revengerat | 3cf32b77fcb1783f3c5dbbf82bf6630618691f3d51dadd015a9fd43e92d7bc6d

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

6.3MB
MD5

c5312ef3c2394517918f27aeec8b97b3
SHA1

9f49b322a92a3ce3914aaf30f6c8163b987ec678
SHA256

3cf32b77fcb1783f3c5dbbf82bf6630618691f3d51dadd015a9fd43e92d7bc6d
SHA512

13e6b5461d165d217a48f63052ada527b16bb9be4e1e68adf53ba2d8b895ca292e8301a86ca0d091c1449242375d069a19f5adc81bb4509d903a1a74c589fd27
SSDEEP

196608:hgcWmJcIhc9dDxt7xhw5ZV983405QYtsTEB08T8HehLvkU:7CLdltlhaZHwVdfB08TOeh9

Score

10^/10

revengerat system service evasion persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

revengerat

Botnet

System Service

anonymous83.ddns.net:4040

Mutex

RV_MUTEX-nawrHJfWfhaRC

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

FINAL1.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions FINAL1.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	FINAL1.EXE

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
behavioral2/memory/5092-279-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
behavioral2/memory/2564-283-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\xwizard.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\xwizard.exe	Nirsoft

RevengeRat Executable 4 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE	revengerat
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE	revengerat
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE	revengerat
behavioral2/memory/1060-157-0x00000000002C0000-0x00000000002CA000-memory.dmp	revengerat

Drops file in Drivers directory 1 IoCs

Processes:

SYSTEM SERVICE.EXE

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts SYSTEM SERVICE.EXE
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

FINAL1.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools FINAL1.EXE
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

FINAL1.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FINAL1.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	SYSTEM SERVICE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	FINAL1.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FINAL1.EXE

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exesample.exePACKAGES.EXEFINAL.EXERtkBtManServ.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	sample.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	PACKAGES.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	FINAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	RtkBtManServ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Service.exe vbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Service.exe	vbc.exe

Executes dropped EXE 11 IoCs

Processes:

PACKAGES.EXESYSTEM SERVICE.EXEFINAL.EXEFINAL1.EXERtkBtManServ.exebfsvc.exesnuvcdsm.exewinhlp32.exesplwow64.exehh.exexwizard.exe

pid	process
936	PACKAGES.EXE
1060	SYSTEM SERVICE.EXE
3920	FINAL.EXE
2140	FINAL1.EXE
2308	RtkBtManServ.exe
648	bfsvc.exe
4312	snuvcdsm.exe
5092	winhlp32.exe
2564	splwow64.exe
560	hh.exe
4176	xwizard.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
behavioral2/memory/5092-279-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2564-283-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\FINAL.EXE	vmprotect
C:\Users\Admin\AppData\Roaming\FINAL1.EXE	vmprotect
C:\Users\Admin\AppData\Roaming\FINAL.EXE	vmprotect
C:\Users\Admin\AppData\Roaming\FINAL.EXE	vmprotect
C:\Users\Admin\AppData\Roaming\FINAL1.EXE	vmprotect
behavioral2/memory/3920-176-0x000001606B780000-0x000001606C076000-memory.dmp	vmprotect
behavioral2/memory/2140-174-0x00000000002E0000-0x0000000000362000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\FINAL1.EXE	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SYSTEM SERVICE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemService = "C:\\Users\\Admin\\AppData\\Roaming\\SYSTEM SERVICE.EXE"	SYSTEM SERVICE.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip4.seeip.org
24 ip-api.com
34 api64.ipify.org
35 api64.ipify.org
14 ip4.seeip.org
15 ip4.seeip.org

flow	ioc
18	ip4.seeip.org
24	ip-api.com
34	api64.ipify.org
35	api64.ipify.org
14	ip4.seeip.org
15	ip4.seeip.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

FINAL1.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	FINAL1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	FINAL1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1096 2140 WerFault.exe FINAL1.EXE
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

