60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 3564 file.exe

description	pid	process
Token: SeDebugPrivilege	3564	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 3564 wrote to memory of 4960	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 4960	3564	file.exe	vbc.exe
PID 4960 wrote to memory of 1624	4960	vbc.exe	cvtres.exe
PID 4960 wrote to memory of 1624	4960	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 3480	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 3480	3564	file.exe	vbc.exe
PID 3480 wrote to memory of 4608	3480	vbc.exe	cvtres.exe
PID 3480 wrote to memory of 4608	3480	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 4156	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 4156	3564	file.exe	vbc.exe
PID 4156 wrote to memory of 5024	4156	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 5024	4156	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 4560	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 4560	3564	file.exe	vbc.exe
PID 4560 wrote to memory of 1056	4560	vbc.exe	cvtres.exe
PID 4560 wrote to memory of 1056	4560	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 8	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 8	3564	file.exe	vbc.exe
PID 8 wrote to memory of 2868	8	vbc.exe	cvtres.exe
PID 8 wrote to memory of 2868	8	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 4184	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 4184	3564	file.exe	vbc.exe
PID 4184 wrote to memory of 2272	4184	vbc.exe	cvtres.exe
PID 4184 wrote to memory of 2272	4184	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 2208	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 2208	3564	file.exe	vbc.exe
PID 2208 wrote to memory of 3060	2208	vbc.exe	cvtres.exe
PID 2208 wrote to memory of 3060	2208	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 3900	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 3900	3564	file.exe	vbc.exe
PID 3900 wrote to memory of 4940	3900	vbc.exe	cvtres.exe
PID 3900 wrote to memory of 4940	3900	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 4976	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 4976	3564	file.exe	vbc.exe
PID 4976 wrote to memory of 1508	4976	vbc.exe	cvtres.exe
PID 4976 wrote to memory of 1508	4976	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 4696	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 4696	3564	file.exe	vbc.exe
PID 4696 wrote to memory of 2420	4696	vbc.exe	cvtres.exe
PID 4696 wrote to memory of 2420	4696	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 992	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 992	3564	file.exe	vbc.exe
PID 992 wrote to memory of 4996	992	vbc.exe	cvtres.exe
PID 992 wrote to memory of 4996	992	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 116	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 116	3564	file.exe	vbc.exe
PID 116 wrote to memory of 2228	116	vbc.exe	cvtres.exe
PID 116 wrote to memory of 2228	116	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 3204	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 3204	3564	file.exe	vbc.exe
PID 3204 wrote to memory of 4088	3204	vbc.exe	cvtres.exe
PID 3204 wrote to memory of 4088	3204	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 1664	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 1664	3564	file.exe	vbc.exe
PID 1664 wrote to memory of 4908	1664	vbc.exe	cvtres.exe
PID 1664 wrote to memory of 4908	1664	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 5116	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 5116	3564	file.exe	vbc.exe
PID 5116 wrote to memory of 3420	5116	vbc.exe	cvtres.exe
PID 5116 wrote to memory of 3420	5116	vbc.exe	cvtres.exe
PID 3564 wrote to memory of 3276	3564	file.exe	vbc.exe
PID 3564 wrote to memory of 3276	3564	file.exe	vbc.exe
PID 3276 wrote to memory of 1284	3276	vbc.exe	cvtres.exe
PID 3276 wrote to memory of 1284	3276	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l30x5rln.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A2D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc511A2EF6C6C7471981B6472542F3430.TMP"
    3⤵
    PID:1624
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dknev6u9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68D1B2FADEA74615AA58CC789373A64D.TMP"
    3⤵
    PID:4608
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yfahnaxt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B36.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A928EF9E7624AEEA3DEB75D3EA0611.TMP"
    3⤵
    PID:5024
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tjzz8t00.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C71A2D117114ECEB87BD093DD125DED.TMP"
    3⤵
    PID:1056
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lpqmf0qg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28305AC447CB49B98CF28F59B6ACDA7F.TMP"
    3⤵
    PID:2868
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xidiww9x.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE18B00E6636448E983F5158FFB4979.TMP"
    3⤵
    PID:2272
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyfw0d7h.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7786216944C5BA83BE8889E368DFB.TMP"
    3⤵
    PID:3060
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z9fpcpzd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15531943ACD4486A35D2875BA6F658.TMP"
    3⤵
    PID:4940
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xu17z7ad.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5DC0186EC9347A5BE4E3CCF4FA31.TMP"
    3⤵
    PID:1508
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4jzqavn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DA7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4692E8742E1A4B60BDEE9C3960B98DF4.TMP"
    3⤵
    PID:2420
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5dqxehlu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA6FF64030454BDFB4764CCEB8D491.TMP"
    3⤵
    PID:4996
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hz3pvje0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1CD746BFEC0474C993B40C53BD068B0.TMP"
    3⤵
    PID:2228
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t93elawy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc782E92C2C8614343B8DFCFC0B28950C5.TMP"
    3⤵
    PID:4088
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zqpixs_s.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ED0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6770AC079337467983D68694753332A1.TMP"
    3⤵
    PID:4908
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fzectkkv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE11574FCBDD8464E92D7C5604A76A91.TMP"
    3⤵
    PID:3420
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ipjl5jxj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc758E8A1527B340D6B8CC322CB4567155.TMP"
    3⤵
    PID:1284
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dxeoatgj.cmdline"
  2⤵
  PID:2280
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B49A646C0974C68BFD1C4D4ACED1F6.TMP"
    3⤵
    PID:1400
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\umvwxnnf.cmdline"
  2⤵
  PID:1112
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA009.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD97FFAA4462143B68B69ED55DAC6E2F3.TMP"
    3⤵
    PID:4768
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1pvaycoa.cmdline"
  2⤵
  PID:1960
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA047.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63C3A197642A419DABA362B0ACC813AF.TMP"
    3⤵
    PID:4776
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ejuljywa.cmdline"
  2⤵
  PID:2244
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA086.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51C8436C15C449EAA79FC6B7C7DA23D.TMP"
    3⤵
    PID:4140
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tft87bgq.cmdline"
  2⤵
  PID:688
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc738F4201EE1949BA82E91525DFD114D0.TMP"
    3⤵
    PID:2500
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adbzpgt3.cmdline"
  2⤵
  PID:4540
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA103.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF1079074B2F44A3B6137048C91D3BE1.TMP"
    3⤵
    PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dqxehlu.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dqxehlu.cmdline

