revengerat | 9081b8dc4bac6ddfe0a3c54ef32cb810be6b012a2d82ca70c3a4b9466b436086

Analysis

max time kernel
107s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI098788765.js
Size

229KB
MD5

a94120f574ef044bd35a4e167d6e5a05
SHA1

ec73c38470585db035b6a6716495afaaa83ff577
SHA256

9081b8dc4bac6ddfe0a3c54ef32cb810be6b012a2d82ca70c3a4b9466b436086
SHA512

5e737de130ac934ddc0ca6a3cc345a3e4da9f1c61f244ad79bab182da2e5173ae7633bbda78d3a375755140100b768c82e6e82b36ee27469e0252f4424ee7bdb

Score

10^/10

revengerat guest persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

blessed147.ddns.net:8089

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 19 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\REVX.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\REVX.exe	revengerat
behavioral1/memory/1368-65-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/1368-66-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/1368-68-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/1368-69-0x0000000000407CEE-mapping.dmp	revengerat
behavioral1/memory/1368-71-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/1368-73-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
\Users\Admin\AppData\Roaming\Client.exe	revengerat
\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
behavioral1/memory/1512-102-0x0000000000407CEE-mapping.dmp	revengerat
behavioral1/memory/1512-104-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/1512-106-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
behavioral1/memory/1580-201-0x0000000000407CEE-mapping.dmp	revengerat

Executes dropped EXE 3 IoCs

Processes:

REVX.exeClient.exeClient.exe

pid process

1452 REVX.exe
1456 Client.exe
436 Client.exe

pid	process
1452	REVX.exe
1456	Client.exe
436	Client.exe

Drops startup file 7 IoCs

Processes:

RegSvcs.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js	RegSvcs.exe

Loads dropped DLL 3 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

pid process

1368 RegSvcs.exe
1368 RegSvcs.exe
1512 RegSvcs.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1368	RegSvcs.exe
1368	RegSvcs.exe
1512	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

REVX.exeRegSvcs.exeClient.exeRegSvcs.exeClient.exeRegSvcs.exe

description	pid	process	target process
PID 1452 set thread context of 1368	1452	REVX.exe	RegSvcs.exe
PID 1368 set thread context of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1456 set thread context of 1512	1456	Client.exe	RegSvcs.exe
PID 1512 set thread context of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 436 set thread context of 1580	436	Client.exe	RegSvcs.exe
PID 1580 set thread context of 1456	1580	RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

916 schtasks.exe

pid	process
916	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

REVX.exeRegSvcs.exeClient.exeRegSvcs.exeClient.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1452	REVX.exe
Token: SeDebugPrivilege	1368	RegSvcs.exe
Token: SeDebugPrivilege	1456	Client.exe
Token: SeDebugPrivilege	1512	RegSvcs.exe
Token: SeDebugPrivilege	436	Client.exe
Token: SeDebugPrivilege	1580	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.exeREVX.exeRegSvcs.exeClient.exeRegSvcs.exevbc.exe

description	pid	process	target process
PID 1684 wrote to memory of 964	1684	wscript.exe	wscript.exe
PID 1684 wrote to memory of 964	1684	wscript.exe	wscript.exe
PID 1684 wrote to memory of 964	1684	wscript.exe	wscript.exe
PID 1684 wrote to memory of 1452	1684	wscript.exe	REVX.exe
PID 1684 wrote to memory of 1452	1684	wscript.exe	REVX.exe
PID 1684 wrote to memory of 1452	1684	wscript.exe	REVX.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1452 wrote to memory of 1368	1452	REVX.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 472	1368	RegSvcs.exe	RegSvcs.exe
PID 1368 wrote to memory of 1456	1368	RegSvcs.exe	Client.exe
PID 1368 wrote to memory of 1456	1368	RegSvcs.exe	Client.exe
PID 1368 wrote to memory of 1456	1368	RegSvcs.exe	Client.exe
PID 1368 wrote to memory of 1456	1368	RegSvcs.exe	Client.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1456 wrote to memory of 1512	1456	Client.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 1556	1512	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 2020	1512	RegSvcs.exe	vbc.exe
PID 1512 wrote to memory of 2020	1512	RegSvcs.exe	vbc.exe
PID 1512 wrote to memory of 2020	1512	RegSvcs.exe	vbc.exe
PID 1512 wrote to memory of 2020	1512	RegSvcs.exe	vbc.exe
PID 2020 wrote to memory of 1452	2020	vbc.exe	cvtres.exe
PID 2020 wrote to memory of 1452	2020	vbc.exe	cvtres.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PI098788765.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dEvUnnXvDV.js"
2⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\REVX.exe
"C:\Users\Admin\AppData\Local\Temp\REVX.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:472

