60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 1856 file.exe

description	pid	process
Token: SeDebugPrivilege	1856	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 1856 wrote to memory of 4380	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 4380	1856	file.exe	vbc.exe
PID 4380 wrote to memory of 3336	4380	vbc.exe	cvtres.exe
PID 4380 wrote to memory of 3336	4380	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 2780	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 2780	1856	file.exe	vbc.exe
PID 2780 wrote to memory of 5048	2780	vbc.exe	cvtres.exe
PID 2780 wrote to memory of 5048	2780	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 3864	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 3864	1856	file.exe	vbc.exe
PID 3864 wrote to memory of 2988	3864	vbc.exe	cvtres.exe
PID 3864 wrote to memory of 2988	3864	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 1884	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 1884	1856	file.exe	vbc.exe
PID 1884 wrote to memory of 2024	1884	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 2024	1884	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 3216	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 3216	1856	file.exe	vbc.exe
PID 3216 wrote to memory of 4200	3216	vbc.exe	cvtres.exe
PID 3216 wrote to memory of 4200	3216	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 616	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 616	1856	file.exe	vbc.exe
PID 616 wrote to memory of 996	616	vbc.exe	cvtres.exe
PID 616 wrote to memory of 996	616	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 3056	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 3056	1856	file.exe	vbc.exe
PID 3056 wrote to memory of 3836	3056	vbc.exe	cvtres.exe
PID 3056 wrote to memory of 3836	3056	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 3420	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 3420	1856	file.exe	vbc.exe
PID 3420 wrote to memory of 3508	3420	vbc.exe	cvtres.exe
PID 3420 wrote to memory of 3508	3420	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 4004	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 4004	1856	file.exe	vbc.exe
PID 4004 wrote to memory of 3728	4004	vbc.exe	cvtres.exe
PID 4004 wrote to memory of 3728	4004	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 3188	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 3188	1856	file.exe	vbc.exe
PID 3188 wrote to memory of 372	3188	vbc.exe	cvtres.exe
PID 3188 wrote to memory of 372	3188	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 5024	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 5024	1856	file.exe	vbc.exe
PID 5024 wrote to memory of 4460	5024	vbc.exe	cvtres.exe
PID 5024 wrote to memory of 4460	5024	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 2440	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 2440	1856	file.exe	vbc.exe
PID 2440 wrote to memory of 1020	2440	vbc.exe	cvtres.exe
PID 2440 wrote to memory of 1020	2440	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 4984	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 4984	1856	file.exe	vbc.exe
PID 4984 wrote to memory of 1744	4984	vbc.exe	cvtres.exe
PID 4984 wrote to memory of 1744	4984	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 2452	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 2452	1856	file.exe	vbc.exe
PID 2452 wrote to memory of 4976	2452	vbc.exe	cvtres.exe
PID 2452 wrote to memory of 4976	2452	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 1996	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 1996	1856	file.exe	vbc.exe
PID 1996 wrote to memory of 3688	1996	vbc.exe	cvtres.exe
PID 1996 wrote to memory of 3688	1996	vbc.exe	cvtres.exe
PID 1856 wrote to memory of 2008	1856	file.exe	vbc.exe
PID 1856 wrote to memory of 2008	1856	file.exe	vbc.exe
PID 2008 wrote to memory of 2444	2008	vbc.exe	cvtres.exe
PID 2008 wrote to memory of 2444	2008	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hrtgna-h.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7268E9CDFBAF4C43875D9994F0B181B.TMP"
    3⤵
    PID:3336
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fkk5pb2d.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA75C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C72C8F913AF4045A7CCE0713536D02A.TMP"
    3⤵
    PID:5048
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stkazoml.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BF5B4D0764D45579CE27AD6A9659C8D.TMP"
    3⤵
    PID:2988
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bhjudcd8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9B8D476934043DA8414553652BAEDD3.TMP"
    3⤵
    PID:2024
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8vn7vw9z.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF65D9171E80F44D0BCEA7E851AF8345B.TMP"
    3⤵
    PID:4200
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y8dcr9ao.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC14E712ACF84D8380D31DD827D7B462.TMP"
    3⤵
    PID:996
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_rcaf2uy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABE0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc379187A67C64AE2BEF365D0AF937FDE.TMP"
    3⤵
    PID:3836
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rxox9cqf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc558583FE6B124D1CB1E21D85969E9E9.TMP"
    3⤵
    PID:3508
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jxbgwmrf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B73A90710554780A3802A3C415D7557.TMP"
    3⤵
    PID:3728
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dh4qdtjo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52788E5D96BB4291A35C3394ABE5D0C1.TMP"
    3⤵
    PID:372
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmpozi5x.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD38.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE40B2562A22C43F4817E2F26519FBC83.TMP"
    3⤵
    PID:4460
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvijhap8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9531F1F7B4594FBDBDD4F842F29C3FB8.TMP"
    3⤵
    PID:1020
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tkeevizu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39F97246A7C4486D8EAB972DE965047.TMP"
    3⤵
    PID:1744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\utl-iseu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBF1CC0ABAC34BAAAC948F329F94E86D.TMP"
    3⤵
    PID:4976
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2stbssbw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC40C709676824C07A9682A892C89CF32.TMP"
    3⤵
    PID:3688
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zx30_ank.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD95A1F5FB444A8BA9ABEC47B5F4DB6D.TMP"
    3⤵
    PID:2444
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cubzixs_.cmdline"
  2⤵
  PID:1816
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF89.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc217BB54471A2414DABAC9DB78D2CA58.TMP"
    3⤵
    PID:4188
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qj7kulu1.cmdline"
  2⤵
  PID:4956
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFD7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB2437E8D7154550857E3D88A7855284.TMP"
    3⤵
    PID:5040
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_zylej4o.cmdline"
  2⤵
  PID:2024
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB016.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20561298BA3C4DD085CD64711A8FA5EF.TMP"
    3⤵
    PID:4676
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iaemtnhu.cmdline"
  2⤵
  PID:1608
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB074.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33DB86DE77E24AA7A4CE9CBCB1EFA.TMP"
    3⤵
    PID:648
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u5dqsm09.cmdline"
  2⤵
  PID:3256
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3BC9CFAAAE4C59B0A8E942B2308B96.TMP"
    3⤵
    PID:4920
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\exkyvt3k.cmdline"
  2⤵
  PID:2244
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA5FD3E7FC7E642E490EB2650A98CC28C.TMP"
    3⤵
    PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\8vn7vw9z.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\8vn7vw9z.cmdline