FINAL1.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S FINAL1.EXE

pid	pid_target	process	target process
1096	2140	WerFault.exe	FINAL1.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	FINAL1.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FINAL1.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	FINAL1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FINAL1.EXE

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

FINAL1.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	FINAL1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	FINAL1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	FINAL1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	FINAL1.EXE

Modifies registry class 1 IoCs

Processes:

RtkBtManServ.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings RtkBtManServ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	RtkBtManServ.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

snuvcdsm.exehh.exexwizard.exe

pid	process
4312	snuvcdsm.exe
4312	snuvcdsm.exe
4312	snuvcdsm.exe
4312	snuvcdsm.exe
560	hh.exe
560	hh.exe
4176	xwizard.exe
4176	xwizard.exe
4176	xwizard.exe
4176	xwizard.exe
4176	xwizard.exe
4176	xwizard.exe
4176	xwizard.exe
4176	xwizard.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SYSTEM SERVICE.EXEFINAL1.EXERtkBtManServ.exe

description pid process

Token: SeDebugPrivilege 1060 SYSTEM SERVICE.EXE
Token: SeDebugPrivilege 2140 FINAL1.EXE
Token: SeDebugPrivilege 2308 RtkBtManServ.exe

description	pid	process
Token: SeDebugPrivilege	1060	SYSTEM SERVICE.EXE
Token: SeDebugPrivilege	2140	FINAL1.EXE
Token: SeDebugPrivilege	2308	RtkBtManServ.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

sample.exePACKAGES.EXEFINAL.EXERtkBtManServ.exeWScript.execmd.exeWScript.execmd.exeWScript.execmd.exeWScript.execmd.execmd.exeSYSTEM SERVICE.EXEvbc.exe

