60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
141s
max time network
147s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-06-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation file.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Drops file in Windows directory 1 IoCs

Processes:

file.exe

description ioc process

File created C:\Windows\rescache\_merged\3720402701\1568373884.pri file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 1340 file.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	file.exe

description	pid	process
Token: SeDebugPrivilege	1340	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 1340 wrote to memory of 212	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 212	1340	file.exe	vbc.exe
PID 212 wrote to memory of 1740	212	vbc.exe	cvtres.exe
PID 212 wrote to memory of 1740	212	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 3120	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 3120	1340	file.exe	vbc.exe
PID 3120 wrote to memory of 1588	3120	vbc.exe	cvtres.exe
PID 3120 wrote to memory of 1588	3120	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 4508	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 4508	1340	file.exe	vbc.exe
PID 4508 wrote to memory of 1072	4508	vbc.exe	cvtres.exe
PID 4508 wrote to memory of 1072	4508	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 4740	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 4740	1340	file.exe	vbc.exe
PID 4740 wrote to memory of 4420	4740	vbc.exe	cvtres.exe
PID 4740 wrote to memory of 4420	4740	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 4824	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 4824	1340	file.exe	vbc.exe
PID 4824 wrote to memory of 600	4824	vbc.exe	cvtres.exe
PID 4824 wrote to memory of 600	4824	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 4296	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 4296	1340	file.exe	vbc.exe
PID 4296 wrote to memory of 1832	4296	vbc.exe	cvtres.exe
PID 4296 wrote to memory of 1832	4296	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 4616	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 4616	1340	file.exe	vbc.exe
PID 4616 wrote to memory of 3976	4616	vbc.exe	cvtres.exe
PID 4616 wrote to memory of 3976	4616	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 3820	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 3820	1340	file.exe	vbc.exe
PID 3820 wrote to memory of 532	3820	vbc.exe	cvtres.exe
PID 3820 wrote to memory of 532	3820	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 4784	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 4784	1340	file.exe	vbc.exe
PID 4784 wrote to memory of 4388	4784	vbc.exe	cvtres.exe
PID 4784 wrote to memory of 4388	4784	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 4380	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 4380	1340	file.exe	vbc.exe
PID 4380 wrote to memory of 4332	4380	vbc.exe	cvtres.exe
PID 4380 wrote to memory of 4332	4380	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 5080	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 5080	1340	file.exe	vbc.exe
PID 5080 wrote to memory of 2392	5080	vbc.exe	cvtres.exe
PID 5080 wrote to memory of 2392	5080	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 3724	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 3724	1340	file.exe	vbc.exe
PID 3724 wrote to memory of 1492	3724	vbc.exe	cvtres.exe
PID 3724 wrote to memory of 1492	3724	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 5096	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 5096	1340	file.exe	vbc.exe
PID 5096 wrote to memory of 440	5096	vbc.exe	cvtres.exe
PID 5096 wrote to memory of 440	5096	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 224	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 224	1340	file.exe	vbc.exe
PID 224 wrote to memory of 3392	224	vbc.exe	cvtres.exe
PID 224 wrote to memory of 3392	224	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 4804	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 4804	1340	file.exe	vbc.exe
PID 4804 wrote to memory of 4864	4804	vbc.exe	cvtres.exe
PID 4804 wrote to memory of 4864	4804	vbc.exe	cvtres.exe
PID 1340 wrote to memory of 1072	1340	file.exe	vbc.exe
PID 1340 wrote to memory of 1072	1340	file.exe	vbc.exe
PID 1072 wrote to memory of 1848	1072	vbc.exe	cvtres.exe
PID 1072 wrote to memory of 1848	1072	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1cvjstpj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC0CDE7D208D4A57BCE6AE709F11747E.TMP"
    3⤵
    PID:1740
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qi2jscms.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE6A07C6BEAE4FB692B975DAE42C68A2.TMP"
    3⤵
    PID:1588
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krkug62f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD716.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FC7471E145A42309341F9E6A464A4CF.TMP"
    3⤵
    PID:1072
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gfhdjl6j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD793.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC3B7F1E2F0C44FEBD106A8FA739CDC4.TMP"
    3⤵
    PID:4420
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wlw4unqj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD801.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5097A63A93614303A73D7BC4B3507E2.TMP"
    3⤵
    PID:600
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\anglpnq9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD84F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7D4B59E58A0646C99C5E1A1518551B7.TMP"
    3⤵
    PID:1832
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yx-c_o1_.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD89D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84CA4A417CD343FAB6A6C890B8529A2A.TMP"
    3⤵
    PID:3976
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3s_uurdw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED01CD0E5B9D44C698A263C6E35CCB50.TMP"
    3⤵
    PID:532
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2afl1xam.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD92A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29CB9A5B44DF4765A27C2E4713D3FE5A.TMP"
    3⤵
    PID:4388
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5gdco0sn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB86CC978B5A4C189FD97A67E3AA2030.TMP"
    3⤵
    PID:4332
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wh04khfz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA72.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6B39C0CC8B402286EBA2926A27CEC.TMP"
    3⤵
    PID:2392
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\urfufxeh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45AE3881DE6F4A15B35C60CE36D43A88.TMP"
    3⤵
    PID:1492
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxjgsh9n.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAFE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBC2AE41CE4F30A874F1914D21EAD5.TMP"
    3⤵
    PID:440
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wbx9lbyc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B61C6622CED4836B8C7E1656502D66.TMP"
    3⤵
    PID:3392
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\990cyk3m.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB8B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7D38572E14B47BE8AAE75A55A34B3CA.TMP"
    3⤵
    PID:4864
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pzqd2qpk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45D0C7B86BB34603A93296CC1CD3C067.TMP"
    3⤵
    PID:1848
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q6sf2qhx.cmdline"
  2⤵
  PID:3896
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0405455670E43A7949996A795CA5346.TMP"
    3⤵
    PID:3136
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l4abamyv.cmdline"
  2⤵
  PID:308
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5A8E0F75E9A4B9383E58CE587127AB4.TMP"
    3⤵
    PID:4944
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gavkf5ny.cmdline"
  2⤵
  PID:4140
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc130E2DC1FC37441296F605F2DF89830.TMP"
    3⤵
    PID:1832
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v3i98pbr.cmdline"
  2⤵
  PID:4296
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD12.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc567102883A744674A4201EC32ADC6EE7.TMP"
    3⤵
    PID:4896
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e4v4ddcr.cmdline"
  2⤵
  PID:1636
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc729DC4D23A664C2EBF21CAA87B623885.TMP"
    3⤵
    PID:4484
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rj9nrgvb.cmdline"
  2⤵
  PID:5056
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc459EB6248A234A158C8D8197D8C8E6D8.TMP"
    3⤵
    PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
d5997b8f3f9665fe1cd7defb29cff584