Filesize
264B

MD5
e096cdb72b48dbdcd807a7bc31d951cb

SHA1
05f008c6d140462b354b7fc390f446c60d1192c1

SHA256
e61959583a0be932189f898ba794ba2bc82577e9fef6e2315a687f02e545556c

SHA512
bacdf3129aa8d4bd75f31fb39bd7303e936be1475d63e11e40cf77d43cc82ef2e8c6b62a5a86db5befce7a479cb9b999648ec651d68709c447b8d6da427ffbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA4DB.tmp

Filesize
5KB

MD5
b80afcbdfcde293c7221ad42a3c50a11

SHA1
d5d8ed8672ea0491c9709bbef3df528f6aeb7629

SHA256
661af704bb88d3e1109ff6071946646ebde817d098a8f83c50093f1527d4fa2e

SHA512
e580e53290eebb24aa311d63a4be82dcb30bccbeb015841b7245ad5e4265d6b81ae710a9ad224be14a6559a52200065d144543e4f53783b10fada9fd85a09ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA75C.tmp

Filesize
5KB

MD5
d0a74b995978118d8ee04d2eac9d7c7e

SHA1
8563ec02372a34ad02fcb7cfa7b4e58eaef9bbc5

SHA256
fc3962d74ab82180b9e6b0cc38b7287fd573599b37fcdf70b204002e5cdb23e7

SHA512
e7585518917178eb654f80836b0ac27cddc469a02b4ef0566bbc2f840a59fbd4ec79d95bf829e179887b2ee96c3c237eb766c1618d4b63887e1f16be46f073f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA69.tmp

Filesize
5KB

MD5
7f52e469259c5be47dfd6aa64307894d

SHA1
02d24eee81715abf97fa129377f31fab00d8da79

SHA256
90af9a18307cd414b079d2faf8283b64f72e58911056f0ed219b1b26aecb6c5e

SHA512
cddec2626d5b739f8cb13448c2552de0cd06a2b61b5b8481bfe941d0d8d4202f4fc8ae6471f85366ea79025b66d126a148e530a5694c7f65bb66cfb57089e5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAAC7.tmp

Filesize
5KB

MD5
d942c0febf4d5779df99dad432421676

SHA1
fc42b78da6d456b01a2eb6c2e4d013d67f3903c7

SHA256
062067480365bd6fc846de38d4232be57ee3b9121671aa5ce9e4eb76b99c8944

SHA512
3470c5fa42f9da9a1ee0cd9a6847e047162a570a48a8f412e22bbf2103fb87051b98206faade64f28372ca433fb0eca4e37e07d13c7536e21e1f73d59f690651

