revengerat | 40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2023 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01474899.exe
Size

142KB
MD5

ff621b3ec028ff34e6dd40649434e246
SHA1

2bf21078ee8f88b70291c41f7e41ab03fad0a27d
SHA256

40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790
SHA512

2bc1dcf4bb3cc887f8bd9188df7eb01eebe1516c7120a6b355af2a85790dcd3d9ffcd9cc529de5e5613178efe264dcb3c99730b1adb6f1d84b9e4afc0f4bb368
SSDEEP

3072:uSDDjXTV/uzgjk28xguWthZfeZtb6PRX:uSXjjox28jEfeP8

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4352-135-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral2/memory/4352-137-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe	revengerat

Drops startup file 1 IoCs

Processes:

InstallUtil.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs InstallUtil.exe
Executes dropped EXE 2 IoCs

Processes:

helper.exehelper.exe

pid process

2328 helper.exe
1760 helper.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs	InstallUtil.exe

pid	process
2328	helper.exe
1760	helper.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

01474899.exeInstallUtil.exehelper.exeInstallUtil.exehelper.exeInstallUtil.exe

description	pid	process	target process
PID 2224 set thread context of 4352	2224	01474899.exe	InstallUtil.exe
PID 4352 set thread context of 4828	4352	InstallUtil.exe	InstallUtil.exe
PID 2328 set thread context of 4720	2328	helper.exe	InstallUtil.exe
PID 4720 set thread context of 2256	4720	InstallUtil.exe	InstallUtil.exe
PID 1760 set thread context of 1612	1760	helper.exe	InstallUtil.exe
PID 1612 set thread context of 4860	1612	InstallUtil.exe	InstallUtil.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InstallUtil.exeInstallUtil.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	InstallUtil.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4376 schtasks.exe

pid	process
4376	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

01474899.exeInstallUtil.exehelper.exeInstallUtil.exehelper.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2224	01474899.exe
Token: SeDebugPrivilege	4352	InstallUtil.exe
Token: SeDebugPrivilege	2328	helper.exe
Token: SeDebugPrivilege	4720	InstallUtil.exe
Token: SeDebugPrivilege	1760	helper.exe
Token: SeDebugPrivilege	1612	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

