revengerat | 887a5f4352e0843db758b3f24510b279e45df0402bbaeaa0f140e23cff2ff7f1

Resubmissions

10-06-2023 17:44

230610-wbfpcagb5s 10

10-06-2023 17:33

230610-v5b3ksgb3y 10

Analysis

max time kernel
1787s
max time network
1792s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2023 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000.exe
Size

141KB
MD5

615a60a3ed965581edbcca2b9a26646e
SHA1

44228940403b156db8aef47c2807fd8b8cd382df
SHA256

887a5f4352e0843db758b3f24510b279e45df0402bbaeaa0f140e23cff2ff7f1
SHA512

c6db373c283703994fa5f28405e0532a98c35763cf772e61f714c9f0acc086a09ce91765a7f1b42e66ea35878a75a0c1d881077c2678b8192e15205006e5ad18
SSDEEP

3072:Wh7Lc4VoziXk1nwqEgsCFlkan2hlxVjSXUg:WZcJziXIwxMQ5

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/3948-135-0x0000000000400000-0x000000000042A000-memory.dmp	revengerat
behavioral1/memory/3948-137-0x0000000000400000-0x000000000042A000-memory.dmp	revengerat

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

000.exeMSBuild.exe

description	pid	process	target process
PID 1180 set thread context of 3948	1180	000.exe	MSBuild.exe
PID 3948 set thread context of 5036	3948	MSBuild.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

3948 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

000.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 1180 000.exe
Token: SeDebugPrivilege 3948 MSBuild.exe

pid	process
3948	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1180	000.exe
Token: SeDebugPrivilege	3948	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