description	pid	process	target process
PID 4632 wrote to memory of 936	4632	sample.exe	PACKAGES.EXE
PID 4632 wrote to memory of 936	4632	sample.exe	PACKAGES.EXE
PID 4632 wrote to memory of 936	4632	sample.exe	PACKAGES.EXE
PID 4632 wrote to memory of 1060	4632	sample.exe	SYSTEM SERVICE.EXE
PID 4632 wrote to memory of 1060	4632	sample.exe	SYSTEM SERVICE.EXE
PID 936 wrote to memory of 3920	936	PACKAGES.EXE	FINAL.EXE
PID 936 wrote to memory of 3920	936	PACKAGES.EXE	FINAL.EXE
PID 936 wrote to memory of 2140	936	PACKAGES.EXE	FINAL1.EXE
PID 936 wrote to memory of 2140	936	PACKAGES.EXE	FINAL1.EXE
PID 3920 wrote to memory of 2308	3920	FINAL.EXE	RtkBtManServ.exe
PID 3920 wrote to memory of 2308	3920	FINAL.EXE	RtkBtManServ.exe
PID 2308 wrote to memory of 4652	2308	RtkBtManServ.exe	WScript.exe
PID 2308 wrote to memory of 4652	2308	RtkBtManServ.exe	WScript.exe
PID 4652 wrote to memory of 5008	4652	WScript.exe	cmd.exe
PID 4652 wrote to memory of 5008	4652	WScript.exe	cmd.exe
PID 5008 wrote to memory of 648	5008	cmd.exe	bfsvc.exe
PID 5008 wrote to memory of 648	5008	cmd.exe	bfsvc.exe
PID 5008 wrote to memory of 648	5008	cmd.exe	bfsvc.exe
PID 2308 wrote to memory of 4340	2308	RtkBtManServ.exe	WScript.exe
PID 2308 wrote to memory of 4340	2308	RtkBtManServ.exe	WScript.exe
PID 4340 wrote to memory of 652	4340	WScript.exe	cmd.exe
PID 4340 wrote to memory of 652	4340	WScript.exe	cmd.exe
PID 652 wrote to memory of 4312	652	cmd.exe	snuvcdsm.exe
PID 652 wrote to memory of 4312	652	cmd.exe	snuvcdsm.exe
PID 652 wrote to memory of 4312	652	cmd.exe	snuvcdsm.exe
PID 2308 wrote to memory of 4968	2308	RtkBtManServ.exe	WScript.exe
PID 2308 wrote to memory of 4968	2308	RtkBtManServ.exe	WScript.exe
PID 4968 wrote to memory of 1808	4968	WScript.exe	cmd.exe
PID 4968 wrote to memory of 1808	4968	WScript.exe	cmd.exe
PID 1808 wrote to memory of 5092	1808	cmd.exe	winhlp32.exe
PID 1808 wrote to memory of 5092	1808	cmd.exe	winhlp32.exe
PID 1808 wrote to memory of 5092	1808	cmd.exe	winhlp32.exe
PID 1808 wrote to memory of 2564	1808	cmd.exe	splwow64.exe
PID 1808 wrote to memory of 2564	1808	cmd.exe	splwow64.exe
PID 1808 wrote to memory of 2564	1808	cmd.exe	splwow64.exe
PID 1808 wrote to memory of 560	1808	cmd.exe	hh.exe
PID 1808 wrote to memory of 560	1808	cmd.exe	hh.exe
PID 1808 wrote to memory of 560	1808	cmd.exe	hh.exe
PID 2308 wrote to memory of 1096	2308	RtkBtManServ.exe	WScript.exe
PID 2308 wrote to memory of 1096	2308	RtkBtManServ.exe	WScript.exe
PID 1096 wrote to memory of 3744	1096	WScript.exe	cmd.exe
PID 1096 wrote to memory of 3744	1096	WScript.exe	cmd.exe
PID 3744 wrote to memory of 4176	3744	cmd.exe	xwizard.exe
PID 3744 wrote to memory of 4176	3744	cmd.exe	xwizard.exe
PID 3744 wrote to memory of 4176	3744	cmd.exe	xwizard.exe
PID 2308 wrote to memory of 4016	2308	RtkBtManServ.exe	cmd.exe
PID 2308 wrote to memory of 4016	2308	RtkBtManServ.exe	cmd.exe
PID 4016 wrote to memory of 4940	4016	cmd.exe	choice.exe
PID 4016 wrote to memory of 4940	4016	cmd.exe	choice.exe
PID 1060 wrote to memory of 4632	1060	SYSTEM SERVICE.EXE	vbc.exe
PID 1060 wrote to memory of 4632	1060	SYSTEM SERVICE.EXE	vbc.exe
PID 4632 wrote to memory of 224	4632	vbc.exe	cvtres.exe
PID 4632 wrote to memory of 224	4632	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Roaming\PACKAGES.EXE
"C:\Users\Admin\AppData\Roaming\PACKAGES.EXE"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Roaming\FINAL.EXE
"C:\Users\Admin\AppData\Roaming\FINAL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs7OohLZbYJaRSbgsdL3qHF+VKeg3jSI1WOfwSiuA/HV0pW9mgP8G3srknd2b3lBPGQ/wYBQmiQtGN1ZgtVC4saKgVIi0+sj0BECZLtzV+WpWqdHQYq1pK/EV5nF3StzFak=
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
7⤵
- Executes dropped EXE
PID:648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
7⤵
- Executes dropped EXE
PID:5092

C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
7⤵
- Executes dropped EXE
PID:2564

C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:4940

C:\Users\Admin\AppData\Roaming\FINAL1.EXE
"C:\Users\Admin\AppData\Roaming\FINAL1.EXE"
3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2140 -s 2252
4⤵
- Program crash
PID:1096

C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
"C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkd6snba.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EF3164F9AAF42F98ED6E13FC9B77771.TMP"
4⤵
PID:224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 2140 -ip 2140
1⤵
PID:4596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin_History.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
Filesize
4KB