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ludxwohx\ludxwohx.cmdline"
6⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4970.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA57E0ACEEA114661B076611EFF2DA71D.TMP"
7⤵
PID:1452

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
6⤵
- Creates scheduled task(s)
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\elocmr5a\elocmr5a.cmdline"
6⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AFE404B35D04A98A8F9179D8E572F9D.TMP"
7⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iw3vuth1\iw3vuth1.cmdline"
6⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB9B505A186D40B5B624E5E00DE2B35.TMP"
7⤵
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r13i1qim\r13i1qim.cmdline"
6⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87A507FAFBB14323BBE87AE2FB7239C.TMP"
7⤵
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0vygddl5\0vygddl5.cmdline"
6⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DF1DC06A04F4EB6B6DB55645A30B3B2.TMP"
7⤵
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ogbvceg2\ogbvceg2.cmdline"
6⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C8FA701F7644FF6903E5B7B24FC9192.TMP"
7⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\klkf24cy\klkf24cy.cmdline"
6⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3020A2C7D84244289D9E5831CABFDFC5.TMP"
7⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pu3oezt5\pu3oezt5.cmdline"
6⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB31BD44229340CBA9A44504C48BB45.TMP"
7⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zyto3jdn\zyto3jdn.cmdline"
6⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES519A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc792279FA7BEA4B0299D59AC22EFDB2.TMP"
7⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\muhnehlh\muhnehlh.cmdline"
6⤵
PID:1012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5255.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc694D20CDBFB24A3F9E3B66FC3EED585.TMP"
7⤵
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jgp5sxy1\jgp5sxy1.cmdline"
6⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5330.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88EC01242FAA481B9485C338BADF76.TMP"
7⤵
PID:1688

C:\Windows\system32\taskeng.exe
taskeng.exe {738BB17F-6284-4D17-8226-D97A2E7CF33F} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
PID:1236

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0vygddl5\0vygddl5.0.vb
Filesize
275B

MD5
9330d0253cc37b933ad7883af5bb188d

SHA1
bb1330a1dfff6a408a4d5921b8353bc16ba2a1e7

SHA256
0346323260a55ee97b62f4b43775634e7ea15ee3e240d62fe32b498d269d2357

SHA512
6c55caaa3894ab48e9a4e59cb660ac50ac31eaed49a640bb8be7c0e5a64363456d75e1d080f57726d34cef55cc9410b60775c1967ced5fa0c91b0a860ee50648

Download Submit
C:\Users\Admin\AppData\Local\Temp\0vygddl5\0vygddl5.cmdline
Filesize
178B

MD5
db7b5a3e7823f3a74bd909ab8ea647b3

SHA1
d2ab9efa7a05446b587444808f7089e89c5ad16e

SHA256
2aa9eb0231294943cf2f5558bdd82f380ff75e7cc95488d574884b2522813f06

SHA512
d45e9433f7f14f537d4ce3dbc99f58547773d2ea8a2ae018bd654af1debe48b4272e370209d085be5d12d41cc07435aba044475a309ed0535c83b3a7fae8491e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4970.tmp
Filesize
1KB

MD5
8b85c814837334f006f412ba27818bcb

SHA1
cce8b1d47a22f7621af016f67ed9d1e82ce25a64

SHA256
478d016c7e88c501f57e2fe52999f963b9a3039e6fda648dc5f68050bbe9378e

SHA512
6ce417dbe51c752fb43ee52199956fbe1cf7e780d72c061c7f045bc67157ec7746aabf188e21e207a0db46a9281d625159c817ac78a859a4b984fd999ee4bd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4AB7.tmp
Filesize
1KB

MD5
e9452bd382f9178391e8479df6beab20

SHA1
4ba198481127c7df8edf4282bb72ebd3b6b67f02

SHA256
6391a8d49a7933cff4f2fea751d6e91293e8d2b344cb35443a4447e289a6e2ad

SHA512
d09646b97bcae82dd5ba8f1db458524f97463d2a355d94ed816cdb2df8db5ae51d8837bfa652a4b49ab2eaabd12ee30871747084584e9b0e63cd409880233e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C3D.tmp
Filesize
1KB