01474899.exeInstallUtil.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 2224 wrote to memory of 4352	2224	01474899.exe	InstallUtil.exe
PID 2224 wrote to memory of 4352	2224	01474899.exe	InstallUtil.exe
PID 2224 wrote to memory of 4352	2224	01474899.exe	InstallUtil.exe
PID 2224 wrote to memory of 4352	2224	01474899.exe	InstallUtil.exe
PID 2224 wrote to memory of 4352	2224	01474899.exe	InstallUtil.exe
PID 2224 wrote to memory of 4352	2224	01474899.exe	InstallUtil.exe
PID 2224 wrote to memory of 4352	2224	01474899.exe	InstallUtil.exe
PID 2224 wrote to memory of 4352	2224	01474899.exe	InstallUtil.exe
PID 2224 wrote to memory of 4352	2224	01474899.exe	InstallUtil.exe
PID 4352 wrote to memory of 4828	4352	InstallUtil.exe	InstallUtil.exe
PID 4352 wrote to memory of 4828	4352	InstallUtil.exe	InstallUtil.exe
PID 4352 wrote to memory of 4828	4352	InstallUtil.exe	InstallUtil.exe
PID 4352 wrote to memory of 4828	4352	InstallUtil.exe	InstallUtil.exe
PID 4352 wrote to memory of 4828	4352	InstallUtil.exe	InstallUtil.exe
PID 4352 wrote to memory of 4828	4352	InstallUtil.exe	InstallUtil.exe
PID 4352 wrote to memory of 4828	4352	InstallUtil.exe	InstallUtil.exe
PID 4352 wrote to memory of 4828	4352	InstallUtil.exe	InstallUtil.exe
PID 4352 wrote to memory of 3056	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 3056	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 3056	4352	InstallUtil.exe	vbc.exe
PID 3056 wrote to memory of 3652	3056	vbc.exe	cvtres.exe
PID 3056 wrote to memory of 3652	3056	vbc.exe	cvtres.exe
PID 3056 wrote to memory of 3652	3056	vbc.exe	cvtres.exe
PID 4352 wrote to memory of 3308	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 3308	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 3308	4352	InstallUtil.exe	vbc.exe
PID 3308 wrote to memory of 1256	3308	vbc.exe	cvtres.exe
PID 3308 wrote to memory of 1256	3308	vbc.exe	cvtres.exe
PID 3308 wrote to memory of 1256	3308	vbc.exe	cvtres.exe
PID 4352 wrote to memory of 1632	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 1632	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 1632	4352	InstallUtil.exe	vbc.exe
PID 1632 wrote to memory of 4596	1632	vbc.exe	cvtres.exe
PID 1632 wrote to memory of 4596	1632	vbc.exe	cvtres.exe
PID 1632 wrote to memory of 4596	1632	vbc.exe	cvtres.exe
PID 4352 wrote to memory of 2532	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 2532	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 2532	4352	InstallUtil.exe	vbc.exe
PID 2532 wrote to memory of 2396	2532	vbc.exe	cvtres.exe
PID 2532 wrote to memory of 2396	2532	vbc.exe	cvtres.exe
PID 2532 wrote to memory of 2396	2532	vbc.exe	cvtres.exe
PID 4352 wrote to memory of 3832	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 3832	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 3832	4352	InstallUtil.exe	vbc.exe
PID 3832 wrote to memory of 4796	3832	vbc.exe	cvtres.exe
PID 3832 wrote to memory of 4796	3832	vbc.exe	cvtres.exe
PID 3832 wrote to memory of 4796	3832	vbc.exe	cvtres.exe
PID 4352 wrote to memory of 2392	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 2392	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 2392	4352	InstallUtil.exe	vbc.exe
PID 2392 wrote to memory of 676	2392	vbc.exe	cvtres.exe
PID 2392 wrote to memory of 676	2392	vbc.exe	cvtres.exe
PID 2392 wrote to memory of 676	2392	vbc.exe	cvtres.exe
PID 4352 wrote to memory of 380	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 380	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 380	4352	InstallUtil.exe	vbc.exe
PID 380 wrote to memory of 2372	380	vbc.exe	cvtres.exe
PID 380 wrote to memory of 2372	380	vbc.exe	cvtres.exe
PID 380 wrote to memory of 2372	380	vbc.exe	cvtres.exe
PID 4352 wrote to memory of 5060	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 5060	4352	InstallUtil.exe	vbc.exe
PID 4352 wrote to memory of 5060	4352	InstallUtil.exe	vbc.exe
PID 5060 wrote to memory of 488	5060	vbc.exe	cvtres.exe
PID 5060 wrote to memory of 488	5060	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\01474899.exe
"C:\Users\Admin\AppData\Local\Temp\01474899.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
2⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
3⤵
PID:4828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfknuhjo.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA83B488DCB94E7DA4447E95A4669A89.TMP"
4⤵
PID:3652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i2-ncy1r.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6B9C47F448A40AE852756F2AFB2EE8B.TMP"
4⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wiukm3lj.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F08F10370240AFBA2C665896AB1C65.TMP"
4⤵
PID:4596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\td2_mqj3.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES106B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE26927205441497C8E533D541D64AF1.TMP"
4⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zef0c3xe.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1146.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0992C3FDC84E8D8DC2F0AE33DBD4D2.TMP"
4⤵
PID:4796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y8o0o3zf.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES126F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc539D0B05D5374E598E776E89CDA421A0.TMP"
4⤵
PID:676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ohy5olyk.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1349.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc936158ECB4F1413589E824238B5CA527.TMP"
4⤵
PID:2372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m0uz-omc.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1463.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF989FD1BE8004B1A97105E3A8397A01A.TMP"
4⤵
PID:488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zzdvh5ms.cmdline"
3⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES155D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5FD2F9DDE32428FA176FA4B908C363.TMP"
4⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j6vzjehx.cmdline"
3⤵
PID:3728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1685.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B9446FB18EC492E8E9482FB1282D431.TMP"
4⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tlgrew6p.cmdline"
3⤵
PID:4940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0037A5B339C4E1BA3634DE057A0D6C1.TMP"
4⤵
PID:2448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z0ipjh09.cmdline"
3⤵
PID:3732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc475010E44304DE1B25B5D2A7D551018.TMP"
4⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbmfw_im.cmdline"
3⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE34FAC94504B369EE29F4113E4A64.TMP"
4⤵
PID:4092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ocfqvnlg.cmdline"
3⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AEA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2387858A658A43AA8E5369C8E7D7B032.TMP"
4⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dmxkiajz.cmdline"
3⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CB0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D21119CB174F96B155B2B358AE766.TMP"
4⤵
PID:244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y4zh_ii3.cmdline"
3⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E8626EDCAD4834B91ECF6985601324.TMP"
4⤵
PID:4124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dgg2lgkq.cmdline"
3⤵
PID:2924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA70B16F31EB4BBAB72BE929F77EE4B8.TMP"
4⤵
PID:4484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hhjxfotn.cmdline"
3⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES201B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc198BC1FD7ECA4FDB9E472C9CB4A9831F.TMP"
4⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ex20vwkt.cmdline"
3⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2105.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC03168742CE44C318EEBD7E972644FA6.TMP"
4⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\liqqavg8.cmdline"
3⤵
PID:3180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52BD5E496EEB4C198B9F814DC173BE8.TMP"
4⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\csmfqej1.cmdline"
3⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC556DE2E48F540B78B369BC4A9CAFD3F.TMP"
4⤵
PID:1340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ymt6q1uc.cmdline"
3⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74A9AEE93F75406D92DE75EB62B83F7.TMP"
4⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\avswslhv.cmdline"
3⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40C3464FC9C14756AC3D1EF2203C74BA.TMP"
4⤵
PID:488