MD5
b891b5489cce16fc87e912561bde5993

SHA1
08a8441427e19e47c4bd412c89d43b9904ac57bb

SHA256
f0743811f753d2fe3176907e4388d752b1d3e62a16863b31638f8dcf98767235

SHA512
6a81ff2e45f86c377614ee8696ca86a0ccbdcb3edd9225b70808aca45eaf3e2fc18cfa67486f46be30ef1862579cb1d1016c4b2368c94fb6432d80f4b9f5dd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies1
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies3
Filesize
11KB

MD5
4e8642aab067c28fba0f2a8496b126a5

SHA1
946c586f69555fe958b1268852d01537fe7180df

SHA256
e5f0c8bd8fab399e39ae040cf17db61288df0990da72a4f09dde88ed3cc6f1c4

SHA512
83563f06e6fcc04809c4ac4f5da73fd4418145b04e60e8625877d87d1d6ce56e438df8c3db786474a528fced723e87a5e88681db8a7b7af5b97bae2697cc762f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D3C.tmp
Filesize
1KB

MD5
cdd2fe5a070e6d5b0fa33715c236bb9b

SHA1
4f6d5a0922c43ac81438fb68ba18f7b9dbfd5bac

SHA256
93a7b0a5dacebc3f878afd25d8863e67455ddede2379a98277a9bf14f89ca81f

SHA512
5ac01f193d7acf54749d11c698c425bf15c1de4a485dd0b44f7447a59af0bd49e62fed53e782f67d7c68a35d8696a7cad245fa40472cd2586c760ec0c08b5208

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg
Filesize
529B

MD5
5242530a2b65089696f3cf8e5ee02ff7

SHA1
d604293148cdd953b3368c54920c043cffe9e1c1

SHA256
239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781

SHA512
7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhvD110.tmp
Filesize
14.0MB

MD5
0f6fd2b3e320840c29a1f3f1dc677921

SHA1
a2f861982931f78838cc4571fccd9f6bff9775a7

SHA256
a7223d67a3f3418d878c01bb35319f3ea7bc602e6971d92f57083ebf20e5e2d2

SHA512
508e7b2aa7d8877ff566ebdb1e563b272af442c4694607f4ba4cde2351eb679cc257cf621d063bd65c7e3d59200d606550928ced3cf111c66d0e264e63ea4ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
74B

MD5
808099bfbd62ec04f0ed44959bbc6160

SHA1
f4b6853d958c2c4416f6e4a5be8a11d86f64c023

SHA256
f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

SHA512
e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
156B

MD5
eb51755b637423154d1341c6ee505f50

SHA1
d71d27e283b26e75e58c0d02f91d91a2e914c959

SHA256
db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

SHA512
e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
71B

MD5
91128da441ad667b8c54ebeadeca7525

SHA1
24b5c77fb68db64cba27c338e4373a455111a8cc

SHA256
50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

SHA512
bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
70B

MD5
d90accebb3f79fe65cd938425c07b0ae

SHA1
9df3812a88d87dd419cd9e89afa5fb1d71be0dc9

SHA256
aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e

SHA512
44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config
Filesize
107B

MD5
5cf0b95f68c3304427f858db1cdde895

SHA1
a0c5c3872307e9497f8868b9b8b956b9736a9cdf

SHA256
353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa

SHA512
5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkd6snba.0.vb
Filesize
158B

MD5
fe4eabc997c7a167e1fbeac9bac62c66

SHA1
e5aa37e2a368dee352b6755947c0ee03bc565bd8

SHA256
c1f7fdedad51c8b8e2c6597763eb043b571a82720879dd35ef8b4588ecf0c289

SHA512
65ef77f64dd327c3d1e6b519618d111775cee709566e56207f5f92229964feb0b31d8a9eceb756127f39d25a5ecb8c4d1aaa5eb6a458d7cd038f77a0c0e3c9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkd6snba.cmdline
Filesize
202B