MD5
f1836a6d8a00ef10a226c65bc178fb2c

SHA1
a3c585b717ec0a160fd96d80f918cea2e7becca4

SHA256
35d83b64e16dc4c0dff1744c7bcba274a5557c9f1e59313fca90969a0e56f65b

SHA512
d1cbddf4ebebf544445d9b6426bf10208a64f10fdd74ec4f4e0eafc598997952ae6bdc3a39c210519f058f55d7855e5b6e5dfe8e06a424e3d1ca90e7f65b470a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp
Filesize
1KB

MD5
cb4fd1887edec8d20a6411ffd5e27df6

SHA1
0ba326fc55dcfa242c99c3b1ab82e6c776d805a5

SHA256
62fd6059cd7428f3252de4105b6dd9ebd91807401e93c61e7592b16eb6e7eb4c

SHA512
79d07b882765463b3d061fa85e2f47dd03f2eadff50e262c1a52d1c8ab5a9e68b5c1e97b92029123bab80224abe8ed3efd5406fc77eb2dacb6bc210d36689f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E02.tmp
Filesize
1KB

MD5
ac364993399cd6b3a4a8edf5550e34d1

SHA1
07e3b45f1a0d35915296ef1b4b58b4d908ce50b9

SHA256
25cef11c7521ae096df29132c96057b83674b41efa6d06119c57a522cd84c480

SHA512
3c1a7e3ce92929b9c04c1337dd61d809474831019a6b7abea6beb2af72907564cfc451a11aacb2dde34bd821421a8b8f611b2ad4478525096276dafe1e139764

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4EAD.tmp
Filesize
1KB

MD5
96b4040bdd54dc563963d4eb2b612fc8

SHA1
5152973c31dfa94285190557e6dad6fb4c91427a

SHA256
2133dae3191cd6624f8208b84332749ee8b4cbda5ee4630c3556dc71dfb08a8e

SHA512
ef3c0b6ed9aa3ac85be121a6f54a4a9cd237c0df5c13351e668c3ee0fbc57bbba2882adf598d57d8cc7e830a0926c5b92854b57250a4eb386abbce050955abd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F88.tmp
Filesize
1KB

MD5
c5aac16cdbfb9dfccd51eefdf8c7b03f

SHA1
a9ef81bc4828c3592915d2af11ac51fb666ee343

SHA256
d6e928d8697480fc2fd9b237b178fd547e02d08299b54806be9597e6f311be5c

SHA512
e58eeb9034bcfec9de00004695a8c49824f91cf0d1c394b9ddbc274c471e38ad987bd0c1ecc5e0b29941d5d875f66eca9bd8676a43e13b12031c5a293037d619

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50A1.tmp
Filesize
1KB

MD5
1bfc17bcc191a4f5b91c3066d77a07e9

SHA1
76f47b3208809bddffc88b1bac522e22a1929c19

SHA256
01b7d81001578e57cc71e06ae6e1f7fcd8b19bbf1288902c3b0abd9c4e6e3a2f

SHA512
c7bed3bf0f3cf0ed5d3cf3a0c6ccc5280988cccb497cdedee089adf12c914184cd8572b54b6743b1e776811ec412a8f1704928c227f2fdcaec877966e71fa2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES519A.tmp
Filesize
1KB

MD5
4750e5f97ba06b761f807a3b3ad68880

SHA1
94d9aa9edc63696a201076381e3031a9990f1274

SHA256
48eb4b2d517b093d0c87bf5f6fc9aead95cdf66834b5eb9c892361e0bc5785ef

SHA512
6c54e15a1a6401f447f2c3c75fd4d268d5e20931fde497c9c91f0243082de138ba695f2808503f42887a94ba68ac462baa42108cb771d0411d3a9495af6c15ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5255.tmp
Filesize
1KB

MD5
5ff461732413167e2d89ca4d62f71143

SHA1
abf172aeb3c45880dcf1bf098e0592293359a490

SHA256
4923e9c10ffdf57a3b634f443c20a4a1c271ad870437a53d0a9934135b5a352f

SHA512
da1cd66b7fee7a75ce526fce66e23827630303ff4b3d2b03b7c9927a43eb130e89346a63242128f1c3b40d979bd6318e3552ceeca645cbc2c7c204756a284525

