64c665b2dbdaca4a20aaef96d625091757008c88b49d71070e4eefcd45d986d8

Resubmissions

10-05-2024 17:13

240510-vrrk4sgd7t 10

10-05-2024 17:09

240510-vphv7abd29 10

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

High Priority/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\High Priority\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 228 file.exe

description	pid	process
Token: SeDebugPrivilege	228	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 228 wrote to memory of 4728	228	file.exe	vbc.exe
PID 228 wrote to memory of 4728	228	file.exe	vbc.exe
PID 4728 wrote to memory of 1044	4728	vbc.exe	cvtres.exe
PID 4728 wrote to memory of 1044	4728	vbc.exe	cvtres.exe
PID 228 wrote to memory of 844	228	file.exe	vbc.exe
PID 228 wrote to memory of 844	228	file.exe	vbc.exe
PID 844 wrote to memory of 3576	844	vbc.exe	cvtres.exe
PID 844 wrote to memory of 3576	844	vbc.exe	cvtres.exe
PID 228 wrote to memory of 3444	228	file.exe	vbc.exe
PID 228 wrote to memory of 3444	228	file.exe	vbc.exe
PID 3444 wrote to memory of 1088	3444	vbc.exe	cvtres.exe
PID 3444 wrote to memory of 1088	3444	vbc.exe	cvtres.exe
PID 228 wrote to memory of 4044	228	file.exe	vbc.exe
PID 228 wrote to memory of 4044	228	file.exe	vbc.exe
PID 4044 wrote to memory of 2352	4044	vbc.exe	cvtres.exe
PID 4044 wrote to memory of 2352	4044	vbc.exe	cvtres.exe
PID 228 wrote to memory of 2212	228	file.exe	vbc.exe
PID 228 wrote to memory of 2212	228	file.exe	vbc.exe
PID 2212 wrote to memory of 2436	2212	vbc.exe	cvtres.exe
PID 2212 wrote to memory of 2436	2212	vbc.exe	cvtres.exe
PID 228 wrote to memory of 3260	228	file.exe	vbc.exe
PID 228 wrote to memory of 3260	228	file.exe	vbc.exe
PID 3260 wrote to memory of 1196	3260	vbc.exe	cvtres.exe
PID 3260 wrote to memory of 1196	3260	vbc.exe	cvtres.exe
PID 228 wrote to memory of 960	228	file.exe	vbc.exe
PID 228 wrote to memory of 960	228	file.exe	vbc.exe
PID 960 wrote to memory of 3256	960	vbc.exe	cvtres.exe
PID 960 wrote to memory of 3256	960	vbc.exe	cvtres.exe
PID 228 wrote to memory of 2236	228	file.exe	vbc.exe
PID 228 wrote to memory of 2236	228	file.exe	vbc.exe
PID 2236 wrote to memory of 3408	2236	vbc.exe	cvtres.exe
PID 2236 wrote to memory of 3408	2236	vbc.exe	cvtres.exe
PID 228 wrote to memory of 2292	228	file.exe	vbc.exe
PID 228 wrote to memory of 2292	228	file.exe	vbc.exe
PID 2292 wrote to memory of 2776	2292	vbc.exe	cvtres.exe
PID 2292 wrote to memory of 2776	2292	vbc.exe	cvtres.exe
PID 228 wrote to memory of 1044	228	file.exe	vbc.exe
PID 228 wrote to memory of 1044	228	file.exe	vbc.exe
PID 1044 wrote to memory of 1848	1044	vbc.exe	cvtres.exe
PID 1044 wrote to memory of 1848	1044	vbc.exe	cvtres.exe
PID 228 wrote to memory of 3612	228	file.exe	vbc.exe
PID 228 wrote to memory of 3612	228	file.exe	vbc.exe
PID 3612 wrote to memory of 3276	3612	vbc.exe	cvtres.exe
PID 3612 wrote to memory of 3276	3612	vbc.exe	cvtres.exe
PID 228 wrote to memory of 2668	228	file.exe	vbc.exe
PID 228 wrote to memory of 2668	228	file.exe	vbc.exe
PID 2668 wrote to memory of 1080	2668	vbc.exe	cvtres.exe
PID 2668 wrote to memory of 1080	2668	vbc.exe	cvtres.exe
PID 228 wrote to memory of 648	228	file.exe	vbc.exe
PID 228 wrote to memory of 648	228	file.exe	vbc.exe
PID 648 wrote to memory of 4816	648	vbc.exe	cvtres.exe
PID 648 wrote to memory of 4816	648	vbc.exe	cvtres.exe
PID 228 wrote to memory of 1500	228	file.exe	vbc.exe
PID 228 wrote to memory of 1500	228	file.exe	vbc.exe
PID 1500 wrote to memory of 4740	1500	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 4740	1500	vbc.exe	cvtres.exe
PID 228 wrote to memory of 1780	228	file.exe	vbc.exe
PID 228 wrote to memory of 1780	228	file.exe	vbc.exe
PID 1780 wrote to memory of 4856	1780	vbc.exe	cvtres.exe
PID 1780 wrote to memory of 4856	1780	vbc.exe	cvtres.exe
PID 228 wrote to memory of 3956	228	file.exe	vbc.exe
PID 228 wrote to memory of 3956	228	file.exe	vbc.exe
PID 3956 wrote to memory of 3256	3956	vbc.exe	cvtres.exe
PID 3956 wrote to memory of 3256	3956	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\High Priority\file.exe
"C:\Users\Admin\AppData\Local\Temp\High Priority\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oxnfztzt.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FFF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8038458E543B47849E7158BDA91A7D.TMP"
3⤵
PID:1044