000.exeMSBuild.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 1180 wrote to memory of 3948	1180	000.exe	MSBuild.exe
PID 1180 wrote to memory of 3948	1180	000.exe	MSBuild.exe
PID 1180 wrote to memory of 3948	1180	000.exe	MSBuild.exe
PID 1180 wrote to memory of 3948	1180	000.exe	MSBuild.exe
PID 1180 wrote to memory of 3948	1180	000.exe	MSBuild.exe
PID 1180 wrote to memory of 3948	1180	000.exe	MSBuild.exe
PID 1180 wrote to memory of 3948	1180	000.exe	MSBuild.exe
PID 1180 wrote to memory of 3948	1180	000.exe	MSBuild.exe
PID 3948 wrote to memory of 5036	3948	MSBuild.exe	MSBuild.exe
PID 3948 wrote to memory of 5036	3948	MSBuild.exe	MSBuild.exe
PID 3948 wrote to memory of 5036	3948	MSBuild.exe	MSBuild.exe
PID 3948 wrote to memory of 5036	3948	MSBuild.exe	MSBuild.exe
PID 3948 wrote to memory of 5036	3948	MSBuild.exe	MSBuild.exe
PID 3948 wrote to memory of 5036	3948	MSBuild.exe	MSBuild.exe
PID 3948 wrote to memory of 5036	3948	MSBuild.exe	MSBuild.exe
PID 3948 wrote to memory of 5036	3948	MSBuild.exe	MSBuild.exe
PID 3948 wrote to memory of 3588	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 3588	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 3588	3948	MSBuild.exe	vbc.exe
PID 3588 wrote to memory of 4100	3588	vbc.exe	cvtres.exe
PID 3588 wrote to memory of 4100	3588	vbc.exe	cvtres.exe
PID 3588 wrote to memory of 4100	3588	vbc.exe	cvtres.exe
PID 3948 wrote to memory of 3372	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 3372	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 3372	3948	MSBuild.exe	vbc.exe
PID 3372 wrote to memory of 4592	3372	vbc.exe	cvtres.exe
PID 3372 wrote to memory of 4592	3372	vbc.exe	cvtres.exe
PID 3372 wrote to memory of 4592	3372	vbc.exe	cvtres.exe
PID 3948 wrote to memory of 4504	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 4504	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 4504	3948	MSBuild.exe	vbc.exe
PID 4504 wrote to memory of 3840	4504	vbc.exe	cvtres.exe
PID 4504 wrote to memory of 3840	4504	vbc.exe	cvtres.exe
PID 4504 wrote to memory of 3840	4504	vbc.exe	cvtres.exe
PID 3948 wrote to memory of 1656	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 1656	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 1656	3948	MSBuild.exe	vbc.exe
PID 1656 wrote to memory of 4964	1656	vbc.exe	cvtres.exe
PID 1656 wrote to memory of 4964	1656	vbc.exe	cvtres.exe
PID 1656 wrote to memory of 4964	1656	vbc.exe	cvtres.exe
PID 3948 wrote to memory of 3096	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 3096	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 3096	3948	MSBuild.exe	vbc.exe
PID 3096 wrote to memory of 2836	3096	vbc.exe	cvtres.exe
PID 3096 wrote to memory of 2836	3096	vbc.exe	cvtres.exe
PID 3096 wrote to memory of 2836	3096	vbc.exe	cvtres.exe
PID 3948 wrote to memory of 2968	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 2968	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 2968	3948	MSBuild.exe	vbc.exe
PID 2968 wrote to memory of 2772	2968	vbc.exe	cvtres.exe
PID 2968 wrote to memory of 2772	2968	vbc.exe	cvtres.exe
PID 2968 wrote to memory of 2772	2968	vbc.exe	cvtres.exe
PID 3948 wrote to memory of 4380	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 4380	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 4380	3948	MSBuild.exe	vbc.exe
PID 4380 wrote to memory of 1180	4380	vbc.exe	cvtres.exe
PID 4380 wrote to memory of 1180	4380	vbc.exe	cvtres.exe
PID 4380 wrote to memory of 1180	4380	vbc.exe	cvtres.exe
PID 3948 wrote to memory of 708	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 708	3948	MSBuild.exe	vbc.exe
PID 3948 wrote to memory of 708	3948	MSBuild.exe	vbc.exe
PID 708 wrote to memory of 1292	708	vbc.exe	cvtres.exe
PID 708 wrote to memory of 1292	708	vbc.exe	cvtres.exe
PID 708 wrote to memory of 1292	708	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\000.exe
"C:\Users\Admin\AppData\Local\Temp\000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
2⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nrsskqnk.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBF9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF549FBB3BF3A462F80CFA8B937C2F12.TMP"
4⤵
PID:4100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhvk87uz.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC17E8972D5C14A86B8AA7EB64F20A37C.TMP"
4⤵
PID:4592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f5kzlctb.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AD4D7DC651C475FACC8F38D9396DA9.TMP"
4⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j7vaxoxl.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF25.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73E4273BAFA41FFA87C8C9581C1E399.TMP"
4⤵
PID:4964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c8umzdzr.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E6EDA5CECA646C599198227ED8DAF8B.TMP"
4⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hxjtoyhh.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES119.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8CD0E7A76624279A9B845AFB393E46.TMP"
4⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kevcsdxy.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7E0CCF1C6A41948AB37D06863CFA0.TMP"
4⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w8mrtmpg.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc788E422DCAE4EF3A2AA2C82DB72834.TMP"
4⤵
PID:1292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cpjl14pd.cmdline"
3⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B5041648BD649F9BE2AFD74F9A494E3.TMP"
4⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvisb9si.cmdline"
3⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE20253BB71D942D682D165BEA4E849A0.TMP"
4⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yilcx8eu.cmdline"
3⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FA0548AF4B449BAA6AF6BFBB679ABA3.TMP"
4⤵
PID:4912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ct870yop.cmdline"
3⤵
PID:1068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES714.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4C1BABE871F46FE81A49B46BB5465.TMP"
4⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nuibuxjf.cmdline"
3⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC56CDEDEE734EE2AB19E12094C289FF.TMP"
4⤵
PID:3372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nopfwp3_.cmdline"
3⤵
PID:5076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9EE2420893534B55BA3DAFB1D2376CD1.TMP"
4⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1rvuonnj.cmdline"
3⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5210E0E5BE042CEA771EEC268F75F7.TMP"
4⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xf6k8j9l.cmdline"
3⤵
PID:440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8323490CAC4C440791F7ADE9B1C3A5EF.TMP"
4⤵
PID:3740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rolsjezu.cmdline"
3⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BBA658D6F9B40DB866399F5238529F0.TMP"
4⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2tdlziu2.cmdline"
3⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6ECA277BB8C3417ABEE0201BD17C792C.TMP"
4⤵
PID:700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\objv59zr.cmdline"
3⤵
PID:4136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB3A395B76244212A74081FA37453068.TMP"
4⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a0n1myqg.cmdline"
3⤵
PID:3232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc170D6C2641A14484992E81A4B2CE813A.TMP"
4⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rcakypem.cmdline"
3⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88A16BEDCAC84BCE9A748090C4FBBFBD.TMP"
4⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_4xvd9bs.cmdline"
3⤵
PID:1820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63303382E87548FD9033A39FF5CF99B8.TMP"
4⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yehjjita.cmdline"
3⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1175.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BB421E947E14000AFD9A299FB14C42.TMP"
4⤵
PID:4144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\DumpStack.log.ico
Filesize
4KB

MD5
9430abf1376e53c0e5cf57b89725e992

SHA1
87d11177ee1baa392c6cca84cf4930074ad535c5

SHA256
21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381

SHA512
dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES119.tmp
Filesize
5KB