MD5
c76f5c6c4b6f7b6678c61592109e46bb

SHA1
1617f33729ca3078bf7084b75883b21fa3104d01

SHA256
46709f3123cf3bc7c7aa2e34c273d28d13b3d2724c64f1851a7835d9450d381d

SHA512
9f87845227cfbbd8875bce57b514b0086c500055621f1db00e324d5a1d0ef81cdb161181dc8e37d108580fa531f9393d46c9cfd5dc1533da001356b11d222b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1EF3164F9AAF42F98ED6E13FC9B77771.TMP
Filesize
676B

MD5
751ae76305422d9d886fdecfe0ee4507

SHA1
11235253cdcce52c566cfb6a47d556a884c45aff

SHA256
55d58db029cb1d62dece14ba90803a552d1bdfcf4ea34f66e4d9f8b1d6b13cd8

SHA512
a6bee99cbc516aa567b02a0f696a015cf77410f5fa0048cf34d84eb8ff2cf34d8a85ae17a484dd7fa3f397177406b414c69846c4f0b51bdcd755a323dbfa9b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\whysosad
Filesize
3KB

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg
Filesize
1KB

MD5
ae8eed5a6b1470aec0e7fece8b0669ef

SHA1
ca0e896f90c38f3a8bc679ea14c808726d8ef730

SHA256
3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e

SHA512
e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL.EXE
Filesize
5.9MB

MD5
84f0399f855ceff7bb020bca9c3bee1b

SHA1
4988dea4cf742dab85defdc89afe3ce092fc0a87

SHA256
bfcf07ea2e027d038aadc5f9986b28f2f262ae845541946592d36c1c16a0c5fd

SHA512
79c1698044afcde69938a7de67c24db5c0084e7a5f7a4f8a72203d150a2f783152aa5392c9df276374cd556b63508c32a218c989fe7e71aef1c077e39a97a7a6

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL.EXE
Filesize
5.9MB

MD5
84f0399f855ceff7bb020bca9c3bee1b

SHA1
4988dea4cf742dab85defdc89afe3ce092fc0a87

SHA256
bfcf07ea2e027d038aadc5f9986b28f2f262ae845541946592d36c1c16a0c5fd

SHA512
79c1698044afcde69938a7de67c24db5c0084e7a5f7a4f8a72203d150a2f783152aa5392c9df276374cd556b63508c32a218c989fe7e71aef1c077e39a97a7a6

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL.EXE
Filesize
5.9MB

MD5
84f0399f855ceff7bb020bca9c3bee1b

SHA1
4988dea4cf742dab85defdc89afe3ce092fc0a87

SHA256
bfcf07ea2e027d038aadc5f9986b28f2f262ae845541946592d36c1c16a0c5fd

SHA512
79c1698044afcde69938a7de67c24db5c0084e7a5f7a4f8a72203d150a2f783152aa5392c9df276374cd556b63508c32a218c989fe7e71aef1c077e39a97a7a6

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL1.EXE
Filesize
293KB

MD5
7bb3828c90ffa74016c20224368bd2b5

SHA1
f63228f3a89bea826c1d037c2a9f181dea34e2d4

SHA256
53acddd69e775049cd52ff66bf615a382548c2db2683726e79b14c1ddd9e4e03

SHA512
bb86b536828b0e42f0f9fe22ce53bdff95aeb335716b2dc43dd36aead66695d9990030911515b6e604c142d50599a759d5b59c07d20d0d178ac29e0498f73fe4

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL1.EXE
Filesize
293KB

MD5
7bb3828c90ffa74016c20224368bd2b5

SHA1
f63228f3a89bea826c1d037c2a9f181dea34e2d4

SHA256
53acddd69e775049cd52ff66bf615a382548c2db2683726e79b14c1ddd9e4e03

SHA512
bb86b536828b0e42f0f9fe22ce53bdff95aeb335716b2dc43dd36aead66695d9990030911515b6e604c142d50599a759d5b59c07d20d0d178ac29e0498f73fe4