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6wikd4fv.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6DD0BF925C14AB6884E66ABF27D67D.TMP"
3⤵
PID:3576

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qwsotkjs.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5493.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D039BE4BABD4C5D8D50B8B1F342B59B.TMP"
3⤵
PID:1088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihlwpdpp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc758E6FC483F2445699FD579C1229C9D0.TMP"
3⤵
PID:2352

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\btq_nyds.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5649.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6255A322B924C7D89ACDA1C6531D1A.TMP"
3⤵
PID:2436

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hee447yn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C4A3F1D16BF40D1ACB3C86CBD672484.TMP"
3⤵
PID:1196

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\07vbhe-z.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5772.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F5DB4F0971F4FA68C52C31EE3E1792.TMP"
3⤵
PID:3256

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rbnz27vq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE0A333AB1DA41409F53B12BFF2C57E4.TMP"
3⤵
PID:3408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mlbfzqs5.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES584C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A55608A9F2B4EBC8B6BF6A98662529.TMP"
3⤵
PID:2776

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t3qs8sbd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1227DE81A19E402AB7747A42B8525A69.TMP"
3⤵
PID:1848

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\szi4skfp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5946.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc435A376F53CD4391881290A484C6BC.TMP"
3⤵
PID:3276

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nd7wdi_f.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc967E7CEAFC524594817E2EBDBE73BDB.TMP"
3⤵
PID:1080

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ncuzr9qc.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6984AD1315774F25A54492BE12D5ACC7.TMP"
3⤵
PID:4816

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oaveeyd6.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5ABD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7662BA126ECF4C1DA517CF87052371.TMP"
3⤵
PID:4740

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-kq2lvv.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE52B2ECF86D4A78BAEE1AC43FAF91F6.TMP"
3⤵
PID:4856

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xm3a4mcp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7E9418175E04896B19BB11137A4EA66.TMP"
3⤵
PID:3256

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mgsway5f.cmdline"
2⤵
PID:960

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC51292BB56445EDB95C104135F9C3A.TMP"
3⤵
PID:396

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bb9bsc7z.cmdline"
2⤵
PID:3268

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7890C985734E2CAC7BD6D3F8704CC.TMP"
3⤵
PID:4732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\apiczcht.cmdline"
2⤵
PID:4204

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFB1909CAA404F5DB525A148EDF81EAA.TMP"
3⤵
PID:1732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i1jq7smj.cmdline"
2⤵
PID:1576

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B0880EEE89746A992FD758A5A7CBEBE.TMP"
3⤵
PID:1988

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s2fuenjp.cmdline"
2⤵
PID:4884

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6C6978C70B4479C9886BE6B242BE3.TMP"
3⤵
PID:4236

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pa6dzbns.cmdline"
2⤵
PID:2668

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3C1EFB95F1948C5A888F565252AC09D.TMP"
3⤵
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
1⤵
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\libsmartscreen.ico
Filesize
4KB

MD5
e5e3ca9573f74e3b13b79068aec7cf79

SHA1
a1779b1830d417d2c6ca4612340ba1118678424c

SHA256
fbd9922e4f261aaa2efc66f95a58595b81d361ccb50a70cfcd05416b09e2db99

SHA512
7388c02418d255f31e5e7e1b390387b8bffc3dd56cebc7c8559880b49649b6b91e77e7a3e513644d5358167543ffced1b630a9c98f1cb307cf47fa253a54fe79

