revengerat | 9081b8dc4bac6ddfe0a3c54ef32cb810be6b012a2d82ca70c3a4b9466b436086

Analysis

max time kernel
134s
max time network
148s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI098788765.js
Size

229KB
MD5

a94120f574ef044bd35a4e167d6e5a05
SHA1

ec73c38470585db035b6a6716495afaaa83ff577
SHA256

9081b8dc4bac6ddfe0a3c54ef32cb810be6b012a2d82ca70c3a4b9466b436086
SHA512

5e737de130ac934ddc0ca6a3cc345a3e4da9f1c61f244ad79bab182da2e5173ae7633bbda78d3a375755140100b768c82e6e82b36ee27469e0252f4424ee7bdb

Score

10^/10

revengerat guest persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

blessed147.ddns.net:8089

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 22 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\REVX.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\REVX.exe	revengerat
behavioral1/memory/888-65-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/888-66-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/888-68-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/888-69-0x0000000000407CEE-mapping.dmp	revengerat
behavioral1/memory/888-71-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/888-73-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
\Users\Admin\AppData\Roaming\Client.exe	revengerat
\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
behavioral1/memory/996-102-0x0000000000407CEE-mapping.dmp	revengerat
behavioral1/memory/996-104-0x0000000000090000-0x00000000000AC000-memory.dmp	revengerat
behavioral1/memory/996-108-0x0000000000090000-0x00000000000AC000-memory.dmp	revengerat
behavioral1/memory/996-111-0x0000000000090000-0x00000000000AC000-memory.dmp	revengerat
\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
behavioral1/memory/1848-204-0x0000000000407CEE-mapping.dmp	revengerat
behavioral1/memory/1848-206-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat
behavioral1/memory/1848-209-0x0000000000400000-0x000000000041C000-memory.dmp	revengerat

Executes dropped EXE 3 IoCs

Processes:

REVX.exeClient.exeClient.exe

pid process

1488 REVX.exe
1724 Client.exe
744 Client.exe

pid	process
1488	REVX.exe
1724	Client.exe
744	Client.exe

Drops startup file 7 IoCs

Processes:

RegSvcs.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe

Loads dropped DLL 3 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

pid process

888 RegSvcs.exe
888 RegSvcs.exe
996 RegSvcs.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
888	RegSvcs.exe
888	RegSvcs.exe
996	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

REVX.exeRegSvcs.exeClient.exeRegSvcs.exeClient.exeRegSvcs.exe

description	pid	process	target process
PID 1488 set thread context of 888	1488	REVX.exe	RegSvcs.exe
PID 888 set thread context of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 1724 set thread context of 996	1724	Client.exe	RegSvcs.exe
PID 996 set thread context of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 744 set thread context of 1848	744	Client.exe	RegSvcs.exe
PID 1848 set thread context of 1392	1848	RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

656 schtasks.exe

pid	process
656	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

REVX.exeRegSvcs.exeClient.exeRegSvcs.exeClient.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1488	REVX.exe
Token: SeDebugPrivilege	888	RegSvcs.exe
Token: SeDebugPrivilege	1724	Client.exe
Token: SeDebugPrivilege	996	RegSvcs.exe
Token: SeDebugPrivilege	744	Client.exe
Token: SeDebugPrivilege	1848	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.exeREVX.exeRegSvcs.exeClient.exeRegSvcs.exevbc.exe

description	pid	process	target process
PID 240 wrote to memory of 836	240	wscript.exe	wscript.exe
PID 240 wrote to memory of 836	240	wscript.exe	wscript.exe
PID 240 wrote to memory of 836	240	wscript.exe	wscript.exe
PID 240 wrote to memory of 1488	240	wscript.exe	REVX.exe
PID 240 wrote to memory of 1488	240	wscript.exe	REVX.exe
PID 240 wrote to memory of 1488	240	wscript.exe	REVX.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 1488 wrote to memory of 888	1488	REVX.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1860	888	RegSvcs.exe	RegSvcs.exe
PID 888 wrote to memory of 1724	888	RegSvcs.exe	Client.exe
PID 888 wrote to memory of 1724	888	RegSvcs.exe	Client.exe
PID 888 wrote to memory of 1724	888	RegSvcs.exe	Client.exe
PID 888 wrote to memory of 1724	888	RegSvcs.exe	Client.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 1724 wrote to memory of 996	1724	Client.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 1272	996	RegSvcs.exe	RegSvcs.exe
PID 996 wrote to memory of 364	996	RegSvcs.exe	vbc.exe
PID 996 wrote to memory of 364	996	RegSvcs.exe	vbc.exe
PID 996 wrote to memory of 364	996	RegSvcs.exe	vbc.exe
PID 996 wrote to memory of 364	996	RegSvcs.exe	vbc.exe
PID 364 wrote to memory of 668	364	vbc.exe	cvtres.exe
PID 364 wrote to memory of 668	364	vbc.exe	cvtres.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PI098788765.js
1⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dEvUnnXvDV.js"
2⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\REVX.exe
"C:\Users\Admin\AppData\Local\Temp\REVX.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:1860