Download Submit
C:\Users\Admin\AppData\Roaming\FINAL1.EXE
Filesize
293KB

MD5
7bb3828c90ffa74016c20224368bd2b5

SHA1
f63228f3a89bea826c1d037c2a9f181dea34e2d4

SHA256
53acddd69e775049cd52ff66bf615a382548c2db2683726e79b14c1ddd9e4e03

SHA512
bb86b536828b0e42f0f9fe22ce53bdff95aeb335716b2dc43dd36aead66695d9990030911515b6e604c142d50599a759d5b59c07d20d0d178ac29e0498f73fe4

Download Submit
C:\Users\Admin\AppData\Roaming\PACKAGES.EXE
Filesize
6.3MB

MD5
671fcb9a314f9edfb0b5367bf8c2a237

SHA1
d394d5b923500848b28b1eda036a1be6118526b4

SHA256
52c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910

SHA512
10c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712

Download Submit
C:\Users\Admin\AppData\Roaming\PACKAGES.EXE
Filesize
6.3MB

MD5
671fcb9a314f9edfb0b5367bf8c2a237

SHA1
d394d5b923500848b28b1eda036a1be6118526b4

SHA256
52c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910

SHA512
10c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712

Download Submit
C:\Users\Admin\AppData\Roaming\PACKAGES.EXE
Filesize
6.3MB

MD5
671fcb9a314f9edfb0b5367bf8c2a237

SHA1
d394d5b923500848b28b1eda036a1be6118526b4

SHA256
52c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910

SHA512
10c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712

Download Submit
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
Filesize
18KB

MD5
965dedfcd9f0a710b833ab55e46516cb

SHA1
25e03377de7902f58fb56674313e5463fbaa2131

SHA256
98920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288

SHA512
c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f

Download Submit
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
Filesize
18KB

MD5
965dedfcd9f0a710b833ab55e46516cb

SHA1
25e03377de7902f58fb56674313e5463fbaa2131

SHA256
98920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288

SHA512
c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f

Download Submit
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE
Filesize
18KB

MD5
965dedfcd9f0a710b833ab55e46516cb

SHA1
25e03377de7902f58fb56674313e5463fbaa2131

SHA256
98920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288

SHA512
c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f

Download Submit
memory/1060-237-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/1060-157-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1060-177-0x000000001C2C0000-0x000000001C322000-memory.dmp

Filesize
392KB

Download
memory/1060-158-0x000000001B550000-0x000000001BA1E000-memory.dmp

Filesize
4.8MB

Download
memory/1060-171-0x000000001BAD0000-0x000000001BB76000-memory.dmp

Filesize
664KB

Download
memory/1060-175-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/2140-179-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2140-174-0x00000000002E0000-0x0000000000362000-memory.dmp

Filesize
520KB

Download
memory/2140-178-0x000000001C620000-0x000000001C630000-memory.dmp

Filesize
64KB

Download
memory/2308-230-0x0000022537E60000-0x0000022537E70000-memory.dmp

Filesize
64KB

Download
memory/2308-232-0x000002251DED0000-0x000002251DEF2000-memory.dmp

Filesize
136KB

Download
memory/2308-199-0x000002251DE50000-0x000002251DEC6000-memory.dmp

Filesize
472KB

Download
memory/2308-239-0x0000022537E40000-0x0000022537E5E000-memory.dmp

Filesize
120KB

Download
memory/2308-293-0x0000022537E60000-0x0000022537E70000-memory.dmp

Filesize
64KB

Download
memory/2308-234-0x000002251DF10000-0x000002251DF18000-memory.dmp

Filesize
32KB

Download
memory/2308-195-0x000002251BEE0000-0x000002251C1BA000-memory.dmp

Filesize
2.9MB

Download
memory/2308-233-0x000002251DF20000-0x000002251DF3A000-memory.dmp

Filesize
104KB

Download
memory/2564-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3920-176-0x000001606B780000-0x000001606C076000-memory.dmp

Filesize
9.0MB

Download
memory/3920-185-0x000001606FB00000-0x000001606FB10000-memory.dmp

Filesize
64KB

Download
memory/5092-279-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download