revengerat | ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe
Size

67KB
MD5

8f5d2e6c2fa3d1e8e10060524ff1d085
SHA1

add5129da13dcfaf912dd81a908cd464509a38c7
SHA256

ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413
SHA512

2e8ece0ad58abc64bb9182843eaa5427f3303f33630823c43b3fd0bf3af096c0ebc81b746a2be410fd8ef7152dd1b903680536cfd77a5e21a774dc10b5c9abea
SSDEEP

768:MeGmGNASzgONow+FdYvIbj4TBA9wM+LzapzgGD23SrzY2h2TiZVFcrFK:xJoAirQ2cj4TBA9wM+H4kGD23SoKCo

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5088-134-0x0000000000410DDE-mapping.dmp	revengerat
behavioral2/memory/5088-133-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
C:\Users\Admin\AppData\Roaming\VSWebHandler.exe	revengerat
C:\Users\Admin\AppData\Roaming\VSWebHandler.exe	revengerat
behavioral2/memory/3504-148-0x0000000000410DDE-mapping.dmp	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

VSWebHandler.exe

pid process

748 VSWebHandler.exe

pid	process
748	VSWebHandler.exe

Drops startup file 6 IoCs

Processes:

aspnet_compiler.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.lnk	aspnet_compiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.exe	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.exe	aspnet_compiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.vbs	aspnet_compiler.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aspnet_compiler.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSWebHandler = "C:\\Users\\Admin\\AppData\\Roaming\\VSWebHandler.exe"	aspnet_compiler.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exeaspnet_compiler.exeVSWebHandler.exeaspnet_compiler.exe

description	pid	process	target process
PID 2312 set thread context of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 5088 set thread context of 1940	5088	aspnet_compiler.exe	aspnet_compiler.exe
PID 748 set thread context of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 3504 set thread context of 3160	3504	aspnet_compiler.exe	aspnet_compiler.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