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ojvooyg\5ojvooyg.cmdline"
6⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25C689209614CB5AD2EAE63F444ED8B.TMP"
7⤵
PID:668

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
6⤵
- Creates scheduled task(s)
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vck52uvj\vck52uvj.cmdline"
6⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9493.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6ABC053B9A3248DAB9314E21599E732.TMP"
7⤵
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpfc1vvz\qpfc1vvz.cmdline"
6⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9609.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA26545BB49B24D448CA85956ED4D82C9.TMP"
7⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\opkf5za3\opkf5za3.cmdline"
6⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9741.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9906EB08F5CF42C0AA144C5C631C9C23.TMP"
7⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j2yl0bpk\j2yl0bpk.cmdline"
6⤵
PID:284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES984A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C3D2CAC2D24455C9E49F02237ABA31.TMP"
7⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hpc2dr4y\hpc2dr4y.cmdline"
6⤵
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9944.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C88088A6D104207B33BC6AFBB6D660.TMP"
7⤵
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dwydewrt\dwydewrt.cmdline"
6⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1EF9AF8547049A6A88E9325FD196E1.TMP"
7⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zafvf3yk\zafvf3yk.cmdline"
6⤵
PID:240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B1073BF11354B4099956537453BDF8C.TMP"
7⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bi12y2y5\bi12y2y5.cmdline"
6⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3674E07BC9D141DAA3281CC6D843A979.TMP"
7⤵
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rlofc3bu\rlofc3bu.cmdline"
6⤵
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FBA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD33F6E32EB6F419588BC4A1FB3714DB1.TMP"
7⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j2b4bgje\j2b4bgje.cmdline"
6⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA101.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED6D637DCA984A8588BE486717251C88.TMP"
7⤵
PID:1056

C:\Windows\system32\taskeng.exe
taskeng.exe {A84E649D-F514-4462-AF12-B007D8FB8A8A} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
PID:1760

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ojvooyg\5ojvooyg.0.vb
Filesize
151B

MD5
593cab3ac472165f12b8d423e5ee24b9

SHA1
cb8ebf1261c70fda1c364aba9ffc38d8654dda4c

SHA256
b548217ce1af95dfbad41f3adbc6f25b30d65d78fe11aa0cc9c7a1e86f0ef0d0

SHA512
5a3c47de2f48869ee25c3a5135fe176a5f9dcb4be50dab820053dba4d7890c21e30601e1717654aaac26b0fd908cf222105a7d0266ac425298bf9df84ebca5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ojvooyg\5ojvooyg.cmdline
Filesize
203B

MD5
5dda989adf5f6472b711c4351baef26f

SHA1
8e0ba0324a4f442b041a61e51a7a0b7209d710ea

SHA256
39bca171e54bb20ddcb772faed8b2315f18bca1099321ba97dd4d09da0023b05

SHA512
715bc7c162e265d205ec84c1012a455b84c8fc7ce8e11f9ca6be6572fae7781ccc0ba2f87f101ef5653d88d90da143148c6979fcc5ffc5b7dcd4d8772b2f3404

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91E4.tmp
Filesize
1KB

MD5
b8f1fe157f707edb6a6ca072e997273a

SHA1
b7cc603832d8b69cc0675467b3bf6661930b3249

SHA256
6546ba919c8aa0ea61912b6985c049a0508ba868b2eeee1de2ffbf820fe6caaa

SHA512
c522e75d8667642d4c180a3d5b5fcb3a738e9b3819fe28d2fe99c1b142dd364a2794b54cd270a478edcc5fefc809b7a3bd06224348cc52341a88df9f5968b67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9493.tmp
Filesize
1KB