MD5
9ac907a569876d62babb8e9cb04f020a

SHA1
e486678ae67e7ae29b4a144da273c3fda6d95b46

SHA256
78398fbd2940ba16f1c94c97dda3e0f290589c6a2b926296cac97002aa9e3779

SHA512
b1128f7e0b3f3482ccfa7c72ada2a20102fa0637151d0ac2b253f0051438e3ac3dbd7fc85d4f36af1cc898a85ba3dc4e3ab3767ada14e4f888edef6a61d6ca1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E4.tmp
Filesize
5KB

MD5
7d2a82bef998a7d14f62d640dfe5f082

SHA1
99877701d2650ac05003a052854b0cecacea7e9b

SHA256
0c704ab9ef1ffa84509698afc92fde6383da85504a18a1a9296dd6498e68d5a3

SHA512
cb1969ce16b6f4dd886183dd82169d213ab5663b6cae42517b180d34f9a507234d4eeca22ae93364d43689f1bcf070ef8dbcd52597b0852f0e23506bf8653a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES32C.tmp
Filesize
5KB

MD5
5770530bec1093942de86751caa9eb6c

SHA1
26e7b858bd36a15ed2da8336b9058c9daea932af

SHA256
d94abcefb527e32a473148e50bfca01f465cbdf70c7b88fde3a5e37f0eb9632c

SHA512
cc781b675763f6a5506dacbd488d87b21b58cff2143de9bfdf50018419f7adb31bb13fe5a5af6d52314708a18c1701b1937ff242e75ac137f40f78c2cf3b6b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C9.tmp
Filesize
5KB

MD5
ccf1edd9fa341aed868a41cd3fe33b32

SHA1
26f9102ea6cfd4051b6e5c7eac9686f24e847ab5

SHA256
2743ade835033f55bab91c077c484b16ae6895ddefbd52fbc8fba369d3c19a84

SHA512
cef9e4f1510d5a3b6873224fb74a69f3aab4ca1d3760f860f41b7ffba88ca111d1007baeb19587aaea0d37a0104accdcf06ff38fa81870efed9afabcf62d8ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E2.tmp
Filesize
5KB

MD5
839a9284a3d5f8806d102acb12734b3e

SHA1
1fd3e10b08e4e5b78e9bf6a5a0819bb325d5f1bf

SHA256
1d916914525ae99e747cacc956402f1ed1e7205324090e363ac29b9889204040

SHA512
b9fbfc9ef4ed0ed0473c37717eed3357b68fcb853ef7a2665bc73d0827f4160661b3f55463751ecd2f6a1e8e387ce114b2340574aa6ab693cae6dc00dcbb464a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES61A.tmp
Filesize
5KB

MD5
13a4172213c0a0369ac506fcad368a54

SHA1
26aa8a0a2f05afc4d031ea48e3c7cc74bc7a1b6f

SHA256
fb8eddaff0fa13e54742bc6e4f3e3e0cdf3bc7056cf6792e03a631da2214bf5a

SHA512
1c5796c835d0887c6711d30743b992c92727283f7e74c82f539017418c4046a8570686ab9291339e940093108d6b6ccbdc0e671d3222a5b400901af7de6b3163

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES714.tmp
Filesize
5KB

MD5
47a78cdc219e402c92dba4371c938e31

SHA1
84e0b6743df80067176c94ca7a8fb00971d0e875

SHA256
64f9d7855377b50a1b7b958074a3328fc65f433ae95fe15488da1ea4a90f0207

SHA512
824364a8af2f9ebd48e342f6f10b32477769344ed63c4895573015e803c059e90bb01194253358a9c07e792ded536aca444845c82ac70e3da46a8cf6a1c33662

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A1.tmp
Filesize
5KB

MD5
4114dc5205bbac88344049ab5dde71ca

SHA1
dd78ad5b5cb074aa6e0d6a09bea457d41f674a0f

SHA256
02b3c790b20da97e68504cb01c67ca280ffdaa01c3af7a62e07c98b3ab18be37

SHA512
7bbbf833c788cfac5a0072b53ef23633725ed66e4cb9e4168d0d76284b1f28acc1fe570ffa4bd5588dcbe2581718e6012243283802ee241064aab45b5cb74d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFBF9.tmp
Filesize
5KB

MD5
a8b9dedccb90a12614022e1c2746c84d

SHA1
af34913c23760fabfc11a844caa8159e5c2d68d0

SHA256
73112c8fabefa068e993fa1de890315c57bcbadcc21b12a7635a8f115b3d6f83

SHA512
b49437de7694e41377049727bc7731266f9c63d22f107283beb6b82de3e9d54d6c61c366b79db615631e3f8421f657ffe8dfbf4ace0b6467109200db4aea6597