SHA1
7b281c8982b042d77e7a53ce282eab7f8417adc7

SHA256
ba40f96904ef649d30f9477d2e1b770b312832ba81e6345946645c15dd4ceabc

SHA512
88f66652b43ccdb551c9e876eab1e7f0bdbf2b8c19bb9b871402e94d1e826424b917495dd3b79c228724f49d1495cd3cea49fafb7a14f23e5e1eb6a29b68871c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cvjstpj.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cvjstpj.cmdline

Filesize
256B

MD5
2d49b6302274d2c30db369fa45bcfafd

SHA1
72c7e52dc945cf1ba1b4538163b3a28b3ef227f4

SHA256
20a8b935c4b7774ec26b51f96619ef5c7fa2b29bf56cd33ab54e559e9b00164f

SHA512
f089f6ad4de755529cef16f0219f2fc1a33f02783f77dce28cd98c927d85eb296b237773547b786ded84eae0c110f627f6db22a9cba1e027bcfdaf218904fe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2afl1xam.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\2afl1xam.cmdline

Filesize
268B

MD5
ce0ffd37c8e60768be8040cd3a78c3d7

SHA1
a36da419171480021b3f81ed53624017bfff1e71

SHA256
3c2e0ad078e6a24c621292f3aee234faabb47b9d3843e57342e2ce9845246525

SHA512
08d37ed17cd2a10e123ffc336ef96b92578285e3c45292bca0090afe0355113f9e76ccc9b53806525925426de523cdc6619a9f151274f11c1dfa2cc47a476433