MD5
cff21717a9335778b90c14666539c058

SHA1
ad82acaf67f703cbe66f7d5b23b65c4eee7abf16

SHA256
346007565dc98141be530417942a2e71b4804faabdcb6aee974ce6bad2121a1d

SHA512
bfa4705952b4fc98f9c9997f7fb3d0e6119c5259aff60c3d183f59656a095784b7fe8cc294d7955e21244e125dfee962fdedfdd17e60d871dc12babe72c5de2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9609.tmp
Filesize
1KB

MD5
d105c7bd7f120b019c67dda03bed8ace

SHA1
5e9c7819b96bb135cd348583db7f82145173c5fe

SHA256
d73daf4be4e92665466fbd637041191578c0aed7fbf3e91850456d7e32d476cc

SHA512
c115d1c369c0b4e5fee8a3a40cd0a023a2901a589764e6df9ce04704226f6200296b68d62c9e0a5b440136163767e377dcc1c44ed3bdba5e3d5692327f896dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9741.tmp
Filesize
1KB

MD5
820824ce81b0ab5c85b38fe292069909

SHA1
8617f9d19d588a23395b776b6c69f4e6b40282fa

SHA256
65d709d19204f524d6bb0eed684ef61cef0c72ff4000627d4a116f58333987c1

SHA512
1d2fde365b5d1602a63155304eca038e71c8bb8db058eaff117775b1054185352cd29df303c4fe71b878fdb19c87cb642d5042166217c85fdbb9c095891d7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES984A.tmp
Filesize
1KB

MD5
c9119d9d84dd0392c2dd5f4fa99754e5

SHA1
482cf02a643890c1d1a4514475e66be23a0359db

SHA256
751ff7f41c3f1bed94467214b70869988903653e381b939f84095ce74f304fb5

SHA512
680a47235072fb89e68fdcfcd9e7f46d2ae992612b1f837b0e5f9d9edfd5ba5c18829b16bb7baaa91c72bd10de22314f6e20a0111674961e54614ed8fc4bc459

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9944.tmp
Filesize
1KB

MD5
638c1afcd480add95974c7fabd1f2df8

SHA1
ae9fd671159289956efb4fa78c3827ecf8c7a9f1

SHA256
d70bbd3058d820be1f55bcf9977e308001663ead14574362e3f0742200dcefca

SHA512
411f9e656f65eaa3459bdea54d43f6eff52f65de411ebb97591f2e01fcbc3aa09cac9d462ccdf13239ee81156c99850fefb19eb26c1f931683fbf7d5b4e9e00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A8C.tmp
Filesize
1KB

MD5
6befb7a6f630cd986ada39d6db121547

SHA1
85dc3289d441cb87064419a994c953b53da85ba0

SHA256
419e3d8c6038bca97e06f21c29b1efe4b401dbe89c752e4e97303e5a5a017afe

SHA512
f6fd1308378be99b5960228515605744e81fcd1bed9e690894821b9ce4af1291eaa1d9a26f00405ddd98e68dc3bc8babfbefd5290c0bf9391dadbe27c4410707

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9CFC.tmp
Filesize
1KB

MD5
a6b4597db9b9311f2e4a58407487b211

SHA1
799449390d7a608edef01ffa32c1588972cf0851

SHA256
7a19ae948d25aa16ffd8601d19a132218895345e7e8fc1c4c8bec151b01a2088

SHA512
1f6b6e166c024c00cc1ae7196d2ace30eec7eca5a8a0481efbf314927c88483e1dcfbff217e22a9027ecdf7a05375299011d96aa37c552cbf14805dd786e588a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E82.tmp
Filesize
1KB

MD5
9fadb91dd9dc94e209cc3aa7e9cc2c6b

SHA1
271852d32f37e8e0ae695ca45e681e6b9054dfd0

SHA256
43a4a13339c6ff57db648a04c260fd48a33c0233aa023a8dcb8d908a53cfe26a

SHA512
5e0f0927375e497687a0314929f3de6e080a959d91494e83370ff3747427df9dffdf29f17c3adbda08cdab3247c348442fdf4736748654ac7585c1bde5a259cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FBA.tmp
Filesize
1KB

MD5
cac90c05699fd3b90e4470119abed959

SHA1
e69a2527945656c757dce3fe5d06f8a401a456be

SHA256
2c254141a8d720bd643f117745838f3960a31fa906bbf2687ed9174690331eb9

SHA512
0c9019f81c97bf65141fe3eb7cbbcce3b02f773f5cefa3e5d1cc4f7982b465700a184d3960dab0eac92f1662573612948533564099a4170dffb157713130eee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA101.tmp
Filesize
1KB