800 schtasks.exe

pid	process
800	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exeaspnet_compiler.exeVSWebHandler.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe
Token: SeDebugPrivilege	5088	aspnet_compiler.exe
Token: SeDebugPrivilege	748	VSWebHandler.exe
Token: SeDebugPrivilege	3504	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exeaspnet_compiler.exeVSWebHandler.exeaspnet_compiler.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 2312 wrote to memory of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 2312 wrote to memory of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 2312 wrote to memory of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 2312 wrote to memory of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 2312 wrote to memory of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 2312 wrote to memory of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 2312 wrote to memory of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 2312 wrote to memory of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 2312 wrote to memory of 5088	2312	ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe	aspnet_compiler.exe
PID 5088 wrote to memory of 1940	5088	aspnet_compiler.exe	aspnet_compiler.exe
PID 5088 wrote to memory of 1940	5088	aspnet_compiler.exe	aspnet_compiler.exe
PID 5088 wrote to memory of 1940	5088	aspnet_compiler.exe	aspnet_compiler.exe
PID 5088 wrote to memory of 1940	5088	aspnet_compiler.exe	aspnet_compiler.exe
PID 5088 wrote to memory of 1940	5088	aspnet_compiler.exe	aspnet_compiler.exe
PID 5088 wrote to memory of 1940	5088	aspnet_compiler.exe	aspnet_compiler.exe
PID 5088 wrote to memory of 1940	5088	aspnet_compiler.exe	aspnet_compiler.exe
PID 5088 wrote to memory of 1940	5088	aspnet_compiler.exe	aspnet_compiler.exe
PID 5088 wrote to memory of 748	5088	aspnet_compiler.exe	VSWebHandler.exe
PID 5088 wrote to memory of 748	5088	aspnet_compiler.exe	VSWebHandler.exe
PID 748 wrote to memory of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 748 wrote to memory of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 748 wrote to memory of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 748 wrote to memory of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 748 wrote to memory of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 748 wrote to memory of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 748 wrote to memory of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 748 wrote to memory of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 748 wrote to memory of 3504	748	VSWebHandler.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 3160	3504	aspnet_compiler.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 3160	3504	aspnet_compiler.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 3160	3504	aspnet_compiler.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 3160	3504	aspnet_compiler.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 3160	3504	aspnet_compiler.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 3160	3504	aspnet_compiler.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 3160	3504	aspnet_compiler.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 3160	3504	aspnet_compiler.exe	aspnet_compiler.exe
PID 3504 wrote to memory of 3336	3504	aspnet_compiler.exe	vbc.exe
PID 3504 wrote to memory of 3336	3504	aspnet_compiler.exe	vbc.exe
PID 3504 wrote to memory of 3336	3504	aspnet_compiler.exe	vbc.exe
PID 3336 wrote to memory of 948	3336	vbc.exe	cvtres.exe
PID 3336 wrote to memory of 948	3336	vbc.exe	cvtres.exe
PID 3336 wrote to memory of 948	3336	vbc.exe	cvtres.exe
PID 3504 wrote to memory of 800	3504	aspnet_compiler.exe	schtasks.exe
PID 3504 wrote to memory of 800	3504	aspnet_compiler.exe	schtasks.exe
PID 3504 wrote to memory of 800	3504	aspnet_compiler.exe	schtasks.exe
PID 3504 wrote to memory of 4960	3504	aspnet_compiler.exe	vbc.exe
PID 3504 wrote to memory of 4960	3504	aspnet_compiler.exe	vbc.exe
PID 3504 wrote to memory of 4960	3504	aspnet_compiler.exe	vbc.exe
PID 4960 wrote to memory of 3600	4960	vbc.exe	cvtres.exe
PID 4960 wrote to memory of 3600	4960	vbc.exe	cvtres.exe
PID 4960 wrote to memory of 3600	4960	vbc.exe	cvtres.exe
PID 3504 wrote to memory of 1116	3504	aspnet_compiler.exe	vbc.exe
PID 3504 wrote to memory of 1116	3504	aspnet_compiler.exe	vbc.exe
PID 3504 wrote to memory of 1116	3504	aspnet_compiler.exe	vbc.exe
PID 1116 wrote to memory of 2356	1116	vbc.exe	cvtres.exe
PID 1116 wrote to memory of 2356	1116	vbc.exe	cvtres.exe
PID 1116 wrote to memory of 2356	1116	vbc.exe	cvtres.exe
PID 3504 wrote to memory of 1500	3504	aspnet_compiler.exe	vbc.exe
PID 3504 wrote to memory of 1500	3504	aspnet_compiler.exe	vbc.exe
PID 3504 wrote to memory of 1500	3504	aspnet_compiler.exe	vbc.exe
PID 1500 wrote to memory of 4400	1500	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 4400	1500	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 4400	1500	vbc.exe	cvtres.exe
PID 3504 wrote to memory of 2920	3504	aspnet_compiler.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe
"C:\Users\Admin\AppData\Local\Temp\ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
3⤵
PID:1940

C:\Users\Admin\AppData\Roaming\VSWebHandler.exe
"C:\Users\Admin\AppData\Roaming\VSWebHandler.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
5⤵
PID:3160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1j3mczaa.cmdline"
5⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD2FB150DF634D288A85E473F2561C62.TMP"
6⤵
PID:948

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 30 /tn "VSWebHandler.exe" /tr "C:\Users\Admin\AppData\Roaming\VSWebHandler.exe"
5⤵
- Creates scheduled task(s)
PID:800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p2cx1e7m.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB77C53F0D2CE4EB1946647E713F21FF.TMP"
6⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n3ycj1tr.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F84.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3DD0D5F420E941FB87FB98FEEB9DFD20.TMP"
6⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dd7fytro.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC30705245DA6481FBAB28764AA614BFA.TMP"
6⤵
PID:4400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wbmm-qqc.cmdline"
5⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2215.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF2B39DBF71B4B8A8D22A147FC9C2150.TMP"
6⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2jcvbzne.cmdline"
5⤵
PID:4860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc625DCD03145F4C61B54F679BA4768B5.TMP"
6⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ug-bipti.cmdline"
5⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES239B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1625FC1962C34DEA88F5302E1754A1.TMP"
6⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1zmibfzu.cmdline"
5⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2466.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2623CB93B6E54F42B36475E1FC70F6D5.TMP"
6⤵
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log
Filesize
213B