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico
Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\07vbhe-z.0.vb
Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\07vbhe-z.cmdline
Filesize
270B

MD5
2998f9ccfd7226f769f4c9e01d8f188f

SHA1
1d037d11a96ab48e6bb0f264d43d777bf208abe5

SHA256
8e7c7ac25346b4a53bc3f9672e63e65e2b381f913bc4269615a90a182672b7ce

SHA512
c174585439ed115f9afab3780cd5fa66956e838e11747ff6b3f84d6a1f9c4302108ce0ce83302a9520742682ca6357a77c06a9a2be19ad9e3ffbec4b1559c31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6wikd4fv.0.vb
Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\6wikd4fv.cmdline
Filesize
256B

MD5
a40998d76669053790bc62ee4b36a640

SHA1
6a113da85d70b38a342853522f88cbd2b63ea265

SHA256
960c778b201bbab1a7e5ee9afea27b713da6c7a56d9698b10cc89d73c072342d

SHA512
83aed460320497e6488469df163eb22fb54459faa21c0ecd410636c076a92ea655ce2b4d60409e7f165d767d6965bcd824bfaf7a0c793687c44eed26789ed928

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4FFF.tmp
Filesize
5KB

MD5
de52062fbdac2d3189456f1c3ae66e62

SHA1
bbfb2d991e70375e421aa6e3793732afcaffe671

SHA256
92e8b5e8f6c449f95c074b11179fdb8e478bd420f8cea818ca6f83aff5bdae73

SHA512
785d1125f7fc6629381de251ad608c28624a16eac4d46a47f571a65b23300ae7d676e73372e217b96c0b375ab66feee711bf0345524a7ba7d055b937244d6643

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES52DE.tmp
Filesize
5KB

MD5
df3413e9a61fe87499afdb50650896e4

SHA1
8d01105347d75bb1f7af2e2a3507402d6b0e2326

SHA256
dafb6a927c94f1a5c9be73a0d13849e5d1b6e1cccb6c35b1d22dc11f30eb3186

SHA512
2701331bbfcff1b11024d0d5b76d9be1127ad39840fd279371befd0198b6539829c2ad103171d276547bc27e083d2445fa085c68d2f89cb9d6483d56c7550e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5493.tmp
Filesize
5KB

MD5
f44ba57f57fd12ff14b11db04697cf1f

SHA1
7ad2c893a7a14e654e2fcd50be635227956573e6

SHA256
b384076c731096c7c6c9cce6794e9fa090f3835ca1ecd2873fcfb61f3ddf1f3c

SHA512
b5eeabdf18d57871acbffc2fe019e8d2dc9774249e1dc0612ec9a4e96b865b3b5f6c2a186104d0200f13e1722f974200329c95cd053373c305dcbfc668f123ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES55DB.tmp
Filesize
5KB

MD5
11b9d124b9b4232d41cfb44d1708d405

SHA1
b2772de888c23842e85798b6dbdefdbb16019bc8

SHA256
a8a9e6bead34998b2d2e8ec7d71a58d9f7cf169313994823fcda8fe2ec8ceea6

SHA512
3c53c492c374045616674ed8375c7625e41944f86def3c9805157c774265957f66891fe08fe337ffa48e07cf04453fe152232d1d83207f1dc4a513325ccabc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5649.tmp
Filesize
5KB

MD5
54b80658e8b9456422aa43ec75a4df2a

SHA1
b174abc352c8186c71439c55f3ff5a1d4cf5a6dc

SHA256
46bc0a6d5f2199d9a3f21bee341614743ba76092c96e72b75750b444782b0a1b

SHA512
9b8d14dec6d25b930ac6f3253fba7cf6d2bf6e9184c55fe9b51325e699db89f0fa76b2291f65fa2948579d4aa0709d0f84231da9bb856b66bd12c6c4fa707189

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56E5.tmp
Filesize
5KB

MD5
5690248c4a16cb1c7c36213d0dd3c88b

SHA1
439030e2e7d2e84ee1d4519f191cf06d9bb29964

SHA256
91b37c8486e4308ebe7466d88b1dead254f108bfc4a6ba113120c876cca558b7

SHA512
70f53a370a190708e970a76f9155412befb0bf850c783558610988c8bea8898b6face64d1b2b8a4e872f7a9defa6b1adda7791cb6264fde29cca1a626be3ef15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5772.tmp
Filesize
5KB