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5330.tmp
Filesize
1KB

MD5
ea66d818eb9059679c819cf5056ac710

SHA1
1e6f38803397ed59c7d9db67c859a83f0245f9d9

SHA256
7f7a852c8173b6eb5a715d5314022942f7505fe0fd0656da584f13c26d2a4ff2

SHA512
121ba37c18f54d6feb6857c39a82020dceabb0cc4537679ecb0d6c28e69dbb52b2721288ba1bffbf20eb4b348363a93d5632539056932daf67cbf569d3260056

Download Submit
C:\Users\Admin\AppData\Local\Temp\REVX.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\REVX.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\elocmr5a\elocmr5a.0.vb
Filesize
268B

MD5
6cf129fc48e797ecd718356f26a17846

SHA1
fc1e81d6a24f31312481df25f00d77505c951255

SHA256
5682ca2aef80da42d879819c43e1ee9357002d56fb7937460a45cd7b240ba97f

SHA512
80c2d54835345e0643d61e0b458f548f0fbaf743c821d996961f33e200403621d4aeab81a46e3a9dc6ccdb02e168e9fd6e6b108dfbfc02a54ed51067a6cf97cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\elocmr5a\elocmr5a.cmdline
Filesize
171B

MD5
42f27cf5aff9d27ef3ebe3ee5d5343f7

SHA1
1c99c8c4cdc78e47d6bd076f3deb0aa7d559d6f5

SHA256
97722973a583dcc39d0431d416d094589802be370143770d6489260e8ce14061

SHA512
f28867a2aa8c2ad151e78a23e78b41f94ebd129303bfd2605370ab8c04c9d631b77403ec055796c05fd556a6b6ff486331f96a94aeb0f78fb0258be0bbbaa3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iw3vuth1\iw3vuth1.0.vb
Filesize
272B

MD5
868dc168d836fc159852b05c4ca89f77

SHA1
729688d9706954d69aa1575992dfd25b95b82746

SHA256
4939bdc60420964dc2563a389923b9d57e237a1a49c10f34b1d7e3a17c259605

SHA512
4bd05d9ad0f1204362b3ed1358e1482f353ee1350b72f5a02e4093e455af6f8b512bdce935907cfc8b7f5ac60116c97a890b6c6f1062bad9f83b5cba053793a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iw3vuth1\iw3vuth1.cmdline
Filesize
175B

MD5
b8ff76ea84a2ca8a9e2bb97c6371a52e

SHA1
0a7abd615a855c7ecc945aa3786313496cde64c0

SHA256
c27c857a0ca0f4228682fad427f96b5cd25e542c7521db8957c8e89e848dc772

SHA512
3c721fdbc2530999eacd5fb51682e5173392170094fc402ec4fdf1613d88337b59ae0020b2bcbc22d52fd8445df91643ae8a4bfd0d594c9a0d03db4bc1c63936

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgp5sxy1\jgp5sxy1.0.vb
Filesize
279B

MD5
aed73bceff373304e303b98416b69f2e

SHA1
ad8cd1c95a61172eaf69a5bf4d0b08a0b1d57cab

SHA256
0ef692d87e4a0458f35cdb6eff6dc20c880fa71208406017626c628e261ebd5f

SHA512
6d0bcfb962acb0e5a6b29268c863ad9393f10bb2a70463fbd783637d8effdac656b0c916b71214b57588939fae59ebb0c2455eba56468fb6a6aab5f4f64cb1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgp5sxy1\jgp5sxy1.cmdline
Filesize
182B

MD5
71878e56c999815223151ed58516db5a

SHA1
b7b13aa148ec53e3102533b871163a55a8532343

SHA256
185b4d7b3d2c83f7eb94eb41075b24b83e8d51fcfbdef6a894fc4f40c8969aad

SHA512
a0c02a44c94e012edba1dfbf3713400e161b8453061a88c24208ba6121144e24597d22ef2311e867de33496e871d1f30a627a613bfb94860ac4befd1323fb13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\klkf24cy\klkf24cy.0.vb
Filesize
296B

MD5
7787159e4a1effbfda27a4966af98d7a

SHA1
5f32c09575966724e67e60058c545d8daf514ea9

SHA256
09ff9a29192464c14449a98b9c3a4d54494ee8c20fd9c80b32bc863889a5d886

SHA512
e4a412360620ded827472ac967797b915afd3c4c3bdc459d5c534523c5de5f0c4caa370542f3eea96e886c41b690960000f49a5de82b5ece123c440bc6fc218e