MD5
cb7fcb92c128b488ab87d9a74b6ff13c

SHA1
df6fca456a7d3690f6e5a537594e31ce564396a9

SHA256
49833685dbc4a95cb2900bac0437f9ce70088134de953bd3de5221cd888123c0

SHA512
ceb3ca0508ab85fab87b8d7e6679be6f8ab205ec461c45e120b9cd9595d1bae09fadfec69b1c9135b6154ab01871afc3aff6b8391ad55ff7681076ebc5e81aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\REVX.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\REVX.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bi12y2y5\bi12y2y5.0.vb
Filesize
270B

MD5
bcf70c4f55da7b7d14727824db47f768

SHA1
3887b4b4bf4c0b13ae90f23c6fc3c17e99d3c8a6

SHA256
a9ba174973f0ac003feb63005f0ff3c505c38555a1242c09d0b8f728a2f8b0c7

SHA512
eabf266bb2b1e8585fa7b936f9ce771bb128e62fcdaeabf7552d099ff5a87e40d1de96a2ff086ffc8d10006961b0052c0d43d4098f5f701c554beec0e1e08f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\bi12y2y5\bi12y2y5.cmdline
Filesize
173B

MD5
b04896100ba7037bffca125f60f6c406

SHA1
ac37cdac2713a1087dc3380afd6723d099d79e5f

SHA256
1e362603dd3a11898a0539885883d93f3f5e2325bb84c969fbf88966d781c052

SHA512
665cd1365850a6fae5b2cf28f256ac4bf8e195c506a50d6709d792e681021b58c65ad0cc17c7ac348a09cd2b8263778628255292250dfe58136c0e4b1cdb2ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwydewrt\dwydewrt.0.vb
Filesize
296B

MD5
7787159e4a1effbfda27a4966af98d7a

SHA1
5f32c09575966724e67e60058c545d8daf514ea9

SHA256
09ff9a29192464c14449a98b9c3a4d54494ee8c20fd9c80b32bc863889a5d886

SHA512
e4a412360620ded827472ac967797b915afd3c4c3bdc459d5c534523c5de5f0c4caa370542f3eea96e886c41b690960000f49a5de82b5ece123c440bc6fc218e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwydewrt\dwydewrt.cmdline
Filesize
199B

MD5
26748b3dead23baba8ef63bfe6c12b67

SHA1
3d0238e3d500142edfdbf40e9dc85829fbcc9209

SHA256
d2f4b5dace9843966f34fcd72b63105205cdfe14ef7f47703eccdedd27cf0f3d

SHA512
8bfb43dbd9adcb68ebc6b6c13d410c095d24a359b7b00c233fab14863246c06fbba3293088a14050961cdcf1caf4e29c289c34b6e99f1bc4763c6c85a5707477

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpc2dr4y\hpc2dr4y.0.vb
Filesize
277B

MD5
236ad6b9a4ee790879f87bbfa7290c8a

SHA1
eeb7ebc7e515464c01ff2f50bb6e1a6fa57b8536

SHA256
cc7975516c3339933079173b8d5ed82c56d64caddafe0547ca038963a10507e3

SHA512
df088a9e60ba398701d4c20435884e012b9e37d29dc174198683d634c5d8bf2cefd82fddeca37f9e9daa0ac3f78ca6088efabb8d16e5e6330ff122c732ffe767

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpc2dr4y\hpc2dr4y.cmdline
Filesize
180B

MD5
93ed4c8967dadd976e8451d9796e91c8

SHA1
ad7c451ecfb2af30e7b7d5cc5128961b6b7deff9

SHA256
1a54d37ebe35a8f7aa1533919326254a36ce0b53d421b48d71cdf21caa603f49

SHA512
44e234190c9c98608c0298782ae026361fe60bd428ddb4b56b5653d4f71ab3c1d1560a5c89a16aa3fdaaa8864579215480adb973a2100e43e3a1a5568b1fef06

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2b4bgje\j2b4bgje.0.vb
Filesize
279B

MD5
aed73bceff373304e303b98416b69f2e

SHA1
ad8cd1c95a61172eaf69a5bf4d0b08a0b1d57cab

SHA256
0ef692d87e4a0458f35cdb6eff6dc20c880fa71208406017626c628e261ebd5f

SHA512
6d0bcfb962acb0e5a6b29268c863ad9393f10bb2a70463fbd783637d8effdac656b0c916b71214b57588939fae59ebb0c2455eba56468fb6a6aab5f4f64cb1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2b4bgje\j2b4bgje.cmdline
Filesize
182B