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp
Filesize
5KB

MD5
9a8a7e3396fb1f4de11562592e34b58e

SHA1
77d68a7f4462d4a7236d07dd12f4f19fcbdd0842

SHA256
ad351314a58f98dc0732dc3136aca9f01e120d307b8d56f3bc831a8626673729

SHA512
8f0b109ccd975825c44c269d900d0e96ed0c30a3cf08754bfedb80456707793c0ea971aaf068ccd12d24e723bc17aeb744998b801d67400718fd8462c6cfbf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE3B.tmp
Filesize
5KB

MD5
e28a530a906688e6936619e2e0c6f42d

SHA1
5457181edcaefa36d2ce4b7721069db708d8747a

SHA256
73a202a829db5deabc6ce4bee2338cdf887ce00eefcc189a87063eb44418066d

SHA512
a4e3b816e2fa4bfcc2a7832a5297a3df0f9c50b5c2a10a6d3dccbc0bbc613886d84110193774ea9ba14a2e9b7a0fbacd95ed8da643ee3112942e8ed0cb955a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF25.tmp
Filesize
5KB

MD5
3d500ce33b771274d0e468449a159fa3

SHA1
2887d0cfd4faf0620c16a15818740eee21c1cf6e

SHA256
3c3e6484891bbd50f8745f94052578f231e580adea0843d0b717bed940984768

SHA512
db77fc6c1165ce6bd05df7d3cd85dd29ad52b95a632049b56b4b98071b93d3df853438bf9a37cab8288dd72062087a9a89a7e5a906fa33045b0ae3c9fd07a362

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8umzdzr.0.vb
Filesize
358B

MD5
e4959cefd2ff3c5415bedb52ac89f7a8

SHA1
23089808006f7d07242e1cc2e83f004bb0d8b5be

SHA256
16d50cf1ae681bca71fba00d9f82b1d29fd3b90d2af544642e83784b7a5e1935

SHA512
687e93387bea5d0f9ff76e71e61bd985a044883cc15566d00a1365e7cd91a4081ba7e10c939965d7f27291a1425ade281e903aa0ecec56d06ee43eb491b2c06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8umzdzr.cmdline
Filesize
227B

MD5
dad1f08e7b1654ed3908b9739bb88297

SHA1
d94fb2a0fc8d9658776fb5e48a88120366680a09

SHA256
3764c3c26433e0c0455f3048730ff520d655645f94e0b62ade5b2791aee8836e

SHA512
3067bc6917e71507f028da1ae0a54189efa96e046a2ab0d65b39135cd785176e72900d7ea15f786a1e236aefc790c67fd6245dd809650ff965219f3357797c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpjl14pd.0.vb
Filesize
379B

MD5
498dc79ea1ee0bdd0a6d1691278f06c0

SHA1
6748ac2850a2e26a2378b85856b87c25edd86496

SHA256
ad939bcfff331f168ab9f4e374c10c37753cb6a86b0492dc1ff6da96ad569a11

SHA512
42afc7a0cc08fe9dd55b3d29f23615620626c1a20bb7f04d4385471b65867a88f9a24632be9c8999845a90167b434a98673ba611aad5173bd6ccd84d82ea2cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpjl14pd.cmdline
Filesize
270B

MD5
658a735aaa2fb176078bc3e9a00bf7c2

SHA1
c79dc34ac11eda390f3d5e248ff47de59aaa6628

SHA256
bbd55778d87f9e25492e533484110dd2c177ecffa1f3ef299c3ed8822e1c82a5

SHA512
d208ba42151b9a8417c160f9725f556cd91ccd8db533fbdef20fad853f3ae5489102329dc77993d349f11c78b6f371851525c19ea60d56ea79461b6b82659406

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqqNLCGR.txt
Filesize
41B

MD5
1900bc8dcd330462ccd0e7aaeb3be7eb

SHA1
fe66e62e4de26262015301abc7eca5fb37cb6c97

SHA256
acb2c9433101c210f72b7b0d27be53f4f9a64ab13127e576df203e05822d930c

SHA512
35f735f588b5feb58bdb7d8657d41087b2693066b9850d458dafa54209e8773dc5bfa69340b848f1562bb25f4ac7a41625c0922a47b9406d517463d33f2873b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ct870yop.0.vb
Filesize
378B

MD5
4c51c2a6df97bfd5a2a86ed2caea6f00

SHA1
a4bf7d0bf652d6882539e63b4b0acd7201a443aa

SHA256
e1cd3aabb0abcb0bbf888cc98c8aae0b8a2c5bbe476eccf8b9ad60a2be75c820

SHA512
f8fca348ef04d148039bcfbdbea60865a32e99c02ec7679f2a9d401aa203f874e9796a9a8c381d8353c9be3f2984b29bf9c6a30a840fc1966d78e1a4e733967a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ct870yop.cmdline
Filesize
268B