Filesize
268B

MD5
a9ccb9e02234d14dd579136a30521297

SHA1
e2d58c39874a0e41805142924cc58bf52bdbe630

SHA256
9c6db1a4ad9127fe8355bedd7666c076d8c78e901c7260108844b2982cc0de68

SHA512
4c4c3fdba761903d3f15d4717d146cd444281315a5ae5678a782fb54f78503f1d645d0ed0b0d2d1e9fa16a5c7c4ef73a95254976b68a0adf1817f5dede5b5513

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A2D.tmp

Filesize
5KB

MD5
b67c44ad1164d3db91696d1536b89842

SHA1
9fb6dcc3f8f5d09cd936e1ab83b7773c8b3daa19

SHA256
5e181dc48b9caf6f21a3fb513cf1f911036ee45e1ffa61cf60c86a83b9fae7ad

SHA512
81261bd489b166388ad5c25a8fc44a067f7841b99e0071e409a669a47ab937faa8790673b19df0404f79f56138cacf72b7a7beb05814af8c9ea72904c4842c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9AD8.tmp

Filesize
5KB

MD5
e979a47a11d8a9a4ac5509cede7e1434

SHA1
fe8fb305b8e5c2e5ffcc5f19836cd3ab905b90dc

SHA256
540cb64eaa76c1b617491f295899f39acd952990ef30f8bfe91d5aa564062364

SHA512
70fd62a21987ef2253aa75724df347ec8632e2aaa6b22bfb2f200881f9f6e44a7b064d43304614df6dfd175b80174e61243c2df1796d1a97545c89d971d4a9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B36.tmp

Filesize
5KB

MD5
aff67060a5cabed07ba1859497d3a2b1

SHA1
9d031f2d302dfb2171bf149ca6b7c86b9c902605

SHA256
eee3d7a5b47b614cd89a1cd8f1e3d83d0f6985749b95337a0bc972bbaa021f44

SHA512
5c610810d4f509fba3e30ef6b4964c5bb1bb759e948f697b1083973ed0f2dcfee5433504753dde4e57a25d992cd1c0a9045abfa49df2f11a0d4e364ce12b401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9BB3.tmp

Filesize
5KB

MD5
465f3355f6413266b7975d700be1a05d

SHA1
a99b8fd1cd9202b07cab0b36d0f0ffc1d6d1873f

SHA256
142c87a4f18d1f3df472c9598a941a052db693f4362c969e1bb74793f0ffe0f7

SHA512
1f354aff735bcf6b4f13e9828fce56af89c7e8d0b56734a810d97b6470e53d720e5f0e37d2e498adda7d9af5142664617d0c40b758c38c5e0e7fd0f0aa9f91e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C11.tmp