MD5
7e3759b3aa9f13fd6d25f0e4acc34aa6

SHA1
0b52436d8c79df578c201b031815fc0c9bb7b6b0

SHA256
791b88b3a687ba54b2793ba4e2509638335f70d7f186049a2bc6b14d347cbeae

SHA512
ef8f4f979c806270f4ffbebac85b54ddb95d7eda500659e3f4b07ec39dea7e9ab519606082a87024eda5675659ea6570634ef3640bf335d36052ab2fbc677754

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2yl0bpk\j2yl0bpk.0.vb
Filesize
275B

MD5
9330d0253cc37b933ad7883af5bb188d

SHA1
bb1330a1dfff6a408a4d5921b8353bc16ba2a1e7

SHA256
0346323260a55ee97b62f4b43775634e7ea15ee3e240d62fe32b498d269d2357

SHA512
6c55caaa3894ab48e9a4e59cb660ac50ac31eaed49a640bb8be7c0e5a64363456d75e1d080f57726d34cef55cc9410b60775c1967ced5fa0c91b0a860ee50648

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2yl0bpk\j2yl0bpk.cmdline
Filesize
178B

MD5
b6ee11e43cf39b7b0c33b92bccffe8cb

SHA1
217ce5a1444aa3f7d45aff63123cad75f19c059e

SHA256
c3066976d6f725ef8c2795dcb71f480e6bb31079379ff34df209a457bcdd390e

SHA512
d6ee81f2afa4fa92aa67d5c1f8472df67154f6ceb27d280a82fd99d9446bb8bd5672c2e2756d45d1fe00f9aef14e3a4524bdebd08ba9d762e9411b708fda4d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\opkf5za3\opkf5za3.0.vb
Filesize
271B

MD5
57d5381e25c4dd00c6cabb759341b58e

SHA1
4409cea50518d5b474e419c8f4e6ddba714add5e

SHA256
d6b645065e8613534349f377d907facba74e175b52e189cf1ef29d2b8066ec6e

SHA512
3dae30fab720a8574e186d15989cd4017c5303caa9f3fda48a9fc974685fc6e87006d66bb151f725959f4c61b2eba9deeca462386ebf34604a4f90f04a33f497

Download Submit
C:\Users\Admin\AppData\Local\Temp\opkf5za3\opkf5za3.cmdline
Filesize
174B

MD5
11133169b476671db1d26ea8b7ebcdd6

SHA1
09728b7900dfec3563e5e696ea0e7773bb528b3a

SHA256
ef8499ffc657e0dbd28ac8b632783d6d0de0cac35d813b322f8ffb7d23cae442

SHA512
8d1460b6ba8e4bba7918835a7f9829d5c0c47e18c52bb264940a94b80012dc0543d17dd51e6f5c1eb6e5fd4644f52507f96d072ec89d10c44dadd6cb0eb5a51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpfc1vvz\qpfc1vvz.0.vb
Filesize
272B

MD5
868dc168d836fc159852b05c4ca89f77

SHA1
729688d9706954d69aa1575992dfd25b95b82746

SHA256
4939bdc60420964dc2563a389923b9d57e237a1a49c10f34b1d7e3a17c259605

SHA512
4bd05d9ad0f1204362b3ed1358e1482f353ee1350b72f5a02e4093e455af6f8b512bdce935907cfc8b7f5ac60116c97a890b6c6f1062bad9f83b5cba053793a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpfc1vvz\qpfc1vvz.cmdline
Filesize
175B

MD5
52e2d68770a6a72b54d911716e9b2056

SHA1
04dc192c6859f6ad9614fda42d83491beb46bbf7

SHA256
0c40804506bdd71033a73d207c5b6dbbc3083c0d1b66a64aac479e4047371611

SHA512
0bc6b59575102a336960c90976181a3aef15ac885bc40e5be9efce2add5ffd42f3cd68fd3f00399adb93b8b0b8f3370ec2eac244b5630c2064c6f3431d86b212

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlofc3bu\rlofc3bu.0.vb
Filesize
276B