Download Submit
C:\Users\Admin\AppData\Local\Temp\klkf24cy\klkf24cy.cmdline
Filesize
199B

MD5
13aa67f18d97ee737880d404e7dbdedf

SHA1
4f8674f561ede8f2fc361563db949db05eb2cb19

SHA256
05b15cfcc4b763fed88b3e9bd0132a15daa55bb1f7615f1c01d557e1d5d3a2df

SHA512
d61b6cbc9e0fdcfff205232d0b7c8de97ae45f113328a5230b4c292bcaaf9e2682d14edc0394e1d03c8953fbe6a5a77e1b5410bb7207744b1d6c9f150b50aa7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ludxwohx\ludxwohx.0.vb
Filesize
151B

MD5
593cab3ac472165f12b8d423e5ee24b9

SHA1
cb8ebf1261c70fda1c364aba9ffc38d8654dda4c

SHA256
b548217ce1af95dfbad41f3adbc6f25b30d65d78fe11aa0cc9c7a1e86f0ef0d0

SHA512
5a3c47de2f48869ee25c3a5135fe176a5f9dcb4be50dab820053dba4d7890c21e30601e1717654aaac26b0fd908cf222105a7d0266ac425298bf9df84ebca5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ludxwohx\ludxwohx.cmdline
Filesize
203B

MD5
f0c715da9599bbbff5e1798d0ef9b7d1

SHA1
086bc771a5bba7e718142a28f76b998458c4cd5b

SHA256
e2646fd258a13b31994b1412dd16d6b89b4965fd994940082720d46f1afd357a

SHA512
8515cde8e454a92ed138fe72de00fc271c0956f3399117e8233b0e237277afe01757c29741947d3d3f113ea1c2d1a276fb38b77e2a67a54840d00c58d305936f

Download Submit
C:\Users\Admin\AppData\Local\Temp\muhnehlh\muhnehlh.0.vb
Filesize
276B

MD5
daafc5d85e502708fa1d2578df114ee4

SHA1
e1ac79a3807da14f0f50a08d4d755bb10d7bdfd1

SHA256
6f051a06361dd14182c616462fb5be847ea41f0b1a7e70d6be11493fee0a672d

SHA512
6055168ec3467039b7359e3ed7468413e806162a2a076cac0010ce250f3d6dbc4d8821951764eb66e1a05eecddab7e008304ab712d49517c587e7d46bafee9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\muhnehlh\muhnehlh.cmdline
Filesize
179B

MD5
ebf17e9a4cd269862a6ff3eb27f871f6

SHA1
1254f06b7b9effa00c9a70b437a8cbda69dc89e5

SHA256
4d16b33b66ce26fe2d75da7ac3260c373b969160554305cd10580cbf8645559e

SHA512
8fa82d5f4fdb80d4ecad0f817e8b0ec64ed9699ecf29b6b436d9b7db9e41920efef61a47db25b085bc4d9725d4a2045282d62096e47f1192e97ece974d242769

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogbvceg2\ogbvceg2.0.vb
Filesize
277B

MD5
236ad6b9a4ee790879f87bbfa7290c8a

SHA1
eeb7ebc7e515464c01ff2f50bb6e1a6fa57b8536

SHA256
cc7975516c3339933079173b8d5ed82c56d64caddafe0547ca038963a10507e3

SHA512
df088a9e60ba398701d4c20435884e012b9e37d29dc174198683d634c5d8bf2cefd82fddeca37f9e9daa0ac3f78ca6088efabb8d16e5e6330ff122c732ffe767

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogbvceg2\ogbvceg2.cmdline
Filesize
180B

MD5
52559cd9ad3c3bd27eed356f6f83a520

SHA1
a9a6c1305a0b679d34ceb57ae4f5fb2104d7de23

SHA256
50447afd4554e6c3b72bc4da3b93478f8e9d282af992d4e2578820af74cdfb43

SHA512
41965b2e2cf46d23b82e9457de4fa523ea56a0791af372471791661a07cb65c12ba1ebd35dc68366f340e9a9c19c0a511738318fb82f5d53f12115a658dfcc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\pu3oezt5\pu3oezt5.0.vb
Filesize
277B