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAB24.tmp

Filesize
5KB

MD5
2e8cfc1b6d79fe26d1003e11bfa5f28a

SHA1
f54396439189511bc3fdd60c74cf82484baf5687

SHA256
b6a857cc274f73444b1582ebe040e2593b5e2cacf78daccb1774a05c51b862e7

SHA512
295b1f8399879e0745f4fd558486044f3a1cb297efec5234e33947959eedac4bfc46ce0e74e3fa6f161b7f283eb374a184a993683da22e149efb51c9b204e095

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAB82.tmp

Filesize
5KB

MD5
2cdbfc15449a9b31a69ab8965a1c2387

SHA1
3b4fab375d219c5fbb81aac21441a68c79c5ee2c

SHA256
a08183d26d62f29ac7060538db0f15f757346b95516de0cea1f31ac8c0931fec

SHA512
80bba6d939b0745264181d8b923f9c48c46df8c1dbf14b471f7ca774ddb561cbf3ae964779679d0528ea2e4dcb75766b9afb71d69fab9e39825120d2b2d71345

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESABE0.tmp

Filesize
5KB

MD5
a981fa2b372449b598dd69c032f9f3e1

SHA1
0a20a9f756680a79d0dbd19885864e73db9d5aaf

SHA256
82a1eb79594d3c7eaee3753c56e71e3d704e0a61a014247fbb4a38fd777897f1

SHA512
8c9bb3a29f359fbf021309dfe982ff0f0040d7c425b41f8d9b382c18e54fa7bb583b80b9dc1ec584fd4a507d1e2798ef319367d8c075c21b7c433a4a8c757996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC2E.tmp

Filesize
5KB

MD5
7287b893fdb4309a4e184d285d8e3d62

SHA1
3d355a9e7815dd3de8e0229ad7e9e4644d868e6f

SHA256
59caa8687039b3a8a67aec305583737915fe67eb957b2c57d5b63ff86d102d41

SHA512
f632b17f0bd5d2743f27b111d2d6a065ac67610ff71cb11497030e64e43b5180e86437b0c5f53141c40e6ed9004ce2375a1604e8e53630823f61e873e141871c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC7C.tmp

Filesize
5KB

MD5
7855989fe30144c600456bb0a3bfd35e

SHA1
1fb805e154a867d5e9876f0e876e2c60a157dc16

SHA256
2edc8dd3d2f49696fe676d3bd600d7b5c06dd3f7a6d93b5c8a119839dde15b1f

SHA512
05bcff17ff84469aa04d523e1a384cf4b0335b942e5be2b388297188c7f159884cfee1fe976c768965a28eb230c1607bf4e1df2f5bdf9bde78ea25174ee1a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESACE9.tmp

Filesize
5KB

MD5
9a9f55f64a7e2ea03c3e2a9fb5385a48

SHA1
d464fa5deb266490d60929534c779c5515e08923

SHA256
c28d2a832cc870c9c32453c7a846e511432768dcc924b96cdede7e486241f1b1

SHA512
d09461bf2d1dd2f3c4328b7fd9b2f55eda95b95d6575e3f8709d90631ae8b5297d4375e6812aa7dfc1c80d187c4b1c229b0563382cb0e65f3b27d11c2847f223

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAD38.tmp

Filesize
5KB

MD5
a1963b80651649c5091f59f58bc51ea3

SHA1
99a68ce92a5115bc266b20ba4a422c7fe4098330

SHA256
cb67c590a66f727d22e4c1ab9574c9f0d5d9584605d6238764b22db19edb7ab6

SHA512
9072b372b40926dbcda8243922ea7a9dd3f868c4d8fa0fb35389b37a998c5008cb77996a190ba83a4615d3bb976dbadf72f5745b1319bf0acff67ed4130a37e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADA5.tmp

Filesize
5KB

MD5
3a0db7f65ef5e6f0b98cb77f11fc1220

SHA1
fe4837b68d136bc83f5fcc777daeddc1a18e75b4

SHA256
efa88a385b56cc6c8ce2236ace1efbd3029097a56b0ac5bea99b6324db42d4af

SHA512
f7b2e1215c37dbe803f5fba686a16456c7921a2fec9ccf8bc3900f924a2a931f93427b86ea7b1f4007c6154fdcd32729efcd1cd2f85ebaf157d7413e4e75f66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_rcaf2uy.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_rcaf2uy.cmdline