Download Submit
C:\Users\Admin\AppData\Local\Temp\3s_uurdw.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\3s_uurdw.cmdline

Filesize
270B

MD5
a72f02cb63f1bc0688eab47c21d2a4a3

SHA1
ee3698c86a9fde619876f49d8c5f74a38316d20f

SHA256
faf97e3904b156ee02d5cb26e6c9c287ac7bf33f4e3a0329fccad618f5a0e052

SHA512
9e362e74e8e7506832c31bcd886ce17d6c1a395d6439ebce5e593f00bfa392e59548f21b7ba2178ec730bb5c149d3e2eea808ae80a6f366261d6e968f339aaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\5gdco0sn.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\5gdco0sn.cmdline

Filesize
274B

MD5
6f280de6835000a372c23c97b54af2ad

SHA1
3a2056395b57e4792479526feccf8127c70e8845

SHA256
7a87c72bfc03232323e19c4cba444ba355cf24c40c1f94cda9ff30e409886068

SHA512
bf6a2902ed539ad3e649920a7177607b68783bb6dae7289eb5741847bef6e81c230f4fa401507d0ec136dc40e41f766246bfbf6c5727c7d8257e548b8f1cddf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD5FD.tmp

Filesize
5KB

MD5
c61bcfa9ac6c1c272c6532b231e34189

SHA1
ec7218a06b810019790a0a7bec882a5a4079decf

SHA256
a1244b0176089673c9128c7809d2c93bb916c1dfc98b6816eac9bdb927fd3ba4

SHA512
67739efe34987a87f76299b3f1d7be0a7b77ede4a82ccbcfdd7b4f66f36ee0fefa69ed3029360778c71a0bf86fa575614354c2405a73312b0e733dfb9ff54501

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD6A9.tmp

Filesize
5KB

MD5
b9940f7956178a361605fdae82b37afc

SHA1
4a717a545a13f71ff82b2835d3df66d362ae628d

SHA256
33e67660c0ee09f6fb335ff9f33a7471aeef74f8ecb6f6c03db346c0092a2b69

SHA512
23ba0ae82c85ca930e37828035b420061b192c036e06cd59992fbf0cb4489091d19d972272dbe680690697b5c66078fa3856c0b314276b25aea529c95414ea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD716.tmp

Filesize
5KB

MD5
2dd48f41f8a594d166bd7a1cdca416c2

SHA1
88253eb1aa9ea9bcd12766df16db2c94ee2eb592

SHA256
5e77cf6fbfa5d05bf39c1d9bc72adfcb8d0893290c1f0f4b1e6fdca121d1ff6a

SHA512
083669f13d3bbe2ce2ad1e263c5eadbb184b701433940d0d214dfb3f73e7ea24656cd1219fa3b24680aa901ab3774533c5190dc1e59c765c52ab823a7a34758b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD793.tmp

Filesize
5KB

MD5
ee019f2ea00920c3b1dae6789b2ebaff

SHA1
f1dfea9508594dd61c238ffde8a415a226ff2fd8

SHA256
9bd57d8844d3d79a5469c09b976c353501526d7326f634c6b840aa819da0f529

SHA512
246f86592f35bc8525d112009c38e9cd3f4adbb5e83e161434e018b76537e10c76600754efca6236f6d5b3777c1acfda822083845207fc96852718bef7d367f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD801.tmp

Filesize
5KB

MD5
760bde1b9775015dcc4d29e72d5affdf

SHA1
20880bab04dc3003df1a0f254a86c537b9bbb6d1

SHA256
073b89bc83ccdeecab590e92e8f984636c02b8583d39d2c30beeb5e4aca1b7cb

SHA512
07bf4a5eaa5e1683e28039b27ad3ce12492322ea267847bc9623f598e74a8de6d3ab156466aae151548ca9f6e2b80e591e755894a34ee9f3043ca64c85e30d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD84F.tmp