MD5
01c4825ec87bebe7a80ecde4737b54cc

SHA1
de5500ea5be32a105675b25a32871fd449724a1b

SHA256
f163c113e4f3135bbb80e95c01ec02b7c603fd41d600cbc5aeb616b7179f0f73

SHA512
eb238fe76907baf1c2d151be9a05dadf4d017ceef96974613d8c2cfad3a8aa31be614146aa0c679be7a66b23fa4e47d30196578f9bbc448cbac980b4a83a1dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pu3oezt5\pu3oezt5.cmdline
Filesize
180B

MD5
6d5afced06309267b634d9d3d34d6226

SHA1
2d403616a52b896ca855875ae055e5e9a9d053c9

SHA256
69dddd3f758eacf576702cbee336af277b7180a77bf2fe6af94011b8ca8370dc

SHA512
27bb703c31e7d1eca0bb48b964bbe4453e9b232ebec9cfbac017b9bd62f54e1f4fbf9898bfe4dac98e8df813de9a661483fd308dc4697de3f32280fa96b9a74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\r13i1qim\r13i1qim.0.vb
Filesize
271B

MD5
57d5381e25c4dd00c6cabb759341b58e

SHA1
4409cea50518d5b474e419c8f4e6ddba714add5e

SHA256
d6b645065e8613534349f377d907facba74e175b52e189cf1ef29d2b8066ec6e

SHA512
3dae30fab720a8574e186d15989cd4017c5303caa9f3fda48a9fc974685fc6e87006d66bb151f725959f4c61b2eba9deeca462386ebf34604a4f90f04a33f497

Download Submit
C:\Users\Admin\AppData\Local\Temp\r13i1qim\r13i1qim.cmdline
Filesize
174B

MD5
358704f4ddfbbfb8518404aac0c698df

SHA1
2c427937eba6323f99f7bc32404325d8f23fdf0a

SHA256
47f82213d1a05740bfb4fbc86d5a4d2c0e883b81ada33e40d640f7a6095e68dc

SHA512
d235bba005e80ea7b3ed99ef9390a4f8b7f5d2282a29ddf805acd1168a08ed45bcb4fa61ea6c7d8f5dae8b78fcfc9420a52690ed658e7c132db02c7ddddb7170

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZwfRtNHu.txt
Filesize
41B

MD5
ddacb8d91a476532677016ca8fa15154

SHA1
3e0ea6c24c766b6f05e1a36f47414bfa9f2cffb7

SHA256
fc66ce5a321ced54b4372b6b3933176680cfe42de956743e445b24ae53d24a65

SHA512
e61447050e38b910c9b95f0f203efc6be7c357183482c0de56979c29c1896b997e8b6c872558d13227e13b3aae1ce0934c861f3a718201b68539329d312980f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZwfRtNHu.txt
Filesize
41B

MD5
ddacb8d91a476532677016ca8fa15154

SHA1
3e0ea6c24c766b6f05e1a36f47414bfa9f2cffb7

SHA256
fc66ce5a321ced54b4372b6b3933176680cfe42de956743e445b24ae53d24a65

SHA512
e61447050e38b910c9b95f0f203efc6be7c357183482c0de56979c29c1896b997e8b6c872558d13227e13b3aae1ce0934c861f3a718201b68539329d312980f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZwfRtNHu.txt
Filesize
42B

MD5
400e04d926ca74410f4d8ebaac5c2e7e

SHA1
7f1129504b0ed902209586b90c8490502a5e693c

SHA256
73283710f5a8d16c345982f3b867e79e4e2912bfc3284c93d6299ee627d86ef6

SHA512
6de69b4668aabc3bb8c75d650a35bf6cb19c951ed0711d14672a0814f48fbc6d4041d52adf51c783c1fec99bae88d7dd09fa5ec2dd634a3f95012a6b91f5ae6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3020A2C7D84244289D9E5831CABFDFC5.TMP
Filesize
1KB

MD5
cee1aae40ed483284d3131b9a76eae59

SHA1
616bc1c7ea383b4f78305c4111a9816095f45b12

SHA256
bc10f0b64e7c4e54e0d840d904c395326907aa9e30b243959e00aea0a51b8d35

SHA512
57976c6b66ca77489f168915be4b0b7c3b53747f6a62e60984db5d0aa2ff8428a0c8a78b515191e2c257afd11a4fb17c4bd6f05a49bd429120e588ac040addee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C8FA701F7644FF6903E5B7B24FC9192.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5AFE404B35D04A98A8F9179D8E572F9D.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc694D20CDBFB24A3F9E3B66FC3EED585.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc792279FA7BEA4B0299D59AC22EFDB2.TMP
Filesize
1KB