MD5
2df7661d3e2604513c54355dc5f311ed

SHA1
90ed5201b6459b9e6fc37aa568022215eb4781da

SHA256
a3e373f599b5a14dc685ad33a0072e7c3f118a476db101a5c5ae6d2e357d5d60

SHA512
9cced7efdd23f36dc73c4ef5e6003ba47dfa5b31abcbbe0667f2b2f00b6f76759205b0d3e479fe0135d3d86ad2bbf624ea93be62123b741bec23d8fc08195060

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5kzlctb.0.vb
Filesize
358B

MD5
614076d5efe1de7e69ba1be9b1a9c5e7

SHA1
d85b9dfbb362e4a0a44dc5edcc45ccc29138e0c9

SHA256
6dabb422abb23ac6a5008aa1580a15a19ed40bddba3a974350efa3c91581db8d

SHA512
820be266935fe4fe5c670e37ca5bd6a5f3ebeb2d4af0f426a2b405aa2ce53912d6682946c9322e714e28ef79ae1dfc86dd6229662808ca42c2778a0e07b05cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5kzlctb.cmdline
Filesize
227B

MD5
b5a62ea1962ea1d41432a545b2d5fe6e

SHA1
897041a85cd29aec030b4506b2521bf8352b374a

SHA256
8b32003f4af509eaeb5edf3902a703b5f5875aebc8dcf0d55c65edcec61ddaa1

SHA512
27adf128f74e608471cc601c9105addc372e015edd036619c15f893f2b3c0a5d15b3ae4cab0ea776fcacabece6c265a8e71d05dc1148dd7ca4f28902b504acf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxjtoyhh.0.vb
Filesize
376B

MD5
a6a965310e6da43b15e010a1826400ce

SHA1
0acf08e8c17584d808a29b2a73ae5ecd31223ec7

SHA256
52d3dc1d95ba8761a4f118ab59aa448eaef95e0a610a386dba42681ab7cdedab

SHA512
9d94778b0b435edf31a2a50cfb10cc8afab134443a08ef4f60ca6f75db943f9ecd8f5848a2babe0c1f5a773c01f034f1c2f930d1c67acd4f405796958e3b62a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxjtoyhh.cmdline
Filesize
264B

MD5
5c849cbfd392fdb71ba7d52d36f6fe29

SHA1
03082cf68d209dc24749c1ff9f22990b4ebd5eba

SHA256
0bf8cf58bbe8a8e127215b22a1ef66bbf12ecfeaf704871deefe3daf36b5c220

SHA512
577ecbcfc67e551c6c557a37bbea0e43279a2fd79f9a09dffbefa06d67afae48d8dec34dae1f029f8904b01a58d0471862300728483edc3411a51da98574c29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\j7vaxoxl.0.vb
Filesize
372B

MD5
8704035c09268a122bdc833805dadaf6

SHA1
c2d0d60ef2fe865180440a690fa750e8ccb3c6e0

SHA256
3e02ef64a1267dd8fc89176000d6a173b0f5fea17538b5127182e4aac927a5a1

SHA512
d1946cbc09fe0b42b58e3e6b6ee6633564c94eb3612bd0e3da3dc8ad8675ce7038a2c3f3aa9ff86cfbcba32fb53a4d5cc226bf926b363d782e59c6c059291922

Download Submit
C:\Users\Admin\AppData\Local\Temp\j7vaxoxl.cmdline
Filesize
256B

MD5
32eb951c579e8a8fd56acd13e32bbf11

SHA1
0e540d1505b65be6c488e3e859d7393b9228f9fb

SHA256
1caf08041db765fd327d5ea6d745b3a0da2ac69a8481fd38b3912b6856951087

SHA512
93e3825ab6910a7d0207aa86aff1f62573abd4f7e649f2005af33296b8765f2e311584558ead7e94331fb8bb0ea43dc22f329a4637d9604d70cdbfd2d5bb2951

Download Submit
C:\Users\Admin\AppData\Local\Temp\kevcsdxy.0.vb
Filesize
379B

MD5
a1e5e5a25d9102776eacb7f02b8d5dbd

SHA1
a06149d75d2081fdb900b87a547b5b37377c014e

SHA256
aa2c704fb48d1e689dc92966dd951d647251aa892c93c3aa9a60454bdf88140d

SHA512
5e0f6a71974254118768a2b5b083f74278fa9bf2d4ad433a54bb068bc070553b87c06b76dcd00baa146bd10ba499b9033c7e58e0cdb54dedad0754708199502f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kevcsdxy.cmdline
Filesize
270B