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
4⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
5⤵
PID:2256

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Torrent" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe"
5⤵
- Creates scheduled task(s)
PID:4376

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
3⤵
PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemNT\DumpStack.log.ico
Filesize
4KB

MD5
9430abf1376e53c0e5cf57b89725e992

SHA1
87d11177ee1baa392c6cca84cf4930074ad535c5

SHA256
21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381

SHA512
dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

Download Submit
C:\ProgramData\SystemNT\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2010_x64.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\SystemNT\vcredist2010_x86.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2010_x86.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\SystemNT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\SystemNT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES106B.tmp
Filesize
5KB

MD5
845182634f209f2e9d6cda4ff6a0d9f5

SHA1
b7b8f9a39215224ceefbcb5316c39a923675a1e7

SHA256
34684f79d75fc4ca1a529a4949d8e9b26b05715865841b72915625ee4a46ec81

SHA512
f4fcf93e4857d91f767011d6f07f8d4e021fba8730eab1cc5b06c4558c5c6dcc476d2aae96b11d0d79f4497f6adfd4cb75196feb4ea54ce01ed396b83a5b8c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1146.tmp
Filesize
5KB

MD5
ddeb3f1767ee2dae7ea6e80694745896

SHA1
25362a0add62310c809a79a56e765cbc0f16ffa4

SHA256
b5161562b7547976b87e949cedeb0ff8091c48afe90658390cfc372aeee76ff2

SHA512
cc67edb6141bd2d8dda13a07f45784ed91f3fe6ea56e6b4038e461fdd09a0cc81835a60e268be1be8f78803c204e734904dc34d71c349ecb4d9a5afc5cee6de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES126F.tmp
Filesize
5KB

MD5
6a0669590d97d6176f9bed2602fb8047

SHA1
b93c9843e95bcd0c2e71d7b6599fbc882e68995a

SHA256
427a95f0bc3a1997a7ebe40573ed6783325ea2190d90fbfc47cf3bfa7fe4713d

SHA512
fa2164024da9ea39d67d8258460d2af7cc280ae3e8760e98d6bc58cad36285761dc60c9d7fa95a057ef78a254086c6ec4fe0f95672aec86af9b14528cfa599eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1349.tmp
Filesize
5KB

MD5
288c4f38bf53830fd6a077ea5d14e91e

SHA1
2b73f0c79a1afacbe0fd338e8ad721d19abfa49a

SHA256
4f1875dfbfe39df03d72f3f8973c4e54e2305cca52b1e90c08309fb71778991d

SHA512
84a9cfa5bac85714ec61d9f20cb46b5e79f47286db50edf4f65e409a6f05d278ccf9d24e3437f1e4bcd5bebf68999f835f3c5f5e4814420ad4958267e0f64bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1463.tmp
Filesize
5KB

MD5
a27370aff7983314f3204e10310652ff

SHA1
5d7ebf79a7ae9e69a9add43ec9e132da908ed61e

SHA256
8abad00592f05e4e6b5fbedc2d5ad5cfeabf052dbeef62f52ac95484efcf5e53

SHA512
dd732a1c252dff6850b1f250e926ba14ae69dfe621e165f318fb3d78fbb8d7239f3b6b86bcf969e226dfdf5c40269757db971fcf169bccc0a5ec3715db2b2d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES155D.tmp
Filesize
5KB

MD5
c77a14836e0b7535f0853475a02e3550

SHA1
6fd561af745f2b210e2d7690e9faec55ccc36b5a

SHA256
0dadb8adb612b2d8e0e336204f26bc37017d0495045c89975ed81ff08dc68d0a

SHA512
67fb3e749a93c4beb4f70d13fcf8672a73a8433febf48c8e207bf3067b9cbadb01a52a590aedc5a6d867a77c769f774fcd53e5342550b9abe677ce522cd258b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1685.tmp
Filesize
5KB

MD5
ac565441eb68df3657597928d0e481cf

SHA1
9f8c5180277fb1c8d1e8748d4680c29035bcfd4d

SHA256
ef2d9cf0f3861b94ae36f44f0b9c4028662df68daaca849c50250910b2cb79c6

SHA512
61bb007b1f024ed220580f8ed07481fdb1c1cecfa85eb9ebee3edaafb1c48f2edeb979ddb4ae76d71f1c2d96e7320ed0acd3bac8f0d7a36300be5fc916230296

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES17BE.tmp
Filesize
5KB

MD5
84b15be06ec1d7760567135c7996417a

SHA1
e965ccda1cbd36da5ffc748ff369683cdb787a80

SHA256
acbbffced02cb4e6083ba2829f5bb677eff206b413ec32b6bbb97cb65e770763

SHA512
0f65de07ccbbec9b0b13527550fc3c4c3515654ae2b51010906ddd6ddc788227e9c81a9dbc6f80024246d7d37cd73d55ff73272ab851d9d6c7c50a305d40ea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES18F6.tmp
Filesize
5KB