Filesize
5KB

MD5
dbd7eab40c5f88015d1528cc615fdb9a

SHA1
45c108a04dff37f0989fbaddea01c527407fe845

SHA256
a3587657b9eac838822c7d8c499f32cad99f2b492ec0d854e9d8935e8808280c

SHA512
711b7faba5beaa18a7675b651f352dd3b15f7498dd30779124708b24288f3ddd930a8e40b28341d4b2d1b1545d2e6c5fff3e859919caa68cf7b1fe5bdc6f9c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD89D.tmp

Filesize
5KB

MD5
28bfad916ead005254b2dbaf95052eba

SHA1
a75c236a51e7aa5edcfddd366a679fa036c28442

SHA256
754b00a1dff16e361bed8b315ffa624d89d8c4b37ee14e82d97ed5420df6a053

SHA512
1501c83e8d1d1bacc86f58a05e41a8b81c00024bf2baea8fb841ffeefea4cdcee3ac9f5df3a3539db780606b42de961b7cad1316f5aaafd690a41cb1fbab0429

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD8DB.tmp

Filesize
5KB

MD5
0709d972a2ad16cb733a84025db41a4e

SHA1
9bb89bd55a3173e6bbaf584843589e9c77fc5d56

SHA256
c49c8b46ea62f55f0233ca30de4f99040eae3156b5e332a26df21fdb152f6bec

SHA512
865e4898df83176e9530cae305d5830e73741455c0a15f8885a515ddd27720dabdc6dcb2ddb3e3dcd14b7f52dda50ceeae445d58f7c67b9e130e67d957fbff68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD92A.tmp

Filesize
5KB

MD5
fa3a0afe885cc07249fd249ecdfac498

SHA1
091bb7a303f147f871dce632afc6205405aa1877

SHA256
c958f305610be4a9837f4329d319236bac511d189762edc4e0a9c21e4fd9ea3b

SHA512
0a3d43e05d6cb145cec1f1fc13b8b5d045e1a6561e00402b8a44e33282c9b2a5fee3e5f6d899dd983569d3b752d99e420191580b6de06fbb88ad279deee7c409

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD9A7.tmp

Filesize
5KB

MD5
1af1a9f2641f1cb5aed98d95bdfc27b4

SHA1
07475515ce1d75bab3a3197fb91ec4343e4f6ff9

SHA256
8ff38d0eb5b8ce2f284eff7e1159e854827cc7d4b16f7d80fdc8e2c8726e8a55

SHA512
e5d001a4c198bda1920bd62edef2978360ca11ae36ce01f40111f42db77063a3d4c36da0f7234037af2d559a4722faeac11a72512fed3f57014f6794e62f2120

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDA72.tmp

Filesize
5KB

MD5
fea759b43e9be9421d5ad4b42f65ad25

SHA1
ad1fc61f6615af5679665ab6bd0e12af506273c8

SHA256
1a0e01ae6fd452d69fcb5bbd2b8500942e1245cc9ffc720e5cfc4393f68798e5

SHA512
8c08773d59c1ae3ad34845557af135c5ce185371f33a3927471f6542e57caf1dfc1c37f761ad581f7e8ce600552cd327800a7a0a912657a10a508191afaa869a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDAC0.tmp

Filesize
5KB

MD5
c756faf4af1b7ed06302fec33d63af56

SHA1
c35d9676e4b1ee6e8d49c17fe75b621df8889abe

SHA256
88bd8adfb0adb2fccf7bbfdce42ebdd97a71630548f81270b2ee5335fb410976

SHA512
ba9636f6d7defee970f66807f3860ae2ee4ce2788b84c5f8ef5ea61d1ccf47fc2bce9c68ea236c7a1395fc77bef8e0151785782b2b17a853d3f5c65966f39c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\anglpnq9.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\anglpnq9.cmdline

Filesize
270B

MD5
ee2adcdcb46f1dc3e563d46e6dc9ff5f

SHA1
3c09713bcc78f0d0fc9ba4ec075c58dcd2109112

SHA256
f8251a744cf8bfeb8dd027e4e5a2f9d264cc1fa8205c22f9bdc75182213d2854

SHA512
c699dcfa6a95b83bdbb66cbe88e9c21f43737c8df26cbfec4ab768901c7133b0ccdf91ae5412e9d4867c48ed428a3b68c11c768fe6f58bb689a13635ea222eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxjgsh9n.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxjgsh9n.cmdline

