cb586833f61c3a9803626d4387b183d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yneobja0.0.vb
Filesize
280B

MD5
24f16281edbb494caa9395e5f321fb4a

SHA1
5905c6be6149bf3f915e0acebc610851811b121d

SHA256
9c8bca52e106eefeb17387bd6fefe7341f280d7dafde8998bfd11486d5c0b8b8

SHA512
c606b756f0f5fc669f885d7125873e2145ef8bdc9c05c813795594efa76095cc428cd494cf151df622af199c89108b2992cae121fad77fd954c717528dbfb875

Download Submit
C:\Users\Admin\AppData\Local\Temp\yneobja0.cmdline
Filesize
171B

MD5
2a0b31eee2303fd0dee949b69526f70a

SHA1
284de84195663be2419f806164058a83b1772107

SHA256
416cf20f993465d4b161fec75d4a3bc6084d42ace592f2a4812a673ce450df89

SHA512
7512c4138a43ad89409b9dd3ff2bb70e6680c379dff4884fde445590dbbc8853f196ca1ea325f27dfa3cbc0921018a39e1490d849ce77ac1c996197ae78ed758

Download Submit
C:\Users\Admin\AppData\Local\Temp\zl0j1uxb.0.vb
Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zl0j1uxb.cmdline
Filesize
224B

MD5
99ee03d87f90f1ec7e15e6339ea26fb1

SHA1
eac8bfa6b0551aaa7be3119279ce9c857250bf5f

SHA256
6432b4d0d32a8743bcd5e83d535e1495ff63137cc42b792e37ddf247bc837108

SHA512
ad2ad07963b0e3c8408a370b393007534a407b3085a67ffa3d2c125c64d3a20db5ff347fdafc86f4c9e4dcb95a9f189a3bee4ef64647d94cbab6576438ca29d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
memory/320-185-0x0000000000000000-mapping.dmp

Download
memory/604-150-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/604-149-0x000000000041C7FE-mapping.dmp

Download
memory/764-199-0x0000000000000000-mapping.dmp

Download
memory/1040-216-0x0000000000000000-mapping.dmp

Download
memory/1312-237-0x0000000000000000-mapping.dmp

Download
memory/1408-200-0x0000000000000000-mapping.dmp

Download
memory/1484-236-0x0000000000000000-mapping.dmp

Download
memory/1564-171-0x0000000000000000-mapping.dmp

Download
memory/1580-242-0x0000000000000000-mapping.dmp

Download
memory/1580-245-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/1620-224-0x0000000000000000-mapping.dmp

Download
memory/1808-235-0x0000000000000000-mapping.dmp

Download
memory/1968-210-0x0000000000000000-mapping.dmp

Download
memory/2012-187-0x0000000000000000-mapping.dmp

Download
memory/2320-178-0x0000000000000000-mapping.dmp

Download
memory/2548-238-0x0000000000000000-mapping.dmp

Download
memory/2820-145-0x0000000000000000-mapping.dmp

Download
memory/2836-132-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/2836-131-0x000000000041C7FE-mapping.dmp

Download
memory/2836-130-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3040-175-0x0000000000000000-mapping.dmp

Download
memory/3064-167-0x0000000000000000-mapping.dmp

Download
memory/3080-190-0x0000000000000000-mapping.dmp

Download
memory/3156-229-0x0000000000000000-mapping.dmp

Download
memory/3444-157-0x0000000000000000-mapping.dmp

Download
memory/3508-221-0x0000000000000000-mapping.dmp

Download
memory/3776-156-0x0000000000000000-mapping.dmp

Download
memory/3908-227-0x0000000000000000-mapping.dmp

Download
memory/4060-203-0x0000000000000000-mapping.dmp

Download
memory/4184-183-0x0000000000000000-mapping.dmp

Download
memory/4256-161-0x0000000000000000-mapping.dmp

Download
memory/4352-136-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4352-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-133-0x0000000000000000-mapping.dmp

Download
memory/4388-170-0x0000000000000000-mapping.dmp

Download
memory/4576-244-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4576-241-0x000000000041C7FE-mapping.dmp

Download
memory/4632-215-0x0000000000000000-mapping.dmp

Download
memory/4664-207-0x0000000000000000-mapping.dmp

Download
memory/4768-137-0x0000000000000000-mapping.dmp

Download
memory/4812-232-0x0000000000000000-mapping.dmp

Download
memory/4860-164-0x0000000000000000-mapping.dmp

Download
memory/4920-139-0x0000000000000000-mapping.dmp

Download
memory/4932-154-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4932-151-0x0000000000000000-mapping.dmp

Download
memory/5004-194-0x0000000000000000-mapping.dmp

Download
memory/5080-239-0x0000000000000000-mapping.dmp

Download