MD5
521803e2367bee3e1d0b1815253175a4

SHA1
bfc34ce3a51d12093c217b4a59ae8c6ef2be506f

SHA256
614dceacf6b0a87e6665ae73d6e78899c4881dab1b1b3ff8f4665e8065f968fa

SHA512
29a7b6e4f33378606f3696919686c2f95a40019d382308539d6c32a7a81bb820363a28f9033aded1ca72f703bf6f55c2ea2cdf2a5e6cc9dae066a114b18919e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBF6.tmp
Filesize
5KB

MD5
5cc1524b084d30e60d0531ade2a222ca

SHA1
328ebe62cda0d78bed81d1afc2ee36592fa9f5b1

SHA256
e06ceec29e581e44e857483aae31b3c1d331a9b2eacef7d501630def983ff09b

SHA512
a263ed397502b8bdb6b9ec8cbc9ac13f1cf927c599dacd890d1b83e96c56f1740e1847b6cc35a7e2fe70b9e194825e7a63da962ab1da0db7ca0f868eb42d9235

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDAC.tmp
Filesize
5KB

MD5
8de96b4279963cfb79ba78abc057abb5

SHA1
99de137ea1583a3c843f700c2db165fe57f3f2e6

SHA256
c6a5e3f272417710c2242c7baaf5f96663d5b227615d163a48f96e8465e10a5a

SHA512
11b26d3c49e917279f0b6bca989f6c0a644214e472a2eda2829e9f2f42bcf90e2f702222834fa9111812adc3b865e16a1dfc52b0831822fde5de8fdfce3267bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEE4.tmp
Filesize
5KB

MD5
0e5a87bf3500cad69e2140434156df31

SHA1
9f4788af6aaf29a50404e425be80871dc4078442

SHA256
15e35384880f615fe9dbcdfeacc826bcca03e00108d09aba7a66b7351cff0514

SHA512
0d80d1ba469020464aeb6a4a35b4cae49613aa69d425587b7ab622b8879c9cb7ce586f9a5587c474ca2b16bb864fc31fb18be5fe609ae9e5ee7f9eca5cea7ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2-ncy1r.0.vb
Filesize
368B

MD5
ae8eb6b25868950391265416771ed2f9

SHA1
c9c896e76d98d9b79b99fa46f22250829ac4fb81

SHA256
8f0ec724460841189bc388b37cdf45bf47cab57d331e20c599bb6cdaffff0122

SHA512
ae299a04f8f986690c691059e532dcfb71370f2e3c74098fbd1a3c3e4f8536d8293eff7cd4beddc5be6a754691b6a007f196d997dc77e81f8a1ad0689aa0c14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2-ncy1r.cmdline
Filesize
254B

MD5
34c2c712656ac7f9047a533d3558f022

SHA1
22a3ed3948315db8266202209b36ef17a836725e

SHA256
53a679f9138246354e4df07c15e112cdb1e10a37d6443de4c4461836fe031123

SHA512
06c3c0ee8fc1c01506f6d5237ec006e8f57a71f88d86f529a7129a836918b8803c0aec56c4ac288a12906e49569981b0bad77136d5bfdd3d4e134f007a065fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\j6vzjehx.0.vb
Filesize
374B

MD5
4ecc0d3873c865192b79be5a94fe4d63

SHA1
89220b757311564e4227f9fd4395bfe9f0408f4f

SHA256
5da4cdf3b60f9cb494723d69a453e06e568345348f4dba51f4f8aa042fdf00b2

SHA512
3108c43ba6ea9525dc6ffafe458b06d14441b39667121fa936f8bfa38309811be57a07ee7045279859d2e23c91d6abaa6fc6768550627268c7d7beb60a1e432a

Download Submit
C:\Users\Admin\AppData\Local\Temp\j6vzjehx.cmdline
Filesize
266B

MD5
ea7a1acbd852b5493f35f39ce9e744eb

SHA1
faa6f0eb04ad6a0eaff8e6f81c741566492f1288

SHA256
633b2182e0d7292baf8ed8981103ffd02ddc9c93efe405305098eb6ccb54fa82

SHA512
9dd71c8268dca0b5a762fdafbc76b792bf7bea6c83f7525c0dc206aa67782b9eba9b36d28d0cd2c2b5a63a40084d3c22d0428e95cefb450312e4cf84f9a7ae16

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbmfw_im.0.vb
Filesize
377B

MD5
31713838be24004aa9b4c15004456de3

SHA1
41a586504ae3b70183e649ada59cf61ec3d6fa30

SHA256
c67a4ada1f2814dd08248f3f1973466ef2a8765b43e08dfe7f9f7cb5933bf7a9

SHA512
402b776be3d3c10ffd8872f2acd0dddac9dbf0ae9b1d351f20494797d675bdbe1b96f56f08d8dc6a3f2f5bfb179ebc490f8dd628cc1f5153d593c23341be261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbmfw_im.cmdline
Filesize
272B