MD5
542799505971e4b49beff1e58bfa61cb

SHA1
7a3939442a6a4f209fa8f5a6246eeb6d29621596

SHA256
af4e0cd2feb1b66da325e63c2b0f6245996c056b3707b8dd6b35b9f20b92c78c

SHA512
c07e2e000dd30566a394b171e0cf0927bc65c07b90825c688804f2b73ae1af70c30ed255a1ccc679a979dc4bd96bcb537ff69723aada4549fa81fe8657bc6a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1j3mczaa.0.vb
Filesize
156B

MD5
9e1dee95f0ac712137f952b89ec8a7b5

SHA1
f6b4b4ccff484b555f68ff04665d1008825200d6

SHA256
f3aad84d65de05390fae4231537e224084dc55c2db29f14f12e1daa9986fcfb8

SHA512
4b447b3a0842e4d207d6908179182d3c8d87082637bd643186dbdc066415c437af78286ed772386bd9fe661f6da3992e32cfff8c7c106cf7919a8b98c65776f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1j3mczaa.cmdline
Filesize
196B

MD5
c90588ec0943a8b7c438d7051e85bb88

SHA1
336437af1f0408a0b158f06b2cbe63e94a126728

SHA256
2d997b39ddb828b6a43aab4a2afb7295c23f969ac3b09151efe4d5828edebfaa

SHA512
30aa018a973a7c73e8b9cd95b06d464194155c6bf963f2f1ccdbe1331ac92f48cfb046009b1a81ed116b7c6d7be0b16ba3329c214549e5c592f1daefffb4934e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jcvbzne.0.vb
Filesize
279B

MD5
32ae120259d39688abca0b8779fa6f81

SHA1
1597cfb1b8533dae50befa9a965ed02abe974042

SHA256
19426267a4a5697af00c0ad53a2ff9916c24af648870f9cba11f5106bed9ca5b

SHA512
c20926574494678bc5c857e41f9513f4ca60953a61c14e6ca0c251c5810f8a0aac5f3238eb9a374fb2d7d72880a515938443a434dcf2ea4b077a397875e561b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jcvbzne.cmdline
Filesize
165B

MD5
b6c399ccb993128f1c4282d85b82ec57

SHA1
99c57a213788961f66160e3306e976a6a1a6183b

SHA256
a2bd7a58bb810b6a3575ebe8a23bfc14afb20a3812c488776e6d3361294952e8

SHA512
2bfe12a42f3209ef512ff1730e3bb09d54e98f2f5bcc21e72b3fe569768545d765d9c509f188aa8e6277aa97854d6bfaebc05cfd5f0fa3101184a1766586393d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C96.tmp
Filesize
1KB

MD5
ae76d4fe9750ea9f42c6432181638756

SHA1
7c1911846b05db6ded6dfaa76e37382f44a6712a

SHA256
eafc3ca5133efe3d4ab7dea213f3605ce631af71901387209f0acd23672e2a3d

SHA512
24bb3eb32e474962f862ec937b44c675b801b70ef097b4545662c2a4e536b73fcfe5289ffb91271573262b2f7c174e1d50727ff18adf33acdda586ce40819269

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DCF.tmp
Filesize
1KB

MD5
712f8da5b7660b22169b3931447de75b

SHA1
369cf96b86c6515698e95122e726fbce0a043ca8

SHA256
d2685b6d5f8c6ce4279b928d1618769042bee9e828ac40e2407cfb2647dc7bec

SHA512
7019a865a18ce047468ae3b8382baac28e232b6eb637d166d338d290cee09b31cf29086f9dcf0d4b3e1510b4ceca9a64ec77ac80f33e54b3bb473d5f3020b99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F84.tmp
Filesize
1KB

MD5
ec4ed1af0192c650bb83b1ea531c8c2f

SHA1
dca8e4c628156ef77fcd0027e055dd3af1bf1ade

SHA256
f0ef3a44fcdee8bd73a6ba135f3a0cf7adee1a1f7a44f7c4fc83343db5cfd03d

SHA512
6cc64a50bc513118d171e76e2fb35d035a9ec5e894b527f2b19fb008417e7cc2eef17b5d08d4f9014b8605527f4fe44e1cea85c15a2f097baaa6da4041eeca94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20EC.tmp
Filesize
1KB