MD5
b8fdf40cdbc058254c0eff078310ef11

SHA1
905f98c9248341c899951a495457ce19ca04290e

SHA256
fd13193e422b50d50532fcedb811af449e1a076e34b5968b2cdd9729886e8707

SHA512
1afe8ef5c5f6674a4918681ae5d0f0a6fe7bd51c579e282b5c2e960569781d551e9c3e522df360239cf38234a2b6c0236c3ea0dc8d184553ddfcf079a77ccb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrsskqnk.0.vb
Filesize
350B

MD5
6317145e389f4d6d3a024cc445158eab

SHA1
4fa8d0d4496a3c0594394ad0dd983525636848bc

SHA256
6a1f06767fe3473e4d6c427e9e8c3b5e42740393e2fb3db3a5851ffabf2ee677

SHA512
ce4e32f6f958c63c1d36cea9932f8515d9121e1f6357e7d003c7a1d2dd397a39052df9ddad2655dc68a2eec98f1e18ec2a1e46ced4b7e05453b06f8e1d92cce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrsskqnk.cmdline
Filesize
212B

MD5
fa7ecfa492e655ed1a94c0573edcc3e3

SHA1
77ae6f5d2d05b5edcb19a2b5445d85e54f3df157

SHA256
6feaf4832446cd3de3ee9bb32c54d4d207a49660935b957e40fbb13f7dd3e862

SHA512
2c6b32d6be297e57863e1f2f337fee7bd934363df03529ad90567b7d34ea151b733a34b128139e55fabd5edfdaee1521a064e15395d27acb2082dfe96b0e422e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuibuxjf.0.vb
Filesize
381B

MD5
f470fe6cc2eba3bfe0c9a84514445373

SHA1
cfd5fbb9d33e7e719211166c8b79adc667c720b0

SHA256
a49242c36e2be53c2b70ff9fe90a3d816ca48ff0b1964af2dcda58e1dcc60e30

SHA512
2df6f346c9367d19d7d98ae8a6a9c9599d9376fe6dc806fce3adf011642b8a9d7b80c28265e91d9b064a00922e284dc68c22e16dea0d3d8f28578ec425cc8aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuibuxjf.cmdline
Filesize
274B

MD5
f3db4ede3e2bb625761d72d8adf96bd0

SHA1
7ead95ff038d9a1401fd94c0a25cfa81b47962d8

SHA256
289e16d72b9d83d97d8e5a550f54ec604a80d24c6719e7f9b1d732ba1679e4ba

SHA512
def44d8352dda9a1a830a4c180333e2f817fe95a9fedabeba90ef4d2453fae86b8464ce8b8624eb642c56e670f3b7c5d25dbfd9fea2609f0d69caee9b422cbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvisb9si.0.vb
Filesize
378B

MD5
8be72add8abbc659561316640fae8207

SHA1
7b1bb257f14ba7c5373749fb720ba7eb05066ae4

SHA256
63dd3ff7e4b6597e1f9c5eb36377938c01d19163776886b382f55a75bb4a4faa

SHA512
2e488eab190eab53665b7867d6bf2f639a55280595bd89afb2cbbe8d0643efc7f5a72a1d0e645740157a4a508fb01dedc65d68d1dc911756c474c05558d1bad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvisb9si.cmdline
Filesize
268B

MD5
7b01b23869bccf7480c0357d1b4e2178

SHA1
b9528169fd08c54b2a35b1c2f22a44b48803eaa8

SHA256
51edf42fcf9e0fb8f6dfe592ed83aa4a200642685f1096637362e2f3bb658fa0

SHA512
7dec60a1826789c71928ba1c771a0259cbb0a94f4c1004f01646e89b4a6cafc2fc046b8193fd2b132f18ed8647437f5ed4b9b83a4501cf3776b78fb94b5b4f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1FA0548AF4B449BAA6AF6BFBB679ABA3.TMP
Filesize
5KB

MD5
025a25a8a6daeb2595e3e35435e3e9ed

SHA1
f398b872ddfbbd7138bc9fc8415d4c006a541501

SHA256
cce3d178ce3631de12a5ae960db1675b1c8ba4f57b8fb48cf40e710534840634

SHA512
6a8fb041942423853bf891216e6172a7896f57e4fb261fc3f7ac56e1db23d875bb46663cdb65e4b385af189dc897c6ba593b67c7b64efe31d6001b5a4e962ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6B5041648BD649F9BE2AFD74F9A494E3.TMP
Filesize
5KB

MD5
f557520e852319c05fab72adc937d6d1

SHA1
150d40155b074dc17ce54603558034e64873b264

SHA256
b432200836c325f4bb6f9165dac643d17fea71cf3c9a7aa65379341f71775b2e

SHA512
5a0f58f7a3539a3e82c02812b7046d380b4e8c48a2d672dec75a4189a285afbce344b2a19ccbb9a75dc75ec86923fa67ce1c8a1054a18d115fa5dd95f2efb96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc73E4273BAFA41FFA87C8C9581C1E399.TMP
Filesize
5KB