MD5
daafc5d85e502708fa1d2578df114ee4

SHA1
e1ac79a3807da14f0f50a08d4d755bb10d7bdfd1

SHA256
6f051a06361dd14182c616462fb5be847ea41f0b1a7e70d6be11493fee0a672d

SHA512
6055168ec3467039b7359e3ed7468413e806162a2a076cac0010ce250f3d6dbc4d8821951764eb66e1a05eecddab7e008304ab712d49517c587e7d46bafee9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlofc3bu\rlofc3bu.cmdline
Filesize
179B

MD5
a72bc3a2779c165ebe0721709176109d

SHA1
2fd47121b90e57f67621956507430546679a163a

SHA256
85c52c57130ea01a6328f1d0ca3d59c15a6b4f86ebdbe029d4f2f3dd8ce3fb0c

SHA512
c15ce4c41761d54c9249a710b33070d417f7a64e0614c994ddf3724d05776759d88843e189116efefd05c31ff6325d1c51620913441c7a546ef023d3b85381c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZwfRtNHu.txt
Filesize
41B

MD5
ddacb8d91a476532677016ca8fa15154

SHA1
3e0ea6c24c766b6f05e1a36f47414bfa9f2cffb7

SHA256
fc66ce5a321ced54b4372b6b3933176680cfe42de956743e445b24ae53d24a65

SHA512
e61447050e38b910c9b95f0f203efc6be7c357183482c0de56979c29c1896b997e8b6c872558d13227e13b3aae1ce0934c861f3a718201b68539329d312980f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZwfRtNHu.txt
Filesize
41B

MD5
ddacb8d91a476532677016ca8fa15154

SHA1
3e0ea6c24c766b6f05e1a36f47414bfa9f2cffb7

SHA256
fc66ce5a321ced54b4372b6b3933176680cfe42de956743e445b24ae53d24a65

SHA512
e61447050e38b910c9b95f0f203efc6be7c357183482c0de56979c29c1896b997e8b6c872558d13227e13b3aae1ce0934c861f3a718201b68539329d312980f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZwfRtNHu.txt
Filesize
42B

MD5
400e04d926ca74410f4d8ebaac5c2e7e

SHA1
7f1129504b0ed902209586b90c8490502a5e693c

SHA256
73283710f5a8d16c345982f3b867e79e4e2912bfc3284c93d6299ee627d86ef6

SHA512
6de69b4668aabc3bb8c75d650a35bf6cb19c951ed0711d14672a0814f48fbc6d4041d52adf51c783c1fec99bae88d7dd09fa5ec2dd634a3f95012a6b91f5ae6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1B1073BF11354B4099956537453BDF8C.TMP
Filesize
1KB

MD5
5be03705622d8432c727b2f54d2f8714

SHA1
d5fc067a15681b7defb145c6526331a359e6f84b

SHA256
763889d47a575bea1067919ee6b7da90e470394d08f92f0a12cdb7a95c5f8d6f

SHA512
1aa7ddd4493dcbe9c635594d75c30ed3a4ad68c26f0e437ae32b1098a3d1992b5467777308f6d84ece5be4368136da12202c928d14d785691c9201223adafe77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc25C689209614CB5AD2EAE63F444ED8B.TMP
Filesize
1KB

MD5
f79d4f009ed12db358d8ac93f0804345

SHA1
163b7cfe02be73d9602f5a9387dc7dbe7e9000eb

SHA256
0b353fcca887a01a42a8d5348301f6fbce2519850676b8e8cbbd5a710975848b

SHA512
beda88dc76f7fe331e5a6d0b10a8dbf1c389300e405f6bd6ccef81067d2bb260b9ba993675562a7ea1d274960ffb9cbf26aa695576524eff07143c828ae2edac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3674E07BC9D141DAA3281CC6D843A979.TMP
Filesize
1KB

MD5
32060b25f1b853322f55b00e646349eb

SHA1
3f48939a11387738bbdaaecf03302bf210653b11

SHA256
49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c

SHA512
db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6ABC053B9A3248DAB9314E21599E732.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7C3D2CAC2D24455C9E49F02237ABA31.TMP
Filesize
1KB

MD5
c3e495da66a1b628c1f3d67d511f5f30

SHA1
d487b081326a052a7b7057b1f039bbe262280479

SHA256
81cbcb4840551143dbb1f8215d7c54f87f0397173b35d6a101564a784827dffd

SHA512
c596c316e8519a33e4360f87c40a812f904145a12c1d4c3c59f95b08a353eda781e40da8e95b0e971c24faa7d15b19170a67027cf8732246a6978cc6571b29ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7C88088A6D104207B33BC6AFBB6D660.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9906EB08F5CF42C0AA144C5C631C9C23.TMP
Filesize
1KB