Filesize
268B

MD5
07ec4857b65ee4b154f69185f1bbddaa

SHA1
6f8bc8382eef38ae63f9a24405c279556223a72e

SHA256
a0526806a5e449a924946628d1b6a83bb5fc85fbc662ccba877d024db079de81

SHA512
90eb7cdd4c620245f15a5394d68b395447006081426dc3f61351ed0f69078248aab459107b5f8e80e807da0a2eb3ed05bd46c252faf568248acbc3660e32a956

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfhdjl6j.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfhdjl6j.cmdline

Filesize
227B

MD5
e601ed5943039c7f462d55394f76af22

SHA1
62c5407fd1e2984fe9ccd7e4c8f0e6972dd9cc8c

SHA256
c651f6c42250e0e42a84df51fd84d3a8d9771312863cb431b4256563c8629b32

SHA512
538a17d9da2a0000a67f8ff3270cd13a09ead17e0e06ecd7a3dde96abb0e9e1442f94cfbc554a42314a7728c93092aa28ded55410a006d8b0eb6bfed2b86982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\krkug62f.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\krkug62f.cmdline

Filesize
256B

MD5
eae721446bde226c47ca6d2d0bdc4665

SHA1
78dbc689f7d1c991282ce58b65b313c34aa7c187

SHA256
aca5be1b7139f8cab2d5c73288a7d2332d0b90066859cce92292279e50e1a271

SHA512
cd663f25b064f9cc602ebd654cd122d78ebe36de5717017037095a78553fbccbbd7e72cbfbe15b25b3505dba882d779ef811e087d9b99271b8997a974199ac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\qi2jscms.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\qi2jscms.cmdline

Filesize
227B

MD5
f9ce28465b5ffd323e2b498a6e66c1ab

SHA1
cd3d68af8bd69843bd9e75a69192494c9e402c54

SHA256
5c1e691eda07ea38e81d2c0fe64c3835dbffd8bab6d11d30378a38efd92a2fbb

SHA512
c9993e9212774bebf8fc331b9d8f3d6d20faf224d74900cf66664598e03713cfa02e100de50bb15310b771294c38bfac0a2888b0ce95c2a21ef0dff793a0b075

Download Submit
C:\Users\Admin\AppData\Local\Temp\urfufxeh.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\urfufxeh.cmdline

Filesize
274B

MD5
205c9fc4d25849f6280a9541cdf30490

SHA1
c94f74f5228affcc7dd5635093ece3ca05536398

SHA256
d8f61dd63b34211fa9df4a7aa09ab27000932cdbd864e7b8a376871567dafa1b

SHA512
a452a54af5fc0618ffcdafdf6985fbd6537b52aeee6b6b139c69c778b2c314baa8329a2467de32417c70f2071f9defd741d962b1dbd903e911ee8911ce694b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc29CB9A5B44DF4765A27C2E4713D3FE5A.TMP

Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc45AE3881DE6F4A15B35C60CE36D43A88.TMP

Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5097A63A93614303A73D7BC4B3507E2.TMP

Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7D4B59E58A0646C99C5E1A1518551B7.TMP

Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc84CA4A417CD343FAB6A6C890B8529A2A.TMP

Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8FC7471E145A42309341F9E6A464A4CF.TMP

Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB86CC978B5A4C189FD97A67E3AA2030.TMP

Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCC0CDE7D208D4A57BCE6AE709F11747E.TMP

Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE6A07C6BEAE4FB692B975DAE42C68A2.TMP

Filesize
5KB

MD5
19fc49755dbde37764cd7f4ea2d3f2e8

SHA1
d0b0760fb3c0d95e29b713a8b1e778be6d4f141b

SHA256
d2508db1037895b67cd6f3e2d183b22c42336acc3246ad9e0fe687fd0f3f8e9f

SHA512
1e261c9a0cebc104429e4162a30bad937f64c75f126b54be9576d9e5d74beadffd34cb116199c6a4ece8d3883256dbb1594ca2340d747a5e1aa2890053476772