MD5
fa1933c2aa3938c1f152454b65211216

SHA1
ec72c4ab8358e1a77ce2108c5f4d961e9c023aa0

SHA256
3620f821cd820ea9f387a055df7bb6a72d6245f0b9b68d18283d20cd630e929d

SHA512
a4ef2c414e7848051c0165c0151047d5f60756dec078962d40eb40362e222e84b8996f0b264df92e9de19cef8e0be2d3602c974efeadb7e5b0a13ff0ee62e4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0uz-omc.0.vb
Filesize
372B

MD5
6c33c1dc16de9a18f8fcd8ed77fbc525

SHA1
c2c1d8528db8cfae4db90cd4a4e3a253d749f250

SHA256
deaf8b916144f0f4fbc1862b5d1db11a9f1d3d62cb337b99accc1887b6b35a22

SHA512
ec82c3ed676fc74f4d3d58ec6a00dee0319b206ae5f9fb95c4049adaa5c08d7d6754a43c484fa23add1c7c666a370480b8d98b4e69c20f90f7657b3b09f96a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0uz-omc.cmdline
Filesize
262B

MD5
baef93ee9da144011ae667eb01796963

SHA1
0de83b39f9084057e4f7e25b1cedf37d34f87f01

SHA256
e40fb17fe31041e2e38bc006335e13506e24d98f4df16cf3a1ce413d75f2258c

SHA512
49b1ae862e6945b7c51f644eb6d4cfdf37245c288519bca09d2a56b4fd4d78a1cac81e4a9cacaaaea2bae59207986a01ac846e88d4b69a28113da8391754073e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohy5olyk.0.vb
Filesize
375B

MD5
bebb2f77c5da61a9a0a2aefb983bd6aa

SHA1
a5d7aff92823b5b0dbbd67756ca135c3f6491892

SHA256
99a6596d1b483149a13368c4a4dcb9983d71e061ced2a82b11c3d3ca360c0446

SHA512
365102693d823c21e28d879ed3bc3e6b0872abb886f42a957b5719019f06d8c670b99fdeb37d9b9e47cd573c47aa5ccd08749e646ba990eb9196e42ad3ffdae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohy5olyk.cmdline
Filesize
268B

MD5
f00635dba085c20e969e539a51efe884

SHA1
69b0f637b459a283e8ec8f9e92f999c1b8ad8669

SHA256
73f4fe2b49da2d4fdd829c021eded8af6452b5f0ef5121c44fdb55f10241c354

SHA512
fe2296d3847a02d13ae0bbd4b6ade305e06cdbb733080206f1ff5e7372f3317643a2280638ee52f664ea220b1fb099cb780dc0cd43c4ab2d8d0d0cdea1cc4283

Download Submit
C:\Users\Admin\AppData\Local\Temp\td2_mqj3.0.vb
Filesize
368B

MD5
6632b8e6623b67be6e47b7578982b4af

SHA1
0e3dbc159228c41b62c33fc1dd79ef16b1e75608

SHA256
16832bc9cd3e97005002bc7ff2f885e16f1931fc1906e54aecb0c9926d350257

SHA512
241f25665d841e5c783279177c97b55f40a53ae7e44739d64607ccf408a413c994cc6d110af37e46ffb08cfb3251da129c8ca35bf3b3d9c9ad0f899896ec3cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\td2_mqj3.cmdline
Filesize
254B

MD5
f78fa6d1c6c2d4909ec645a3dd466b37

SHA1
f3f111f59c46c9846e5ecbd694271f997c4027a1

SHA256
44ff11cc61c97454f8ce14c0a3ee39c06ea3fd64d4b5f58ab3a37d81a7b1ddaf

SHA512
29e3c26792c3f8120690e9073cc544a8bcb5e1300317ca1e13a30743e0a88e0486ebc2b3d60f8d546f1eea622cdb409617e8a42804997f3ebffb61ceb4b0fd32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlgrew6p.0.vb
Filesize
377B

MD5
aa4759a2f16e274da63c66556a9bfaff

SHA1
47301d24dfe22eff3e6127d6aef39e29569b68ff

SHA256
66ae36ff98ae7035a2707e5cd07a5e8db7527ea8407f1b56023b4dcfc0fb776b

SHA512
aec075b88c400f991db2ed4c9c8dcc9a171f7128fdfdb9dbc048b21e1c69ea286e98ce0c3ce979761c775c1787440f0e6d3fa9b1e745f03d90ec5e681ba52b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlgrew6p.cmdline
Filesize
272B

MD5
60373325a118eb7869b9781205708946

SHA1
45ce7e36d6590b50334372eae82f46a1922c94dd

SHA256
d565d7f9420e340a2bb61dbdda3d9c26441706c9bc0f02b593143a69372fd849

SHA512
3a2e80defae321b61f5f437832846ea4c8a1afb8f06c1dc533a854f9b932676f18140f98e88e211ab4fc5b455d5531f07555c52e1568103a9d7012d514e29036