MD5
7f3dc864a409b58994a3ffa8ccb50c87

SHA1
8e6eaf5490ba6245645cf426c45e1d963c7af1ba

SHA256
5cc6dad26e5ece4c39bb44fb91a4c30833d5e72b7698104f97c816624f3d7784

SHA512
0beac47a6fc10bbd6fdd8aa9abfdbb5938c77d4a287a52e12eda360b547e30ae3e1d71a714e8b65488208ae3e58fc99566958e210caa8e70f3bd1b734248d5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2215.tmp
Filesize
1KB

MD5
440d9311ee441daf10a926d97983ed58

SHA1
cac4b8a1beba668b2a81ae0b85fd9d018b5301d4

SHA256
7995ca6482bc5c056e02506418ad2b9dda952f0feb30b92eb07400f836b3f99e

SHA512
cdee9bf1f9cf3ef2417ba2b0eae26a7101978e99d630b699e79e19c1e75f943e38c188d22a5e393c8a19c87408192efa7f11bc93352352a3245130aa0c8bc130

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES22E0.tmp
Filesize
1KB

MD5
79987704e938fb6fa944ba0ad13bbd70

SHA1
8519a513548b8f893315990865f03a6644d6baf5

SHA256
acdb2f9ca849902ce5c0d3ec0f34796e392d85a5d8a372e86404e5155cd91543

SHA512
b44a0408c9aa9fd169ea3548a3865535842a3a9deabf2a44ae0b469bd7d0ae140e11d05fdccd820601accb024f509e74c5dad6944036649d03da9511ca39da9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES239B.tmp
Filesize
1KB

MD5
36a8601ba54e78122f9171f040d53f64

SHA1
1d2bb4bb44622f3486515249ed9316fd2f117713

SHA256
2ca4d77d1d07b7b744e3f1fb57d0686a8ae18f977f33964ec15b3e7e886fee0c

SHA512
df4bd2809ab3ea6d53a7bf9182117b28ed1575a31854af549b21db2f06ba70dbc16215beae3b1f2b2fa41accd21b2815e3bb4f311a5c593ce08a4f53a8bd800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7fytro.0.vb
Filesize
286B

MD5
750be3a336b188813cbf14002c1622ab

SHA1
bdbb7850be167682f7adf766a19add704aa5c18d

SHA256
72a018f7e0a78398a24435723d70dc18d2ef7ac70ebe7b300cd591450eea774b

SHA512
ecc7dbc9a98b6a14310849e1d42b5343659f4a1eef3170e5ee367bff41eef1fcd33ec718fac256e478241c531d81188ec7e255c5e5ff8791f11a1b7305b479f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7fytro.cmdline
Filesize
172B

MD5
24000b20dbea6703d6854bbb1039a7b3

SHA1
2310034692e44a33e2258b629298b66009af5187

SHA256
7d5869321221383f0668bf5df8847b538353a030f187d7d7cadf1ae26c6898a0

SHA512
9cb6eded8cfc06f7c6b40bf6480fa4561fcc1833339614fa55013154c1a84660ca3c3402e58017b6ee6bc5046b57df1afc1d23c75b70b644a155ae9784254ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGGjjtn.txt
Filesize
102B

MD5
fc62418d672aeb3432f3a66c0304718b

SHA1
d978bf54aea24e0ecc3256652189216beb2bd01d

SHA256
944b9e394372787889284070388c80bc39571d66b72b3ce46df133d14bf0cca0

SHA512
b6ea6150abfec716d84ddf32f5b83653f94f3a50e45b26946253f2f430fee14275c6bc8144816236bd196bb3c64c35a325bba6a44a0fd0dc6d5d418ca418342d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGGjjtn.txt
Filesize
47B

MD5
a371f2a72d2015157d4be46815d2d905

SHA1
c6f235339ddc10b4ac535a901758956c68c5b1ad

SHA256
fa4c32cef82b5b7b15cd4d371b58244eb7ed0971731d9fe92172638a3da19295

SHA512
f66f9b456a7daa2925c91b45f991c051e737e1f546db94d8e9b90e2c02a94e1a482a079508dbce2b3abd60fa6c3a5a30c8e552b96fba5709aae472994e600ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3ycj1tr.0.vb
Filesize
286B