MD5
4ffaef2181115a3647790b920aa31b31

SHA1
7f15eee57c8482252db8286ab782978747471899

SHA256
d52cc5df93cac8616b0ecebdf21c6e11bf14e0308f97d6406f4e1c76d0738843

SHA512
501991abd0d0f5780084b9584292183d55bf2c5587de4a7182e1f0979a68f051ef2e1a94753d9da0add2f4f04107320d664952f018c516f3354fdda4e11ec436

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA26545BB49B24D448CA85956ED4D82C9.TMP
Filesize
1KB

MD5
6592f9186211221a0a3afcf34a2dfa00

SHA1
bf3748b4ab03bdc65c242ad924653666cda3c5d9

SHA256
eac2c432a96e0d19ef3a1950bc067babe642d11af2a3c2a14bc3050e508c1b3f

SHA512
f7b072428258b7cf5d674c9df15bcb28df9369fde271e79bb2752e0266cabbc3b4bce8aa36e56f3ae99ebc2e658ca7d764628c82668adafc3d0889bd6d71dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD33F6E32EB6F419588BC4A1FB3714DB1.TMP
Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED6D637DCA984A8588BE486717251C88.TMP
Filesize
1KB

MD5
d7d9f8d1ac18d21666caab1c2340838a

SHA1
a33791468a096f2ecd0b9d46a3550879ddb20b6b

SHA256
5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce

SHA512
2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF1EF9AF8547049A6A88E9325FD196E1.TMP
Filesize
1KB

MD5
cee1aae40ed483284d3131b9a76eae59

SHA1
616bc1c7ea383b4f78305c4111a9816095f45b12

SHA256
bc10f0b64e7c4e54e0d840d904c395326907aa9e30b243959e00aea0a51b8d35

SHA512
57976c6b66ca77489f168915be4b0b7c3b53747f6a62e60984db5d0aa2ff8428a0c8a78b515191e2c257afd11a4fb17c4bd6f05a49bd429120e588ac040addee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vck52uvj\vck52uvj.0.vb
Filesize
268B

MD5
6cf129fc48e797ecd718356f26a17846

SHA1
fc1e81d6a24f31312481df25f00d77505c951255

SHA256
5682ca2aef80da42d879819c43e1ee9357002d56fb7937460a45cd7b240ba97f

SHA512
80c2d54835345e0643d61e0b458f548f0fbaf743c821d996961f33e200403621d4aeab81a46e3a9dc6ccdb02e168e9fd6e6b108dfbfc02a54ed51067a6cf97cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vck52uvj\vck52uvj.cmdline
Filesize
171B

MD5
0592d1c27b8816c08b995053976942f0

SHA1
7f455d0d03035418803886e40c908eb0e00e6f72

SHA256
c93a6e22ce3fb0a6cc6d5ec9afdd133e3db5a91395f20fb0300dc7a846d3f3f4

SHA512
9a18e76f2d29daf6e3d5e0673988c51a2e0a572c3212dbdab490ba26dfcef1b3f684a5c41b29fea5248e6b5eb6e385c6489ae727788ace7048ec758e62081446

Download Submit
C:\Users\Admin\AppData\Local\Temp\zafvf3yk\zafvf3yk.0.vb
Filesize
277B

MD5
01c4825ec87bebe7a80ecde4737b54cc

SHA1
de5500ea5be32a105675b25a32871fd449724a1b

SHA256
f163c113e4f3135bbb80e95c01ec02b7c603fd41d600cbc5aeb616b7179f0f73

SHA512
eb238fe76907baf1c2d151be9a05dadf4d017ceef96974613d8c2cfad3a8aa31be614146aa0c679be7a66b23fa4e47d30196578f9bbc448cbac980b4a83a1dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zafvf3yk\zafvf3yk.cmdline
Filesize
180B

MD5
c6c9c8ae98d65a57a4f9c67789cb6aa5

SHA1
ded8a7457dd471980bd81fb756e8fb42506daa91

SHA256
6e8013a3b52d0b9b350fc8c597acc77f2f8891f1416fa325b24bc56b0f64025c

SHA512
9da336c354942cbe3ffcc49a3a546498d6cd2338bd32c685fd6ef5b9aea0a191b807013fbd4511000920b276eac56d849af8313a9ad856038d699de578c60cb7

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
C:\Users\Admin\AppData\Roaming\dEvUnnXvDV.js
Filesize
23KB