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUUgHRHX.txt
Filesize
46B

MD5
648c96743656a09f128dda6f0d353f54

SHA1
8aac85991244ad39e28693bcf5916effa91e3772

SHA256
3e941b6cf879079b8443e6ed30502aef6a000774b5e0d4bc653cea60ac734370

SHA512
f9493bdd2dbd5efc934089d87af92c358788238cbce2dd5f4330f6221df7af0124645e24ec563821dbca7138aeeafe061ae2d3757d0e746d93b0a9b18ec3e90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc475010E44304DE1B25B5D2A7D551018.TMP
Filesize
5KB

MD5
dfe580c621254b33c2371200646fad27

SHA1
650e29e19a849ec8d9760948ac119c81a7a97287

SHA256
4817c0d9f3fd90caa10904f3990ac9bab54c55f1d5b8afe1a9e9d8e2efb90320

SHA512
c14d7603d95c1e9f1dc564bfde2b18b67f294fe42c8a2ed7f666e477043a3edab0c6c3afd09cfa58e34cb92f6caf4b888ac459718cf7dcc094ad6656c0ba26df

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc539D0B05D5374E598E776E89CDA421A0.TMP
Filesize
5KB

MD5
7565dee9ba6fd50bbcdd048ad8d9b85f

SHA1
7d28bfc1f716af87fbe07e4355357f25362677e2

SHA256
aedf3bd9c37684c05bc91f1155b42a72ed24c348a16b3205836bb44ef878bc67

SHA512
96353c8ab995a05d48f400548896d5e04dadc917e6b9e5a1740f9392b87a045d60cb2420b12d9674722ff12ff96c6bc2e2cc1d9cbd348a530232fd188c9c114b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6F08F10370240AFBA2C665896AB1C65.TMP
Filesize
4KB

MD5
506d756ef9ee3af1d1ff4d2802cb43d4

SHA1
04085ee08cd57df307c02443ae739060d0ae5000

SHA256
190840c65b42bc660897addc40f3286ac804db334800f04c59028aceb36ca6ed

SHA512
2e822c12858d51a4031239d778fa7513fe63cbc973f0555f8d858510a73d00d2cbdc5fd44bdf80de8d56d39e11f82e9f1c673568dad41b0d22baf0400aea5931

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7B9446FB18EC492E8E9482FB1282D431.TMP
Filesize
5KB

MD5
3836b35d64f2cf7981583961bc82aea5

SHA1
aa11f0a968f60d29365eec8160050089dff737a7

SHA256
410aa0919c98bfc8f7b28564d7afa59a4646361b2ea6f277d597007b14464408

SHA512
dc436cc5ec5bde83a646e550c8673e4ccc3687bfae8b0764c4c71977fe755bf2ccfc3304c5868b4076304a776a7c25fd54d5d5e08840bd93a98013a1747060f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc936158ECB4F1413589E824238B5CA527.TMP
Filesize
5KB

MD5
58f4a79de09bb9373c85aba22acad5f9

SHA1
347bf8014126146547b26f3c4cda4afee441245e

SHA256
e00c230d0655532bbf8092d0fd663417447b5a44955817e8bf4fbd09778faa3e

SHA512
6e8fe48474931c060ac14849e05c00990bd962119c63793bfbad82962c5cffe9c5b624e8a1c3e370bb6c7894ffd11543abc0adda8758d530d8fc833fd1e88c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB0992C3FDC84E8D8DC2F0AE33DBD4D2.TMP
Filesize
4KB

MD5
64d92313519afe8c0854995a32474a96

SHA1
984e9efd70477eccf59a41ecb30fdd8ecb3e7faa

SHA256
d22e19b391b6f4a966cc994786a3f5ff8a8589f49825f941425fcd94e9a28496

SHA512
d60f1f35a39195d4101181a2568b2ab763448ddcf492a7899e9605813c2b44721fe1474b96d1ed921e00e9f4e6af2c1b5669e266c06aa557aa507597355cb4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC5FD2F9DDE32428FA176FA4B908C363.TMP
Filesize
5KB

MD5
9cae177db3cf54f21171914cfb3956a2

SHA1
8f141b266a354fb014bc99e4c60299b9b58c2556

SHA256
2f8ec8fa77d8ee06b821a12a37bb7fbe071eabfce60e1a336caf1bb1a368eed8

SHA512
87dc7384d0e76954161590e5d4a956706a7a83f76e34c13f4846f2ca6cf3daac50791a93b9694b56b02162ce19aecb571415a5748ed5b0c0f181bc9846713ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC6B9C47F448A40AE852756F2AFB2EE8B.TMP
Filesize
5KB

MD5
a7d4a5ae829469f0518aee79d6b5fa0a

SHA1
f670f426b6e98df955b7470801660ea524fedfd0

SHA256
b9d146373463b77ad2d77df73ab8394a962d6697d5fd431ae932c0588b1fb8ec

SHA512
b82064c6022f406cdf63ddb86777939acf0aa6faa220bd6dc1eac33b1e510d16c33f7cf2f1e4d9bade2d6de423505b75683dc6e79a7e9b1c74b14983578288e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDA83B488DCB94E7DA4447E95A4669A89.TMP
Filesize
4KB