MD5
8f285a748b777cb6f74ca4628d36e897

SHA1
dccf7417de9bc73975f496d3b9872227a4552d2f

SHA256
19d71d53e16f8fbac650ddafc6115d8782db1ac63b78c5f6bc11ff76e49eb609

SHA512
601af8eaa1ac9383dd618e0094e9d9c7d1f52e85c6dfa519705605d434f84c8d9110cd4f8f38c05c6dbbe4dacd09e75178ec5090cd5643492c33ceb1cbcc8f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES57CF.tmp
Filesize
5KB

MD5
bb0c4cd452f6f5a6e5bff3bf37095a94

SHA1
01231904c1433a30b8081d9394a27d5555dfff2f

SHA256
844e2e8dcee711b95229f8ce149d816bae0422e56cd7c0c0172ff1279ac4525f

SHA512
307fd254ed764301084c3fec23a0ff8e18f40eda991935eca0540f5b76cb623e2a02ac8bb1561316057cea7645b48071f8c623fe88fd859b14b5919afe1cd516

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES584C.tmp
Filesize
5KB

MD5
b0c77d9e9e0dab6da7ba83d1c7704e09

SHA1
00de8e0f706b61800c5f1f19bd1c5f5d19cba625

SHA256
c102cca308313b1adfba0a1c5375de91fc9a9296d126e11e46bc4f4fcae564f5

SHA512
46c8987b21b5da040fb9d583cdccf12938151e87d8fcf52cb60b7e116622b2867e6c334f4f8fd9f70fe4b111d6c0f734592b13f7b900e7c3a592bdc8bd8483ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES58C9.tmp
Filesize
5KB

MD5
5a4ea7cb68fbe2fbf14951418ff5727e

SHA1
815f7d81d96cf4f94f9ff9e639faf421532a0b36

SHA256
73b43f8ca3e91e4989f62f8e43949eeb983d9100b66245a0cfe0e7975cfd2e96

SHA512
997f3ae60ca90512f3570e44ca243d05dd7125a1f30566e828c1e0e1776981117e757af2fce09d55467cdff16006c92add9a5e048b4a4ef9231512765635470b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5946.tmp
Filesize
5KB

MD5
f759e566a91282577b8f4347dda769ee

SHA1
ff2f94c46c622ba0d31e98651e6d987b9c95160b

SHA256
f7cb1d1e204ba0dc55c00db5deeaa45816d835534af54b88d3dd009ff9e7a093

SHA512
64df3f4bca38bda5a2299d73bb6d09efb1cb6cf531cea08e09f25abc2e98554b4d41eca82da83d268cf7de0c476cdf7f16ea9c1793c041cf6b1855e81a9eb3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES59C3.tmp
Filesize
5KB

MD5
6afe9382ea419d231dbcb406991d2182

SHA1
73ae26a3ba9c17cf9cf056a898cf11c3d976e032

SHA256
3fd96f1b21a6ac45dca16ff68021d7f4614142fe0f83a66890ecd928cdff958c

SHA512
cc6e47ea2dbeeec6e5e3e2bdfef3b476c548574a58743a9fcb7a809d4e23a263c4b6515f06e5a0245a9b62895c0dade55be21b6c921f95d76e6ccfdc462f4740

Download Submit
C:\Users\Admin\AppData\Local\Temp\btq_nyds.0.vb
Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\btq_nyds.cmdline
Filesize
227B

MD5
e83ba4c5823a6a4bc4a93b0531db6282

SHA1
c051a3710eacaca4a2a45b1a566d8ae54ad156d8

SHA256
bbb915507607be33497d070ea002248ba6fac41a8bafc1918748fb6099bb37b7

SHA512
175fb6ee4bff94854ca6d4d93d236d03b35887e9dd92df7dac8a044ce21b3700dcf658b0f7b1b2f9833a1f7f174a1e7edddc21cfe03c96144e046b0216ac6194

Download Submit
C:\Users\Admin\AppData\Local\Temp\hee447yn.0.vb
Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\hee447yn.cmdline
Filesize
264B