MD5
e9bfe7a484d2903a7761e28503467237

SHA1
87e36965da83acdc88b016ecb98bff2e137abd2e

SHA256
b3fadb6d9f97efa96ee01d6eb64ebc55736f020e5824971b8b7c23cef270c9a1

SHA512
17a2a7e25d6c2052b364fdf996c9c3a76d18d5c52f2023e95582b358a2ad29e5a6d9aeb278374550253272d439bd2c75499fe20298de1b105b1efb8252d62278

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3ycj1tr.cmdline
Filesize
172B

MD5
d295e4112430242d116d15b366cd7cfc

SHA1
0d27c55a2e86d49218b92ff2ebd6ee58aaecb90f

SHA256
68777e74c0a04a62a828159e753f3725a807cde0392a0dd5eb6725a14c3ccaf8

SHA512
47cbad90de7bbe7b8cf2cf275194ee76db455765a9468e1431c82a795ccecbabe4ce413b536cbee3e1be9ccfb2e561bfa7fe2b88433e2750129ea5d00ea4d004

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2cx1e7m.0.vb
Filesize
285B

MD5
2d0ea4aea378d5b5c0b1c58eb7d21693

SHA1
31b1ba78de62288582f529ebed4601a376f01549

SHA256
012c712c2e6559ff7156cd784e8503d4068932ec2769d05ea4b6055b6e3f6127

SHA512
4f613052d4cc8b763cacc601b7b2386dbc6dc53e56fadb57208a9812db499979187e9f000a84ab303e8f19677a78cb88dbbbce29c8e6bec5c89cd2fe5e1afc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2cx1e7m.cmdline
Filesize
171B

MD5
cb92da0d895c24460dc6fb91e2eb37df

SHA1
02e5e0d648927a2ffb53cfc6dc85e54961e21b1d

SHA256
75be898c06f300e722e73801800c744475863e617e667c8a9f25995048bff7d6

SHA512
3dec3104f3c9745ab13d7ffc896ba82afe0e503d5f22eb31ccb9d2da09314deb162ad471d8c365264f52f72a85b5137df5975d05b7fa6e7375a43ebb90dd014e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ug-bipti.0.vb
Filesize
285B

MD5
3a97c8afb1f8bfb2f8f029ddee205ddd

SHA1
b78653f3f482a3d982ade9cb09e756aa290aab9f

SHA256
c1411bca9748fda20d93e2b5b3d81c29c3705c222a08d69b41973585e87939bf

SHA512
be58356d24a6052596495ba8badb01b1ac9f357fc85f38f1f64e69994a15531c5268c9515d3d2d70fc096cf7ed448623c478151e1f68d1a1a7a4e29810d464a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ug-bipti.cmdline
Filesize
171B

MD5
afc8f628c94642bcd508162f2c622257

SHA1
627c1407e08c95a503689c23cc6d21f2c3146b19

SHA256
3eaaeab4bb28bfc44a014c7fd1b1b3ba2220e45d67ea20de321a9da4906bd1cb

SHA512
15656b5f2dd199ea052a348f2bb51d0063c23fab7c4e42c51a062aa1ed5a92d743d0b992ee39d146976db571eed65b6e900b2973da3d986eda7f7543585441d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1625FC1962C34DEA88F5302E1754A1.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3DD0D5F420E941FB87FB98FEEB9DFD20.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc625DCD03145F4C61B54F679BA4768B5.TMP
Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAF2B39DBF71B4B8A8D22A147FC9C2150.TMP
Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB77C53F0D2CE4EB1946647E713F21FF.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC30705245DA6481FBAB28764AA614BFA.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCD2FB150DF634D288A85E473F2561C62.TMP
Filesize
668B

MD5
77aedfc8205b506572ec90bcf77c23a2

SHA1
ef0aa7e6181a365311524f9375d0d472624693ff

SHA256
08eb8f2a897c9e6cd7092806d7fa07a81d491e13ade826a0a4d429ddf0deb9e7

SHA512
b27e6dfbfaf275f64cf9a49c10c6e0768743027e9ba04ef46717a96a9cdf024e709d35df959d7ebcd66e2ed2a7253d02edc33aa1ef402a431d1fab87bcc8de82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbmm-qqc.0.vb
Filesize
289B