MD5
cf5d89e63a979fae6a87015048f89bf6

SHA1
c42a88b41fab3213d14f838b68fed362bfa4d3e5

SHA256
cd9d0006ed529263fb5b321bb4d9b39158340e480d6535b9139af436f4a63518

SHA512
ef90170e9a3f605f1ff7b421b2e5b34c6023d5c7a72532aa04ac7bd1032d1a6c55d4aa2d11f6a0a0146e0978d675fa54c2de56d27bae87a0708125c1a31841c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE26927205441497C8E533D541D64AF1.TMP
Filesize
5KB

MD5
3257a11829a1fd132f6ff644cffe623f

SHA1
c0f0fd2b796691184e391e5bbee897572556de33

SHA256
61f238a3b40b588282576c33b78ce0d4e61beb8c10a03ec5d96ce74e0913809f

SHA512
5fda46c1a643d6433fde99a877ba59439bc07e4097fd684e9c9456e13dccfef9cd156cf8f9eecb39ba3524f233f3e161b8f7570ccb51c874d8db5bd83f510fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF0037A5B339C4E1BA3634DE057A0D6C1.TMP
Filesize
5KB

MD5
c50210246cd334c244efca51f02dde1a

SHA1
e665aa8437b5372fa123bed3f465127e15a229ac

SHA256
e94f815441464ed0c553e332fca76156aa995d5c6e08df225bb8e810dd63d609

SHA512
e06ba1f9ce5303daa99ad33a570b0dcd2aa46e28a2463ccb3778b8de50d5c1f44e33a040641efad8d13ef12ca70acdd2a840f62c31b00abcd1f0c1d94c7a2b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF989FD1BE8004B1A97105E3A8397A01A.TMP
Filesize
5KB

MD5
d2481a81163b082edeebe4f323a32b7a

SHA1
17c12804948d6b3c9a37dc4a5bc83522dd22f2df

SHA256
a984cada28d4b60ea896a916911db264f2a365c86dfb5154415ec2fc006879cf

SHA512
4977cb8097e2429326024b04f4d365f01ce0691bfd48182553cfceb288650ee274f34e58330f99dabcfae40f487472e2601b012186f06f66bb021b8bd023f8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfknuhjo.0.vb
Filesize
346B

MD5
a4e20aa77b5a3e0a9f761a525f4a4837

SHA1
3df6cbd065ec2ae8003129520fae1ab6ee44d55b

SHA256
8655eb0d27b6d2dfda9683384b739b392fe23dc939f19c7cc6fedfe41a7b98ad

SHA512
ef9c4d81911d5908f4369843e3f706fe6ebdb9c0b04b394d89f79b33596e616d37e712c69077c0ba9e548645ad6c4454eb8c8457e554ae395c77651728747bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfknuhjo.cmdline
Filesize
210B

MD5
5a5f12bc444585b47270492eb1a370a0

SHA1
826b8044812491e81ee8e9bf2810a067668ff73e

SHA256
4cf9b6a99840deae9e50903b4d912c43d8a72d7c8b9d1f31bac17789acc26ad0

SHA512
cce4523f6578e3e3753a5ad14842842852a906c7592a20a33aa951bf5c31151566548e3a173b612ab384352ae3edc2f8607c301ac74e010874d3e4c3adf2de63

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiukm3lj.0.vb
Filesize
354B

MD5
9fc1c2986a78e48303c69f262df98597

SHA1
9cb67d8927c71f03d6502a7b8899f223db773455

SHA256
fb34f1ab5e8e6f8c507f2ecba343c202faff530baff5c35e34af8632a03e535b

SHA512
38cff9bccf507bb11b9f7441a0446b94312da7b7b051f34d763a3dea84ba9561b043702678987f81a4464b621eefad53a211da6e7591b0417490807e787cff33

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiukm3lj.cmdline
Filesize
225B

MD5
fa555ae4a863ad5b31a0ec8b1c674fb5

SHA1
ce444c9c6b5e46c4f939c5310162647f6e723b6f

SHA256
54dcf00ac2050b41fe03020380ae5fda2e0c2bfaf494530c7f80103c21f9f820

SHA512
55650fc24fd5d394e49aa584c1f47b9980d5ba8a57ba1d7809bf242c9de44b62bbdefa89841561f889e49677d638d45386dc4edbb764f9fe2a61459b1ac8e21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8o0o3zf.0.vb
Filesize
372B

MD5
eb62dd8b855a24369944d001d4c24b85

SHA1
a6793f997279ae1b59d1c7d5ec8643a3257eccc2

SHA256
d08cefb33628dc8316d3791b7f33384cf3106d9383547ce0a947bda69eb3010d

SHA512
bd120e3fba8f0738a12273680e37e5618907635e6b0c21559509b4870ac21238b12cd5c52db2504558b219c517db62b5a63b1b6c2d657c7c3048b1865fdb1ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8o0o3zf.cmdline
Filesize
262B