MD5
ee367fb4d808a8cd7de9f9ff1efee0ae

SHA1
07537dc57b0e4229a26a3ab4bdec4b8fee7800f8

SHA256
da455fab275c37e3e82968b95aa3d572492e7a6b9d927fa685fe8d3c757015e5

SHA512
474ad19011d6629ef4c3bc81919def4872b3a11d3791ab607df564e13c0fa2cbdd15a3f44ebc7ec80d6f5dd50fe17b1e8b561313fd95e4a55247458b7bb05969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihlwpdpp.0.vb
Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihlwpdpp.cmdline
Filesize
256B

MD5
58721cbb6d51a46209ccabe6a827a426

SHA1
77b974d6375cd0239d7bb91acc5fbed3489fd5c9

SHA256
f99a522d118a95d88c2425f2a6a81523ecd6a262ee77e98bd0941ee4678ca058

SHA512
fc5acc3fb1f144448750164978efb89728256f8fce6638c29be0b727de6cb339027924d667dbe7597e1ad0c7d708581c1a97a78e1dd071f094eb77bda175b569

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlbfzqs5.0.vb
Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlbfzqs5.cmdline
Filesize
270B

MD5
3fca7c3956ffb222c3e58555f8439fd6

SHA1
387e60bdfb9636fed2e09498fef52fe350bd4503

SHA256
0545c525f293bdc3a00239f0a82542dba91bdaccf84ff8a9265009b71f8a08ad

SHA512
97643ddd19b3218c42b29af94aa2b898bc14a8cfcea3a08f0f1c306fa5b95c0f1ecff95e09d64e64b9227c8933025420fca40ad57c1f32ea7b2999d5c6a24c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncuzr9qc.0.vb
Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncuzr9qc.cmdline
Filesize
274B

MD5
e7878043541b2ca281cedb5e8fb5f029

SHA1
6585392410c76cb2d0bf382c7bf6ce095b85c020

SHA256
5c8e97ae3958794cb61c93b471e2a305c48d0af64369fa3de08a21eca34190ba

SHA512
e589f67c5909173142e7f51580e2e063e7b494eb991895c14a540ee6303b06f38b649d2b0336e85343ad39f600155015d02fcdce6c962915872920ac391c62fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nd7wdi_f.0.vb
Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\nd7wdi_f.cmdline
Filesize
268B

MD5
ca47b4b4e6e1f85f4a9fce70ebd244ae

SHA1
183e223d377293b2d7b9b21f5831a3f306e511d5

SHA256
94bcd26aa6414662fc46bb350b7c44071ef5a905610cfddcc36a820e23d8a87d

SHA512
0881274f3e06892a4788345b6651c6adda512d27a238bfe4e5f8a8b79cfb2099d55281e044ffedf132cf7a4f15efee237bbb862a3ebfaf921bd0d786f0896778

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxnfztzt.0.vb
Filesize
355B

MD5
1d5920ca826b304931c938be871defd3

SHA1
7ecc6286cca874e193ded478fe18b8f11be2b788

SHA256
9f078d86982c51c8c9425e73ec10c0d1ca0bddb592599cbfe03a9380a711e317

SHA512
22bee9ea363d5dc9e8f90613decc55000ec2872a3b4887c9b82f27c3212619238b4672362eb3add6c5c71b53adb9c1294014122f3d23fe4966a64c8eb1f08012

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxnfztzt.cmdline
Filesize
214B

MD5
3f36bdfeaa96496399a2d8982d0aec9a

SHA1
5ec1ffd34c560542cd32677136cb1a7ff67621de

SHA256
0e8358d2c055da65d1aa5f1a282966093413130fed630884e5a0a10e73ba7354

SHA512
8ac2e0400d2dbd1b44335326187b9de10c0e333ca2737e60a956e1926b61899d87a136d1ff8b40720cd18c616422d0bd4964a2dfe85d03be2cc5b5f87d132c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwsotkjs.0.vb
Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwsotkjs.cmdline
Filesize
227B

MD5
f7bf677a96a01d4aed5a9861f7e7260a

SHA1
f2d6e9614e529633784ec6f4d4371755fcc99360

SHA256
b80bdeebe7e46ca1d0628dc99be61f253769af84ca7aac8773306a0e7de2bd05

SHA512
bc365cb948019f82739435b4638189da966fb84ef573c9f522e083d1133d7dfed4420f31bbc2a1ae46ec725fca7c802c26d21569c6454c579b60b2f37546b9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbnz27vq.0.vb
Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbnz27vq.cmdline
Filesize
264B