MD5
b858e8f4e6438c69c1772178b9fc5de7

SHA1
5258ccacf418777fd8b852cea183a0fe61dd5e04

SHA256
b49822cf8288ee38c29f53b2f1018ac3a2e2e4a00bf479124047a4f9d42497f3

SHA512
ae16065d25200904eb1847827ca2b0708429adeb9eccf19e4e94c1505986526d75d856e8141da4e3fcf74016730028087aaff1854be49cf91fa0bc22568468d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc788E422DCAE4EF3A2AA2C82DB72834.TMP
Filesize
5KB

MD5
d6bbc349be82118a59e0020234043d0d

SHA1
bdc6524c4d021bb315f0d5d8d92a5da5fb7bdcf2

SHA256
3fc06128d69de18c00a3a199eda57585236ffb4bee7c5ad357a41d33319730a7

SHA512
370d373fb2d21e82989341b2780a7be8fba5ec2f4886838936cf1e0bb815622e7fd60907d60076ebe0270aebeb79bcb6e6a6f90ab721f41b5eea91eaf3ea0a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8AD4D7DC651C475FACC8F38D9396DA9.TMP
Filesize
4KB

MD5
e03e2412642050b377b142a928073163

SHA1
05fdd6fce29bfa4ffb78be95046126e24b1b0afb

SHA256
703a2826bff954014f58e4cb749ba5267e33002bffd5091f29ce6c6f8aaeceee

SHA512
ace602dad2b399eda1af1f919baff12c34308c15f6c3c20adedaa518f72222450e2882243581ff98ba18b5e41ace089ca9c624319d2d3a8c925ed541dff39e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB4C1BABE871F46FE81A49B46BB5465.TMP
Filesize
5KB

MD5
73f205e25119126136665a93a68e0400

SHA1
c703c639f2010e94f305dc3cb9fbcf2c10830bec

SHA256
efbea9e868d0c81684fc036c328f6401d2925a732cae176f2cab5544be524739

SHA512
5c5f14b4921f0fef4504327965bb81d7a398851cb64c9238e16b4e5a5ee9613b18683a499bdb1b5429b6c2b85615dea734b59047bcf08601dde2d6671c4e9a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC17E8972D5C14A86B8AA7EB64F20A37C.TMP
Filesize
5KB

MD5
d4e745f485ca71e0a48e916e43850fd3

SHA1
6932e5203dfa8c5b11a7c57c1bbd4c5a162bdc1a

SHA256
c639d7ec607b36f1bea890a8d3b34da09c2d9569e58c8a470b0fed66a5caabe1

SHA512
859705e7cdaae09c7b474c8a817c82b0cb2a84a975cf28b6df4a4a67ab07fc89175dee19d9335a5ec3a10662936852e54c8cdb8b65137c470d41d0efc1602e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC8CD0E7A76624279A9B845AFB393E46.TMP
Filesize
5KB

MD5
2d99192b40a5816b099c15e88993b677

SHA1
550140c4a3575dc35802d228027e280978a714ed

SHA256
1e7fa02d39fe856b7a24019160bf074626168bb00f4844a60fcc7f4a9243a2c2

SHA512
ba8b072eb62b5808bfd89fe5161eff608d484650520b3f3bcaed22ef981a550fd9af37cf16850429fdfc22ce25d15d1abb3a5cd6f4446d2f22ee4835e708fbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE20253BB71D942D682D165BEA4E849A0.TMP
Filesize
5KB

MD5
25452e7ad0acf7b3346073908e5e4062

SHA1
b8d96c8e2b8cb6f45eb5fd1129597c2d38c48c55

SHA256
27b8abcc44cc11c121d6c96d5e41a8540cb6249e06f37d02fcab22a96a14bafa

SHA512
798861d3648f5aa79e8c711b23b6bdf9129d00d44b76674a87d944cfd06ca992f94e77cdda77016f35b9afecf99bde81891a5400777a9c8cbc37fb09a250b739

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE7E0CCF1C6A41948AB37D06863CFA0.TMP
Filesize
5KB

MD5
268a42dfff773743437a6823a82c615e

SHA1
0840d5f5dc2807408b7d7cfa9cd52a9d3eb32704

SHA256
3b11071cf26a2ca81e3490de9b24d8a7b81b9b58a0e96db68f249930e54338fc

SHA512
c85b51287134854298130c23205c4164815ac63312487976935397515c6d609b1d5dbc3094903e2f73a3f50a8bb5c91c445034e93775f5fefa2ceaee1f9e9d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEC56CDEDEE734EE2AB19E12094C289FF.TMP
Filesize
5KB