MD5
32060b25f1b853322f55b00e646349eb

SHA1
3f48939a11387738bbdaaecf03302bf210653b11

SHA256
49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c

SHA512
db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DF1DC06A04F4EB6B6DB55645A30B3B2.TMP
Filesize
1KB

MD5
c3e495da66a1b628c1f3d67d511f5f30

SHA1
d487b081326a052a7b7057b1f039bbe262280479

SHA256
81cbcb4840551143dbb1f8215d7c54f87f0397173b35d6a101564a784827dffd

SHA512
c596c316e8519a33e4360f87c40a812f904145a12c1d4c3c59f95b08a353eda781e40da8e95b0e971c24faa7d15b19170a67027cf8732246a6978cc6571b29ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc87A507FAFBB14323BBE87AE2FB7239C.TMP
Filesize
1KB

MD5
4ffaef2181115a3647790b920aa31b31

SHA1
7f15eee57c8482252db8286ab782978747471899

SHA256
d52cc5df93cac8616b0ecebdf21c6e11bf14e0308f97d6406f4e1c76d0738843

SHA512
501991abd0d0f5780084b9584292183d55bf2c5587de4a7182e1f0979a68f051ef2e1a94753d9da0add2f4f04107320d664952f018c516f3354fdda4e11ec436

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc88EC01242FAA481B9485C338BADF76.TMP
Filesize
1KB

MD5
d7d9f8d1ac18d21666caab1c2340838a

SHA1
a33791468a096f2ecd0b9d46a3550879ddb20b6b

SHA256
5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce

SHA512
2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA57E0ACEEA114661B076611EFF2DA71D.TMP
Filesize
1KB

MD5
f79d4f009ed12db358d8ac93f0804345

SHA1
163b7cfe02be73d9602f5a9387dc7dbe7e9000eb

SHA256
0b353fcca887a01a42a8d5348301f6fbce2519850676b8e8cbbd5a710975848b

SHA512
beda88dc76f7fe331e5a6d0b10a8dbf1c389300e405f6bd6ccef81067d2bb260b9ba993675562a7ea1d274960ffb9cbf26aa695576524eff07143c828ae2edac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDB31BD44229340CBA9A44504C48BB45.TMP
Filesize
1KB

MD5
5be03705622d8432c727b2f54d2f8714

SHA1
d5fc067a15681b7defb145c6526331a359e6f84b

SHA256
763889d47a575bea1067919ee6b7da90e470394d08f92f0a12cdb7a95c5f8d6f

SHA512
1aa7ddd4493dcbe9c635594d75c30ed3a4ad68c26f0e437ae32b1098a3d1992b5467777308f6d84ece5be4368136da12202c928d14d785691c9201223adafe77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB9B505A186D40B5B624E5E00DE2B35.TMP
Filesize
1KB

MD5
6592f9186211221a0a3afcf34a2dfa00

SHA1
bf3748b4ab03bdc65c242ad924653666cda3c5d9

SHA256
eac2c432a96e0d19ef3a1950bc067babe642d11af2a3c2a14bc3050e508c1b3f

SHA512
f7b072428258b7cf5d674c9df15bcb28df9369fde271e79bb2752e0266cabbc3b4bce8aa36e56f3ae99ebc2e658ca7d764628c82668adafc3d0889bd6d71dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyto3jdn\zyto3jdn.0.vb
Filesize
270B

MD5
bcf70c4f55da7b7d14727824db47f768

SHA1
3887b4b4bf4c0b13ae90f23c6fc3c17e99d3c8a6

SHA256
a9ba174973f0ac003feb63005f0ff3c505c38555a1242c09d0b8f728a2f8b0c7

SHA512
eabf266bb2b1e8585fa7b936f9ce771bb128e62fcdaeabf7552d099ff5a87e40d1de96a2ff086ffc8d10006961b0052c0d43d4098f5f701c554beec0e1e08f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyto3jdn\zyto3jdn.cmdline
Filesize
173B