MD5
2d130764b0b91324b036b9914eaa1939

SHA1
1a81822ee0c0c40174be7ca9a0078bdb8a488f27

SHA256
e013a7672528d4837fd8a9222780788485b40c52685115d7ea7ffa138b64e1c8

SHA512
9d9795292fc42addd988774b52b3ced825026dc8605d9ac7a6adfe97b9056addc0ae3b162be910017fbca72a4e10e9c4246b2334b72e2fbc30c70a3c5b4a3bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\szi4skfp.0.vb
Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\szi4skfp.cmdline
Filesize
274B

MD5
75a40e3944b877b5c6a1c2941395c737

SHA1
51286a1be7eff3de1eb7857ef920185336d5e8ad

SHA256
560f03908a372d656342a327de484b9e44a4699f9e21e42e2aed64f910b9626a

SHA512
f9d322bd1c3c75c96e2ebf9ed97cdab7362daa39105c307d65dbff11f17d934df38484d0fc3aded8f9b360174f212e0d18ddb842ee6c5b4174cd16e0e161c364

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3qs8sbd.0.vb
Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3qs8sbd.cmdline
Filesize
268B

MD5
3c309200a22aa47d797cd84f182acd70

SHA1
dfa15ff0c27bfc2eb298da8469cbcf213dc5b192

SHA256
9ceacd45145d76cfc61a823e6686b1fb23c4814df40184a525b2b37d6c3b45c0

SHA512
82d015163ffdbeeb9e968cf498108302d7e13224aa321d434e43ef6d138c008cb8971659ce874dca54a3dea39dfb05f7394ababaa87dd7f9db774c01d71f1b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1227DE81A19E402AB7747A42B8525A69.TMP
Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C4A3F1D16BF40D1ACB3C86CBD672484.TMP
Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1F5DB4F0971F4FA68C52C31EE3E1792.TMP
Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2A55608A9F2B4EBC8B6BF6A98662529.TMP
Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3D039BE4BABD4C5D8D50B8B1F342B59B.TMP
Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc435A376F53CD4391881290A484C6BC.TMP
Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6984AD1315774F25A54492BE12D5ACC7.TMP
Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc758E6FC483F2445699FD579C1229C9D0.TMP
Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8038458E543B47849E7158BDA91A7D.TMP
Filesize
4KB

MD5
0474e6df2e561a8ed76e4e5c5c979def

SHA1
0e10aaf43e738092115471ba6de2f9487028e78a

SHA256
c1564f6d669366a1900b121e3e6c131f07778fd0f6e255fd255636856b9184d1

SHA512
d9b4955c99683db380337aa93a621772b49abf2b6b288f8c6cfab2ce12d24ca81c7626a5212d34ca5af87f89aada98c8a07731ef49dbdaee40c376e11116db2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc967E7CEAFC524594817E2EBDBE73BDB.TMP
Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB6255A322B924C7D89ACDA1C6531D1A.TMP
Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE6DD0BF925C14AB6884E66ABF27D67D.TMP
Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEE0A333AB1DA41409F53B12BFF2C57E4.TMP
Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
memory/228-10-0x000000001CF30000-0x000000001CFCC000-memory.dmp

Filesize
624KB

Download
memory/228-3-0x000000001BB50000-0x000000001BBF6000-memory.dmp

Filesize
664KB

Download
memory/228-0-0x00007FF9904D5000-0x00007FF9904D6000-memory.dmp

Filesize
4KB

Download
memory/228-2-0x000000001B680000-0x000000001BB4E000-memory.dmp

Filesize
4.8MB

Download
memory/228-4-0x000000001C300000-0x000000001C362000-memory.dmp

Filesize
392KB

Download
memory/228-6-0x00007FF990220000-0x00007FF990BC1000-memory.dmp

Filesize
9.6MB

Download
memory/228-7-0x00007FF9904D5000-0x00007FF9904D6000-memory.dmp

Filesize
4KB

Download
memory/228-1-0x00007FF990220000-0x00007FF990BC1000-memory.dmp

Filesize
9.6MB

Download
memory/228-5-0x00007FF990220000-0x00007FF990BC1000-memory.dmp

Filesize
9.6MB

Download
memory/844-43-0x00007FF990220000-0x00007FF990BC1000-memory.dmp

Filesize
9.6MB

Download
memory/844-40-0x00007FF990220000-0x00007FF990BC1000-memory.dmp

Filesize
9.6MB

Download
memory/4728-17-0x00007FF990220000-0x00007FF990BC1000-memory.dmp

Filesize
9.6MB

Download
memory/4728-26-0x00007FF990220000-0x00007FF990BC1000-memory.dmp

Filesize
9.6MB

Download