MD5
0891f3f02d5ce4faa78ba53a23f0433f

SHA1
10f8ba0c20259d28c28743f64d341280c314397d

SHA256
b5413d8252009618b5692ef92948b1ae2afc1de266c491b7b9927ed4715cc595

SHA512
abcb34dd8e06e64a61328a72750f6a32832c147e8340c3702a4d71d4ced4353585c58b522692b7bc14f243be9ff782611cca03156b46ba2aaa3eb36f064954fd

Download Submit
\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
\Users\Admin\AppData\Roaming\Client.exe
Filesize
92KB

MD5
2b6dc42dc5c0b40bf131dc3eb4f7b4ba

SHA1
277a44b6fc468199180efdab5c4151e5b772e2b9

SHA256
a2639ef31af5e1015463f0663982ae4bd10271f1660cdec494cfb8848b2c87a0

SHA512
98f993806bafe8924fe58e92d4441376350117eeb3b17f9e74221cbe4410376592050a7d05e3b914ca39eef63583356df0213def1510d6bb233f77ee45c6a11d

Download Submit
memory/240-54-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/240-169-0x0000000000000000-mapping.dmp

Download
memory/284-151-0x0000000000000000-mapping.dmp

Download
memory/316-142-0x0000000000000000-mapping.dmp

Download
memory/364-125-0x0000000000000000-mapping.dmp

Download
memory/520-178-0x0000000000000000-mapping.dmp

Download
memory/528-136-0x0000000000000000-mapping.dmp

Download
memory/656-132-0x0000000000000000-mapping.dmp

Download
memory/668-129-0x0000000000000000-mapping.dmp

Download
memory/744-154-0x0000000000000000-mapping.dmp

Download
memory/744-195-0x000007FEF3300000-0x000007FEF3D23000-memory.dmp

Filesize
10.1MB

Download
memory/744-193-0x0000000000000000-mapping.dmp

Download
memory/744-196-0x000007FEEE810000-0x000007FEEF8A6000-memory.dmp

Filesize
16.6MB

Download
memory/836-55-0x0000000000000000-mapping.dmp

Download
memory/888-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/888-87-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/888-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/888-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/888-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/888-68-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/888-69-0x0000000000407CEE-mapping.dmp

Download
memory/888-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/888-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/940-160-0x0000000000000000-mapping.dmp

Download
memory/996-104-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/996-108-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/996-102-0x0000000000407CEE-mapping.dmp

Download
memory/996-111-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1056-190-0x0000000000000000-mapping.dmp

Download
memory/1196-163-0x0000000000000000-mapping.dmp

Download
memory/1272-118-0x0000000000408356-mapping.dmp

Download
memory/1272-122-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1392-216-0x0000000000408356-mapping.dmp

Download
memory/1392-223-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1392-224-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download
memory/1488-61-0x000007FEF2C90000-0x000007FEF3D26000-memory.dmp

Filesize
16.6MB

Download
memory/1488-60-0x000007FEF61C0000-0x000007FEF6BE3000-memory.dmp

Filesize
10.1MB

Download
memory/1500-175-0x0000000000000000-mapping.dmp

Download
memory/1524-133-0x0000000000000000-mapping.dmp

Download
memory/1556-184-0x0000000000000000-mapping.dmp

Download
memory/1636-187-0x0000000000000000-mapping.dmp

Download
memory/1724-93-0x000007FEF3CA0000-0x000007FEF46C3000-memory.dmp

Filesize
10.1MB

Download
memory/1724-157-0x0000000000000000-mapping.dmp

Download
memory/1724-94-0x000007FEF2C00000-0x000007FEF3C96000-memory.dmp

Filesize
16.6MB

Download
memory/1724-90-0x0000000000000000-mapping.dmp

Download
memory/1732-172-0x0000000000000000-mapping.dmp

Download
memory/1760-145-0x0000000000000000-mapping.dmp

Download
memory/1800-166-0x0000000000000000-mapping.dmp

Download
memory/1848-206-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1848-204-0x0000000000407CEE-mapping.dmp

Download
memory/1848-209-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1860-78-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1860-79-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1860-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1860-86-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/1860-74-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1860-83-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1860-80-0x0000000000408356-mapping.dmp

Download
memory/1860-148-0x0000000000000000-mapping.dmp

Download
memory/1860-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1860-75-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1924-181-0x0000000000000000-mapping.dmp

Download
memory/1932-139-0x0000000000000000-mapping.dmp

Download