MD5
684eb7bb751dfc6d6549d36132e87584

SHA1
14f341e5164a0d67cffdeaad5de7bf5358b971ab

SHA256
7bf876e3a11be3ce12d8f3556bd7ec80265f1d58221447e154daef147676104f

SHA512
1a56ac2bc6f406591c294c65d4c220e9f3ebfd95897be69fe811c59b3f187cd1e1e75569dd4f820e50697e11ba6f34898886306a4dfc0d2595057cf4cfd88859

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Roaming\dEvUnnXvDV.js
Filesize
23KB

MD5
0891f3f02d5ce4faa78ba53a23f0433f

SHA1
10f8ba0c20259d28c28743f64d341280c314397d

SHA256
b5413d8252009618b5692ef92948b1ae2afc1de266c491b7b9927ed4715cc595

SHA512
abcb34dd8e06e64a61328a72750f6a32832c147e8340c3702a4d71d4ced4353585c58b522692b7bc14f243be9ff782611cca03156b46ba2aaa3eb36f064954fd

Download Submit
\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
memory/320-175-0x0000000000000000-mapping.dmp

Download
memory/436-190-0x0000000000000000-mapping.dmp

Download
memory/436-192-0x000007FEF3690000-0x000007FEF40B3000-memory.dmp

Filesize
10.1MB

Download
memory/436-193-0x000007FEF25F0000-0x000007FEF3686000-memory.dmp

Filesize
16.6MB

Download
memory/472-78-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/472-79-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/472-87-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/472-83-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/472-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/472-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/472-75-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/472-74-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/472-80-0x0000000000408356-mapping.dmp

Download
memory/576-151-0x0000000000000000-mapping.dmp

Download
memory/584-166-0x0000000000000000-mapping.dmp

Download
memory/824-148-0x0000000000000000-mapping.dmp

Download
memory/840-145-0x0000000000000000-mapping.dmp

Download
memory/916-129-0x0000000000000000-mapping.dmp

Download
memory/940-139-0x0000000000000000-mapping.dmp

Download
memory/964-55-0x0000000000000000-mapping.dmp

Download
memory/1012-178-0x0000000000000000-mapping.dmp

Download
memory/1036-181-0x0000000000000000-mapping.dmp

Download
memory/1052-163-0x0000000000000000-mapping.dmp

Download
memory/1120-157-0x0000000000000000-mapping.dmp

Download
memory/1368-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1368-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1368-69-0x0000000000407CEE-mapping.dmp

Download
memory/1368-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1368-86-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download
memory/1368-68-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1368-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1368-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1368-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1392-169-0x0000000000000000-mapping.dmp

Download
memory/1452-126-0x0000000000000000-mapping.dmp

Download
memory/1452-61-0x000007FEF27F0000-0x000007FEF3886000-memory.dmp

Filesize
16.6MB

Download
memory/1452-60-0x000007FEF3890000-0x000007FEF42B3000-memory.dmp

Filesize
10.1MB

Download
memory/1452-57-0x0000000000000000-mapping.dmp

Download
memory/1456-90-0x0000000000000000-mapping.dmp

Download
memory/1456-212-0x0000000000408356-mapping.dmp

Download
memory/1456-94-0x000007FEF2F90000-0x000007FEF4026000-memory.dmp

Filesize
16.6MB

Download
memory/1456-93-0x000007FEF4030000-0x000007FEF4A53000-memory.dmp

Filesize
10.1MB

Download
memory/1456-219-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/1492-172-0x0000000000000000-mapping.dmp

Download
memory/1512-104-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1512-102-0x0000000000407CEE-mapping.dmp

Download
memory/1512-106-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1556-119-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1556-120-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/1556-117-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1556-113-0x0000000000408356-mapping.dmp

Download
memory/1560-160-0x0000000000000000-mapping.dmp

Download
memory/1580-201-0x0000000000407CEE-mapping.dmp

Download
memory/1588-133-0x0000000000000000-mapping.dmp

Download
memory/1600-142-0x0000000000000000-mapping.dmp

Download
memory/1684-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/1688-187-0x0000000000000000-mapping.dmp

Download
memory/1768-136-0x0000000000000000-mapping.dmp

Download
memory/1840-130-0x0000000000000000-mapping.dmp

Download
memory/1912-154-0x0000000000000000-mapping.dmp

Download
memory/1952-184-0x0000000000000000-mapping.dmp

Download
memory/2020-122-0x0000000000000000-mapping.dmp

Download