Filesize
5KB

MD5
0e6d3c28703b5fa0aed6859f3d8608bd

SHA1
809e474370f73bfda5bf5d5551b76b12abc576f7

SHA256
83bc4bda7686183504fd7d7f9237cc9591e2adf359facd5c4baf03a3164b9b92

SHA512
597efa0b5a0e38df11c161e082e3f5b0c147e5d9f664457bf27ccfb44dfc9c0f0fac7a29fe992a76265cc224e4697cde94e1a1162f779c27a0126691fb1e9b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C5F.tmp

Filesize
5KB

MD5
b9506ff39d191bcc8fa649dcbf6a3d3f

SHA1
d7d6a9dca1c0c29070a3ef13782135147ec23b96

SHA256
a02dbfcc3bbd9eef6dc3593f5a185131156756fb45144b142169a407c072f054

SHA512
8cc5bc66074168740c6577087c1e60a3231e5ad52279d7de142eec342fc831aac5b4f5a2f9042f48574cfb7eb31db500562b49516438e7ac3733519d6620688f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C9E.tmp

Filesize
5KB

MD5
7310f30ae591bd613fa116b7eaef29fc

SHA1
a0d555f308642568cb20bc1f452aa2261de68f95

SHA256
dd8beebfbc34ca6fe144c6ebd968c83f51c4d296e47c1b2a22851bc747fa0b60

SHA512
08a0b9548a045e343a34f4031054b5b692ab586288f099876bb4ae1e75db58bf668a3d7303e8b3a4de8d08872e3f0d8ba30097c4378d33f6d8cb96b921e276d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp

Filesize
5KB

MD5
8d3cb9af324eeebffad7050441c401a6

SHA1
cda99a977ccf8a37f118cb8d80433b33efd981c2

SHA256
aaa4118883f347289b08693928106a29e8a56ab44f0be845fe218ee8c2d38483

SHA512
397b4d90cc690f589ff212e2fd6974bc5a2dfe5a7b47b0150473681dc2c956c279a34c24439a902d806a1ed53f777a2df048a5afd32d5e4edb1c08f7920ef327

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D3A.tmp

Filesize
5KB

MD5
31d598aa85d7853368c03b8d8cb69a03

SHA1
835300597ea88f5789b27dad2b13679100acfb8f

SHA256
793568ce6f008444c0ea694090e862448410b3fd98ad48c614e53fdc1003a6f3

SHA512
5226458425d298bb11df714944fd7ad2ada9f57908622cd1052087d6082b6e18d665e177cdda4f64fd8032b7af1c83279fde43a61de3ee1d1e4383c6661397f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9DA7.tmp

Filesize
5KB

MD5
c8f46286e9cd06c9a39f27b6e90aa075

SHA1
f28dd7c72f7e1f2f8481e7f7d0eb4477856ab40e

SHA256
8edda0ac35f504a3cf31f7f8106e8a28d7a413b887e4decb2daccb92130afef6

SHA512
cde5d2e3a3bc834c588d23164e5a31332013b31521a2fb611c8019e624843c8e48e1720441afa87e20116c62ab79ff9f0779ae9f3ca9f6481338ce634809a8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9DF5.tmp

Filesize
5KB

MD5
361d7ddfc5bfd255e1530f7f154cb1b5

SHA1
3a10dbf806a5ec5e87ef9541da6713e16b95ae65

SHA256
b187a69e0ca7e38b4f64a24354e9d9835bbe1f72f90de1edd503b5099c77cfa4

SHA512
65761e1291ac7a4c6f31288f39943f5fabd38abc1b67cd3a59cf97ff95b6d94fd43c4fba622a501bcf90409a482503ee0cd0bb1c66d33f18e18926921afe1798

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E43.tmp

Filesize
5KB

MD5
76813734804a2c434fdeb89138dc0a79

SHA1
e50c79e152df009913436bad4f853b0e3d9bcd8e

SHA256
72f1c08e49deafde4aa1e4ed19bc90f6adfb2dbf681c55b8c2359d4740251831

SHA512
23e06425580046a56245bcefd8c3d9749c71290bdfb1c3a622c8986199369f712d430ef3a32cd66c1e083bde3df5ddfc72536f6e505479a98c5581f3120f376c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyfw0d7h.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyfw0d7h.cmdline

Filesize
264B

MD5
5c6b3683939437b85631f3e14413a6ee

SHA1
c719fddd044916a741a9b72ef8164c076c2f4f8c

SHA256
5237092d69f77a63c63560a739941ab00dc4c1153f86983d557343d72c61c748

SHA512
81ef9dd392c01ca89ea431aacc5f2407d0b92f4809b20ddd691a7de79486cad4683fea6ab78a1e52acbeeb4937ba06f0b8edcde8a6faf19d8c55e256d3098917