MD5
5dbb3523295d9bd09846341ae45fd97f

SHA1
db56bbb585a2a059327acfec13944817ac8e771d

SHA256
3fd512e50a8890db29349430af463e6cd80850c58befab23f8da770e9c796c9c

SHA512
7276d1ce3a4f650d8bf45b7945862c68d87743867692b3f819ffe5b2fa90a607cfcc493e066ac07104eb162483cbfab87fd827dfc8a77155534e6c1f1ac03153

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF549FBB3BF3A462F80CFA8B937C2F12.TMP
Filesize
4KB

MD5
f5bf1ea21a9ae3c416f925a8049b6cf7

SHA1
7b52edbb76f9dd230e63c229e7fda02ebf503d81

SHA256
658e1ef142328abfe26cb5781ab96ee2826904f2b4777ec677c0d885de89d08f

SHA512
0c8d4269a16cb4825c0e23747a1ce1b2a2079ec6afcf2c00184ea6d3693a8f434d213820b9c1bc97b1769e038e6f47b3dff9a944dff47b1bd45343b535b06cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\w8mrtmpg.0.vb
Filesize
376B

MD5
1bf7326f9aa8ca5381ae7b8c90565eef

SHA1
434214895b037bead59b2a6b10e00db0cf56bb79

SHA256
04b1668dce3eb2d1327755627a38b55fd7a26565014adf2d7797b6ff951dca03

SHA512
0788cf256077d311b33e158818a73a7b35d71ada6cf73e0c5504ceb64c8a3e6b61ea852926a063f3ccf3abcd5cf7163e7483b8cef84d57b220aef0da7d19fe59

Download Submit
C:\Users\Admin\AppData\Local\Temp\w8mrtmpg.cmdline
Filesize
264B

MD5
381ba0467b4b86f56944c981b38992ea

SHA1
e16df41748711dc1b3eb6dd631f565b05ee2dea7

SHA256
4567a32cf65bd6a9005a2da3477b5d875dd35e8b59bcaed8c098b29955bf0c1d

SHA512
7c02202f1ccd63fad709bcdfe8e64538b320b04dc6a520a0d42a16fa74d0d117fd70406396d4aa4aa3892a78be467cd84c1e08df5b4c8d8d38fe80c3ee4ea94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhvk87uz.0.vb
Filesize
372B

MD5
8bb4ac6ecb3612fd32bad12e07e32286

SHA1
cfbb9a810a900dab31938b3e4000a20009332f5a

SHA256
f73bb8dcab50874f862227b8a9389e1568fcc499d7de48624fb40d5c0d637602

SHA512
3dca4514cf4736369ee6566fe0732e3d9673a68143a27d59b5daec631f269a276139b095c04fb93609836edd18f9eb159cab3b4022027f5d8ad175e56578f939

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhvk87uz.cmdline
Filesize
256B

MD5
65350ecfd0a3f700151e984bf8a4b173

SHA1
0e117b1ee27d4a8189bc67c66e2e13210e11e8c7

SHA256
d75f6c7d3c4c9645e58bea08f07a99ea9ea2c893f7932df02dbbe5d3bb5f5dea

SHA512
07bbc129bb560cba88b8c578caf519178e32f63bcd1858412e3560c0d09212e5aa6175f25229b047e3e9743d1148efd13fe968481b2df1da6b41cb534e595124

Download Submit
C:\Users\Admin\AppData\Local\Temp\yilcx8eu.0.vb
Filesize
381B

MD5
9a59d8b5ef50b0fce95cde37b3de77c6

SHA1
4630077b1f40e5284edeb068de7615aa765a2124

SHA256
e216741a4c25db1679f20438381da742bbaa705925dc169dd6b6aa761e6774aa

SHA512
97d25a0a1793a59c53d485ac3f8bf042267d8287294edad1f4347e9fe01367c694638427b3ac5ba64c9016e8f1f456ff7dc84ed5006d19fe77a3e8c14df8ba73

Download Submit
C:\Users\Admin\AppData\Local\Temp\yilcx8eu.cmdline
Filesize
274B

MD5
a6ad27f947876afcc1470379586a8a06

SHA1
0d9abb1c509cda97df0051ce7a829d8c75573c0f

SHA256
83e0c8e0eb1909bc95bb3be1c6d703e79d80c140af12ff3d8a29325199d0a7f4

SHA512
db5af185b4e5fc5cfb5cfdf9ee6ea14c910be974db348246882a9e48da6ff2b01f985d3b3052ad545d461c500d18cd3677c6c09c9d84e0895b38c279153bdc3e

Download Submit
memory/1180-133-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/1664-278-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/1664-436-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/3948-138-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3948-137-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3948-160-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3948-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3948-435-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3948-142-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/5036-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download