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDBC2AE41CE4F30A874F1914D21EAD5.TMP

Filesize
5KB

MD5
9874538991433131fb3158b7b1f83d46

SHA1
9e9efd410b28be52f091ceab335eb1e6ed8e001c

SHA256
2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c

SHA512
9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED01CD0E5B9D44C698A263C6E35CCB50.TMP

Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF6B39C0CC8B402286EBA2926A27CEC.TMP

Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC3B7F1E2F0C44FEBD106A8FA739CDC4.TMP

Filesize
5KB

MD5
78f7c3ea70e4aaa3507fef7b8d6ff49c

SHA1
49b5d27ea604cccc3d5c5413fb98c221814971b7

SHA256
42cccf82c9e1ceae42e71d0b2c367ff9a3445ba23318250738cec66245123744

SHA512
a9aa39c5bd0c10ff5b7fd37dd3beaad10312db89b5b15b9ef2825a501200e7b3c717c8a6a125463cfe951c8ecc29ef5d587289198619bbeb6910afc20c6e8883

Download Submit
C:\Users\Admin\AppData\Local\Temp\wh04khfz.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\wh04khfz.cmdline

Filesize
268B

MD5
fe1330fbff6583dd1a9257ee8f968817

SHA1
c645e0c918dbad6e9f08c6bd630c72b3744cc8f7

SHA256
84340f101f113d874512eb685e63951b2bfbf3bb67e6d7a6bba7f73b398611ed

SHA512
f27b3b0cbe9e408b7652fe2043f6b72b600fdd4fbba720385676d25346802ebc91c3901dadfa33cdd6a8b4c9371c919ee26aa0a669337df19d4836173fb36048

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlw4unqj.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlw4unqj.cmdline

Filesize
264B

MD5
91a552c59f26ee99f3c79ebc399872dc

SHA1
eee00a2fefa2d08a9ff38b1469de2c9f4c8ff901

SHA256
2e34f16896849301316616791a9c8dfd9415ec3df554e29c6c5a54624cc6d8f6

SHA512
e2f252f4a473625504b3d890603f195f3e329ec4ffea8de4694d6bc6b4d547b69137891dcd70ac2e78992d3b2bf45eb2bf50f0e7b6fb6e6bb981ac49e550cc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yx-c_o1_.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yx-c_o1_.cmdline

Filesize
264B

MD5
9e4708d0fe10f66eb0d731cde094d031

SHA1
98898c5362b7d8cc07e73f176976dfcdaf8bcc5a

SHA256
e85f76bc5e5881472319c0844194842197ffc5c97b9a0aa00eb261d319980c9c

SHA512
80bf55bc942b7df643062c3ffa862faab371d823c24a1ce790a4079a29b0f31998b79be382b4a0b97dbbca350a45a6f23fd5ef7a1eeb69b943eb2fafae495b4f

Download Submit
memory/212-20-0x00007FF834680000-0x00007FF835020000-memory.dmp

Filesize
9.6MB

Download
memory/212-25-0x00007FF834680000-0x00007FF835020000-memory.dmp

Filesize
9.6MB

Download
memory/1340-1-0x00007FF834680000-0x00007FF835020000-memory.dmp

Filesize
9.6MB

Download
memory/1340-6-0x00007FF834680000-0x00007FF835020000-memory.dmp

Filesize
9.6MB

Download
memory/1340-9-0x000000001CE90000-0x000000001CF2C000-memory.dmp

Filesize
624KB

Download
memory/1340-5-0x000000001BCA0000-0x000000001BD02000-memory.dmp

Filesize
392KB

Download
memory/1340-3-0x000000001BB80000-0x000000001BC26000-memory.dmp

Filesize
664KB

Download
memory/1340-4-0x00007FF834680000-0x00007FF835020000-memory.dmp

Filesize
9.6MB

Download
memory/1340-2-0x000000001B6B0000-0x000000001BB7E000-memory.dmp

Filesize
4.8MB

Download
memory/1340-0-0x00007FF834935000-0x00007FF834936000-memory.dmp

Filesize
4KB

Download