MD5
9b3135d599024aaacfa3f6b86a1c7315

SHA1
866ecb39b9932774edb530ad728b22fb1170ef08

SHA256
6fac2b378bc7c4f4396eb1d7df96c0b44654ccd28f2b14efcd6680c34afbe3e4

SHA512
d4851edcce3f47dcaed7f0528162dd6cd850e02ef50df4085628ac5df6eb7a5eedbe0254c66938b09af889486c406092ca438a38d614a3d1285a480d0bdb6fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbmm-qqc.cmdline
Filesize
175B

MD5
a18c7ceaf90982e9bcc8374914f940c6

SHA1
f6e71045150ad2206a3e0b143c9b82e1623fab3c

SHA256
f6721f99e13389d350601f3ff8916a01e349c09d5be4974db0a1c18e88dd251c

SHA512
29ede7b1f57d527445896aa6ca010f2afa8c9e2ec36bb5a4872dd87819346db4251dd49c7c69ca3d568daeb8450c8245b6e177d3d54a37591f02d626598ced2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.exe
Filesize
67KB

MD5
8f5d2e6c2fa3d1e8e10060524ff1d085

SHA1
add5129da13dcfaf912dd81a908cd464509a38c7

SHA256
ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413

SHA512
2e8ece0ad58abc64bb9182843eaa5427f3303f33630823c43b3fd0bf3af096c0ebc81b746a2be410fd8ef7152dd1b903680536cfd77a5e21a774dc10b5c9abea

Download Submit
C:\Users\Admin\AppData\Roaming\VSWebHandler.exe
Filesize
67KB

MD5
8f5d2e6c2fa3d1e8e10060524ff1d085

SHA1
add5129da13dcfaf912dd81a908cd464509a38c7

SHA256
ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413

SHA512
2e8ece0ad58abc64bb9182843eaa5427f3303f33630823c43b3fd0bf3af096c0ebc81b746a2be410fd8ef7152dd1b903680536cfd77a5e21a774dc10b5c9abea

Download Submit
C:\Users\Admin\AppData\Roaming\VSWebHandler.exe
Filesize
67KB

MD5
8f5d2e6c2fa3d1e8e10060524ff1d085

SHA1
add5129da13dcfaf912dd81a908cd464509a38c7

SHA256
ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413

SHA512
2e8ece0ad58abc64bb9182843eaa5427f3303f33630823c43b3fd0bf3af096c0ebc81b746a2be410fd8ef7152dd1b903680536cfd77a5e21a774dc10b5c9abea

Download Submit
memory/748-146-0x000000001C660000-0x000000001D096000-memory.dmp

Filesize
10.2MB

Download
memory/748-141-0x0000000000000000-mapping.dmp

Download
memory/800-162-0x0000000000000000-mapping.dmp

Download
memory/948-159-0x0000000000000000-mapping.dmp

Download
memory/1116-169-0x0000000000000000-mapping.dmp

Download
memory/1500-175-0x0000000000000000-mapping.dmp

Download
memory/1672-190-0x0000000000000000-mapping.dmp

Download
memory/1940-140-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/1940-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1940-137-0x0000000000000000-mapping.dmp

Download
memory/1948-184-0x0000000000000000-mapping.dmp

Download
memory/2312-132-0x00007FFA529A0000-0x00007FFA533D6000-memory.dmp

Filesize
10.2MB

Download
memory/2356-172-0x0000000000000000-mapping.dmp

Download
memory/2920-181-0x0000000000000000-mapping.dmp

Download
memory/3160-151-0x0000000000000000-mapping.dmp

Download
memory/3160-154-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/3336-155-0x0000000000000000-mapping.dmp

Download
memory/3388-193-0x0000000000000000-mapping.dmp

Download
memory/3504-149-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/3504-148-0x0000000000410DDE-mapping.dmp

Download
memory/3504-150-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/3600-166-0x0000000000000000-mapping.dmp

Download
memory/4320-196-0x0000000000000000-mapping.dmp

Download
memory/4400-178-0x0000000000000000-mapping.dmp

Download
memory/4612-199-0x0000000000000000-mapping.dmp

Download
memory/4860-187-0x0000000000000000-mapping.dmp

Download
memory/4960-163-0x0000000000000000-mapping.dmp

Download
memory/5088-145-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/5088-136-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/5088-135-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/5088-133-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5088-134-0x0000000000410DDE-mapping.dmp

Download