Filesize
264B

MD5
61ae8ce77130335ee85fef1f22cf322e

SHA1
3a3e3f82fe7665853788db1df9eb07284d52183c

SHA256
1ef2a0dff863cec6032083dfaab983cf8776353afad2c731107a7c5211e8e28a

SHA512
f3af69bf8cdf5f12a988849093f93303111ca99b7f420f4e8a4e718a1c22bf0ca0f466a1041d255bcdbba5bf55e78969a23dcc63d71a1a37c7d29aeaa239408a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhjudcd8.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhjudcd8.cmdline

Filesize
227B

MD5
1747bc7093bd69577d0017d6222cf2ab

SHA1
19617262c0ad0633f39d5b89bbba839582d6e4ae

SHA256
e9fa3d02c4c95b231a78dcd4607861a5f6f786d658f7429f787157265a63ff2a

SHA512
0891f416b9384339e2fffaa1c82397d04fab580a08b10113035dd72b1e13461dc7bbb55ba2dca385e48c9d6013313e4ec999967437afee77ae0e430edb4d2edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dh4qdtjo.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\dh4qdtjo.cmdline

Filesize
274B

MD5
396acc6a7c96544d290200295e38311c

SHA1
88bf2eba4a911b2389802ed9307d82c2eeb47083

SHA256
c565c609b0c785fa4d5cc7ffc6825846420e113018a97e2a46210179d64b7373

SHA512
43aa0e337ab631a6d055af036c42a5c5e1b4144a5bc2d6c79d54354f7de1c031d5c8a46b63f457793920e65d95fe25731ecdb8b7681565d96735b4fc7762ada0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkk5pb2d.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkk5pb2d.cmdline

Filesize
227B

MD5
34bd5deb82ade4f521c6791ce1e5e415

SHA1
77aab601214761c120632b4ad162319fe4e064d7

SHA256
7660929ffd1f280839a3423af7e2368da1a7b83a2d67ca5a4193ae3575273e5d

SHA512
54642272e23a7e118a4a81dbd0c1933e09631ee18c0ac0c7f214f2cc5dd35e725b63dd6f75d70daf38e633e010748b11f77146ac5af8b5b6441f771ea274dcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrtgna-h.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrtgna-h.cmdline

Filesize
256B

MD5
8a84229094804b21f1f9c4bfcbb52c71

SHA1
dbe2791349f50d851028101877c7ec99534a59b3

SHA256
bf8f94a17e19dae6dad791098837d4efbf5c15058749ed601db21a6cddfcdee6

SHA512
4d120815c462c0e3a0354d38e74928bd80d6bae02440c12363ea46866f24215ff3c534f4df8439946f8999663b8b19dfc7b9b12e5220b43ca77abec47461a073

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxbgwmrf.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxbgwmrf.cmdline

Filesize
268B

MD5
6698cd736ee0a09424a96a226b1b1b67

SHA1
c11be06c049933931a1de3618b1884a4c361a086

SHA256
051142fdd0af449504a6448bc6e27275722547df5fbb2817c1057a1dbf66ec2d

SHA512
90d6329ca22eef4c6b7429634c736ab1e0f31495ba33279c25f98c656080c7c2877cc2f3055fedc0397b1a6336bf25883f1e09fbd79de9dbadd8aa290c079dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmpozi5x.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmpozi5x.cmdline

Filesize
268B

MD5
52d4958b45ebbf1287d2a40a228a08ec

SHA1
a988d902a083b7b6d59ebcd04e526153007c14ea

SHA256
0ff9394698ee585811bfe2de7efb4dd9977be0d6181fabf898be64b38adfdb71

SHA512
2b73c6bad556cb426a457061a5e50900fb1d253b8d7f49a545180e1fb384d483d9c98651342bbfa376f7f3a80b56ac1e5610894f94ca8007b103f2ac0efba0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxox9cqf.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxox9cqf.cmdline

Filesize
270B

MD5
432262118de3d7cbbdfddf879abace3f

SHA1
894ef65b85b5de4890524eab852da660e7656c44

SHA256
310e53e9c8deaba4f7103eb83d862d877323747877ea67c3ec1869164d16a31b

SHA512
d0fecd487e3a59c255a75df0ffdbbb37644d9eada52ef1b8f0efbb522da65439fdf86cd6efe5aa24ef05d21b6a030ffec28e2cffdbf4b9878642322b32933647

Download Submit
C:\Users\Admin\AppData\Local\Temp\stkazoml.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\stkazoml.cmdline

Filesize
256B

MD5
71069ac2efba09952b33aa34302b5731

SHA1
3f46b03c835be7e8112e197052ede5cddde1383e

SHA256
a7241937088e953326d114fffb68ef5f904e466a6b9920140830e984da246851

SHA512
bca272c53f4de978a993ca96b1d9e1c19b0379df853a758e1134489b861da1eeefee2ba1102aa30e1de76d04ffbdef119577b29a06a17640fdb27e8cdc3fb0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkeevizu.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkeevizu.cmdline