MD5
4e7d7aec4df0b635e61a00e530f639df

SHA1
e252866cb1dd1a88d4a74997591190448b0b00c0

SHA256
20d1f0f133a6093849ed5e3802f715606ea43611a0033e403d954cca60378c00

SHA512
b00b066af0089acb8a4a523556ccc8a0da554ab0552b3eeb703b58378a4a455051727b53c9c128627a4da0bf7704079222cb30a4f13ca9046e8fcb6cc38592bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0ipjh09.0.vb
Filesize
374B

MD5
9d9dd2aae1451faa6b296ce2fc5f13a2

SHA1
6d6d39fb4fc80b4bf216a8edd884a91932ebf7f3

SHA256
e777028474493f4e41937e1df998a988a1c5c5cf5f364963ca10abc13d8c2c25

SHA512
ae2d6458871cd4352cfcd2e299b427e63c17f2f75d6ccfd44cb339eb4c5897ee048cb8785e54896724780ab3f1b426a32744a181b6063d019f03b150e02667df

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0ipjh09.cmdline
Filesize
266B

MD5
2b546c42b2a3af749950a8c7eb542de4

SHA1
81f83e2615a88ab95962396bfae4369a1de1d99a

SHA256
3db10bc2be71f53e36ea536cc6f7e1af516ac435e7180cf66ffc7a51edf4c928

SHA512
3fc6b5e9beb76af7987f479fffc1018ce0ea21400ed457eca074ad6119ea7e6da23ee79c82051567ed49432b258f32a6c056dcd9b3c1212190371e6e2bbcefbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zef0c3xe.0.vb
Filesize
354B

MD5
b23bae69c4cd1679b6eaa5c338f78bf8

SHA1
c07d3a742abe9705f2917ab4e6494631ba278ee2

SHA256
6c725586f404da5b8e1514863a8016a82ad6ed12da153bb038ee2472d12b3a4f

SHA512
01d31d9ea0a59562df993f12c288ad63942d18ea0cab27e0e8c863839548eeeb0a26664ce497ef9ed68095bf96754efe2bbd735e60b1713f4fcef4e6b97d63a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zef0c3xe.cmdline
Filesize
225B

MD5
566f50915b248fca81a49afd5bfe89dc

SHA1
29955b7dbe1b62e8704928a2f4f7014513543c6f

SHA256
0720f7a02eccd661e66af1cf8bfc9b901566305564d494ec2ee60ae7e63a34e4

SHA512
a23ae6a43cbdab0bb9300f41e81f0c6dd7c11b3c39e5d2b02af32ac53d137d06f8fc9e8649a6cc6d90c746ce9eceb1f3080c0139518ef4016c0224b55b148f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzdvh5ms.0.vb
Filesize
375B

MD5
89b6dc723b152e03561de0fb538d6c0f

SHA1
f8bda82033ab5b1902cfa6391b05dc6dd6c1f58e

SHA256
1307ab55a59f7e00b4bd5028de6b5592d160fd0beeb4d79df3ef1ab563c01df5

SHA512
a7917740e6594cc5ccdcddc9aa56545fa40912d08e6a2fe3c3d427498b46e337a12bc85497b5668bd0add65c690a3ff0c0d0ae5f61574c454358da8deaa86f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzdvh5ms.cmdline
Filesize
268B

MD5
728c90d2b9ab89f401a37b0470f09e47

SHA1
29dd42b2453469e1c2afd6b6ae39a6a02b9604de

SHA256
40c0acc05449a30d339b3a723233651a7bbe0e1c840946004cac4f3ba8a5ffab

SHA512
91c54e1932c9b904dc2c98997b0067730ef9a61d07c33e4c5bdc82a0d48569311af108a6d9c96f9a415c11d135f3c70668a0f2cd6b3c0c8d86e1058562c15ea3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\helper.exe
Filesize
142KB

MD5
ff621b3ec028ff34e6dd40649434e246

SHA1
2bf21078ee8f88b70291c41f7e41ab03fad0a27d

SHA256
40254755e4c6325be6f0678fe1f3daa23cbf639714142449740a0dc5dc4a1790

SHA512
2bc1dcf4bb3cc887f8bd9188df7eb01eebe1516c7120a6b355af2a85790dcd3d9ffcd9cc529de5e5613178efe264dcb3c99730b1adb6f1d84b9e4afc0f4bb368

Download Submit
memory/1472-335-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/1612-460-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download
memory/1760-455-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2224-133-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2256-452-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/2256-451-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2328-445-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/3180-406-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/4352-404-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/4352-135-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4352-138-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/4352-142-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/4352-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4720-450-0x0000000001B20000-0x0000000001B30000-memory.dmp

Filesize
64KB

Download
memory/4720-453-0x0000000001B20000-0x0000000001B30000-memory.dmp

Filesize
64KB

Download