Download Submit
C:\Users\Admin\AppData\Local\Temp\dknev6u9.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\dknev6u9.cmdline

Filesize
227B

MD5
9a0dde75cd5b58530f22062b23e8dbbe

SHA1
33f30504ff96cbc6cd77671f3a8ed496bc078eb4

SHA256
86004fc7d0895f383258b9d10eb2324761071750aecee9850685879ea712bcb3

SHA512
5c06cc43f5f2848c9c016e8e28e7a8fe003348a08bf922894e10fbf79751a5b3a0acb09365f8375739abee7ade29ca7c79da4211c44fe2778db5728e584dcc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\hz3pvje0.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\hz3pvje0.cmdline

Filesize
274B

MD5
0a4d9c66a77042eb15637279638a05c9

SHA1
b2b5f3d52697a1f845ef7ac0734196920dc23286

SHA256
7ce6a19dd816b2423c2eb23c923ae459b35f1e27a91fe5c46b1c52b64ef84b3c

SHA512
6551d4bae21864b74012552c0b7e393763b1812f0886071950a040f80d74deb96fc4727bcb8ddd7bce91a737a63e07974d80b7eea1f7b2dc55fabd4aa1630a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\l30x5rln.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\l30x5rln.cmdline

Filesize
256B

MD5
247e0d0ee37a23de66b7d91b83fe474f

SHA1
6107c9bd361d530aa1bbf24dca83a2c70dc774ad

SHA256
32beb7d0b1d2f657ec26fdf4ab4f87e10c5126fb0f4ead2a8ea2f6f0eef4ef01

SHA512
d416d6631f955f8be7c80c8fc35014ec56735f34223cea4d2f929d19414156f3f4e188388971874acd6564d523274a6f37dcc65bf5ec88eba355c55b035d53bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpqmf0qg.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpqmf0qg.cmdline

Filesize
264B

MD5
6a940ad48c9fb2f799522de38dd35805

SHA1
e5f7d854629baa4a8b7ca422bd5bdece41b0f689

SHA256
54d9a50032edafd2690c0685dde39d36a4937ec6079da0764faf3138fd81c757

SHA512
047c2fd62b01179c65f445768792a8eb8005a21745f1d44bb6144018fd58992857e7b78d9a769cfe7bf400fca7ab147b1bc1eaf333a09728b951655db33ac0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4jzqavn.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4jzqavn.cmdline

Filesize
274B

MD5
161c98dad3226cd7fca7c3355e8efffa

SHA1
4351fc15a7818ec3a33b23b84da4458c15c3ed45

SHA256
08c34754105d3eb295cd41a6d7f6512bb8472c0ec82686331f9e15e17db21c98

SHA512
e64f865f8873c8c1dc361b670ad78211803db8818fdc0d31a07e3e2546af1f505fb55cdd9a75727a15aebd5c4c48987be6ae12926e2319474f532e2f7cc0f683

Download Submit
C:\Users\Admin\AppData\Local\Temp\t93elawy.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\t93elawy.cmdline

Filesize
268B

MD5
ef4861ee1992d7ac0bbad0865357b536

SHA1
bbd725d02700966243436220dbeb2425b58ebda8

SHA256
602c28cfafa3109b1ce08dee03aae14ae3d8e765216b0e16e6a87ead9365c45e

SHA512
73860f505fd4c3aa7aa4a16051c55cc2f68a97cfcdb501607f0a60ce8648403b446b80e74e86087a299fa03bddb5df4487e74080cfe8a4370fff7197a769f664

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjzz8t00.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjzz8t00.cmdline

Filesize
227B

MD5
d9119be8b89a69d7d0b3d2c2e4464935

SHA1
4fd2663c6e608d8b7cb87424f98130b94ebe303b

SHA256
5e772df59d8ee22d8ec4a5d62b5eaf5846026f3a7bc41eac45fdb56add6184e7

SHA512
2379be7c3260ce7de419249f9c3e77d03760afcb683a7cc4bdecebb2ce2346c25970cb5fa141f45e927e7e099162c716e0d6342c566efe46980b9e3a11fa8c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc15531943ACD4486A35D2875BA6F658.TMP

Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C71A2D117114ECEB87BD093DD125DED.TMP

Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc28305AC447CB49B98CF28F59B6ACDA7F.TMP

Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2A928EF9E7624AEEA3DEB75D3EA0611.TMP

Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4692E8742E1A4B60BDEE9C3960B98DF4.TMP

Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc511A2EF6C6C7471981B6472542F3430.TMP

Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc68D1B2FADEA74615AA58CC789373A64D.TMP

Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7786216944C5BA83BE8889E368DFB.TMP

Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc782E92C2C8614343B8DFCFC0B28950C5.TMP

Filesize
5KB

MD5
9874538991433131fb3158b7b1f83d46

SHA1
9e9efd410b28be52f091ceab335eb1e6ed8e001c

SHA256
2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c

SHA512
9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB1CD746BFEC0474C993B40C53BD068B0.TMP

Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA6FF64030454BDFB4764CCEB8D491.TMP

Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC5DC0186EC9347A5BE4E3CCF4FA31.TMP

Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE18B00E6636448E983F5158FFB4979.TMP

Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xidiww9x.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\xidiww9x.cmdline

Filesize
270B

MD5
5de4435089d16abfe32d56528b8ff94a

SHA1
1d060482ea3bd70bdb5d6b359baa2601f1ab8ed6

SHA256
0d6a254308439bed8911c2eac1894476abb8ec503f7aa7388003dc66729764fa

SHA512
646e92cee8b22616c9d19bc5a6489cc5f47f4f1298d7fa97af2ad67ef5912b185e03570963b84f10239bba2c47371d9642e2831f5979fe5a91f81ad64a96bcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xu17z7ad.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\xu17z7ad.cmdline

Filesize
268B

MD5
bf03411371216c3ddc477e22579c9327

SHA1
0a5498b60e20bde071c8dfe57764abaee1773b98

SHA256
70fc46cfdf8c6302455e67708cf6f3ea9fca42aed4ba7d6a8b026dd585e76023

SHA512
8e4e1ebbc163a64b74564c4d33a0d972ef3f48297e153fd063988d57e99ca52e3df447405cb8ba6ef9ff4eb5ff89168b082c215feb5fc5e6229be5e55e2cfa59

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfahnaxt.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfahnaxt.cmdline

Filesize
256B

MD5
51d1fd2bacc2794fee120a72a9aefea3

SHA1
1ef5db71e3d1a7a54e6be6ba351079893bd387e0

SHA256
cf63e9e756c67d9b9d28e22052e52d7800e8736cd24cacaf3118341fdac78cc6

SHA512
4292e2b9727dff659f00a91ab4b9edff83c8a2418832e67c20694e7ffe5fd1a11965221b5bb5a34adf6c796c54a1661cfd27a55b72ef57fea3f78a37a7fc3a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9fpcpzd.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9fpcpzd.cmdline

Filesize
270B

MD5
1c23983a46b53af2bcfac97ebfd3b21a

SHA1
4dd5a2932d7ad70e44238b7c0d86f582ecd9771c

SHA256
18719255b8b85955342072ed6f224eac2e56ca761c06eedc35782e1b1453c9c7

SHA512
2aec863980bbc5da8a6be29716bd6cb11f13a3eed3115df918e6deed205158ce6de2548465e08b48c9d3bef63736c369e40e4b8c77e75bc1fb4bb348126b00ba

Download Submit
memory/3480-43-0x00007FFA181A0000-0x00007FFA18B41000-memory.dmp

Filesize
9.6MB

Download
memory/3480-295-0x00007FFA181A0000-0x00007FFA18B41000-memory.dmp

Filesize
9.6MB

Download
memory/3564-5-0x000000001C470000-0x000000001C4D2000-memory.dmp

Filesize
392KB

Download
memory/3564-7-0x00007FFA18455000-0x00007FFA18456000-memory.dmp

Filesize
4KB

Download
memory/3564-2-0x000000001BE80000-0x000000001C34E000-memory.dmp

Filesize
4.8MB

Download
memory/3564-0-0x00007FFA18455000-0x00007FFA18456000-memory.dmp

Filesize
4KB

Download
memory/3564-3-0x000000001B8F0000-0x000000001B996000-memory.dmp

Filesize
664KB

Download
memory/3564-1-0x00007FFA181A0000-0x00007FFA18B41000-memory.dmp

Filesize
9.6MB

Download
memory/3564-10-0x000000001D670000-0x000000001D70C000-memory.dmp

Filesize
624KB

Download
memory/3564-6-0x00007FFA181A0000-0x00007FFA18B41000-memory.dmp

Filesize
9.6MB

Download
memory/3564-4-0x00007FFA181A0000-0x00007FFA18B41000-memory.dmp

Filesize
9.6MB

Download
memory/4960-26-0x00007FFA181A0000-0x00007FFA18B41000-memory.dmp

Filesize
9.6MB

Download
memory/4960-21-0x00007FFA181A0000-0x00007FFA18B41000-memory.dmp

Filesize
9.6MB

Download