Filesize
268B

MD5
57d06b07f6ac1c151d2760a470f64c49

SHA1
75e35789ab1e1cd0dfa7dbc43aac90cacf009232

SHA256
7838ca20ee8f23cdbc101cede18aa6643100de15988e574f1e4d28341c95723c

SHA512
0ce9c52c759885b2cf78b740fce00391b4f92b31148f8898598f566f4d4fb95da45cf960016cc5da509966b4ebb5bc5d92bdd3ae340a8dd45bcb61af2adbde45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvijhap8.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvijhap8.cmdline

Filesize
274B

MD5
fed3238bba997c26dc620bfe5500c4b4

SHA1
65979bc2752b42e4bb01d2c80dc99bd02897d247

SHA256
fdf866551930c40b36cc87c3de22d4855e50608f232dff276eac62a25aca0271

SHA512
7add27472bab364bc018ed7239b5a1d335f9002f6155818c863f4721e983faec4a60b6dca66d22406f0a61c7600f440fa20cae2c50e81d4f1e96e2ff3b0f2512

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc379187A67C64AE2BEF365D0AF937FDE.TMP

Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc39F97246A7C4486D8EAB972DE965047.TMP

Filesize
5KB

MD5
9874538991433131fb3158b7b1f83d46

SHA1
9e9efd410b28be52f091ceab335eb1e6ed8e001c

SHA256
2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c

SHA512
9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4B73A90710554780A3802A3C415D7557.TMP

Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc52788E5D96BB4291A35C3394ABE5D0C1.TMP

Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc558583FE6B124D1CB1E21D85969E9E9.TMP

Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5C72C8F913AF4045A7CCE0713536D02A.TMP

Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7268E9CDFBAF4C43875D9994F0B181B.TMP

Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9531F1F7B4594FBDBDD4F842F29C3FB8.TMP

Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9BF5B4D0764D45579CE27AD6A9659C8D.TMP

Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCC14E712ACF84D8380D31DD827D7B462.TMP

Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE40B2562A22C43F4817E2F26519FBC83.TMP

Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE9B8D476934043DA8414553652BAEDD3.TMP

Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF65D9171E80F44D0BCEA7E851AF8345B.TMP

Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8dcr9ao.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8dcr9ao.cmdline

Filesize
270B

MD5
83f0323b2032db56656c18b814d81b67

SHA1
3564793030bc1e889600a5e58276aa4e66cb43d2

SHA256
54ac5c787873f8dcba72ba1a773be1490db73f4086b7fa4473ff8f1c78a62e7c

SHA512
326807fb95ce55f58a0c6e1c9d291a1c9ae9475f6331ae6cf13d91424af5a9e8e6cd12a31276368c541769b05bc1cf0e41c7e0e3ebcc763ce4385310e7b01c7f

Download Submit
memory/1856-6-0x00007FFF10B95000-0x00007FFF10B96000-memory.dmp

Filesize
4KB

Download
memory/1856-3-0x000000001B970000-0x000000001BA16000-memory.dmp

Filesize
664KB

Download
memory/1856-4-0x000000001C4B0000-0x000000001C512000-memory.dmp

Filesize
392KB

Download
memory/1856-5-0x00007FFF108E0000-0x00007FFF11281000-memory.dmp

Filesize
9.6MB

Download
memory/1856-2-0x00007FFF108E0000-0x00007FFF11281000-memory.dmp

Filesize
9.6MB

Download
memory/1856-0-0x00007FFF10B95000-0x00007FFF10B96000-memory.dmp

Filesize
4KB

Download
memory/1856-10-0x000000001D660000-0x000000001D6FC000-memory.dmp

Filesize
624KB

Download
memory/1856-1-0x000000001BF70000-0x000000001C43E000-memory.dmp

Filesize
4.8MB

Download
memory/1856-7-0x00007FFF108E0000-0x00007FFF11281000-memory.dmp

Filesize
9.6MB

Download
memory/2780-38-0x00007FFF108E0000-0x00007FFF11281000-memory.dmp

Filesize
9.6MB

Download
memory/2780-43-0x00007FFF108E0000-0x00007FFF11281000-memory.dmp

Filesize
9.6MB

Download
memory/4380-26-0x00007FFF108E0000-0x00007FFF11281000-memory.dmp

Filesize
9.6MB

Download
memory/4380-17-0x00007FFF108E0000-0x00007FFF11281000-memory.dmp

Filesize
9.6MB

Download