60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
135s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 2320 file.exe

description	pid	process
Token: SeDebugPrivilege	2320	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 2320 wrote to memory of 4388	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 4388	2320	file.exe	vbc.exe
PID 4388 wrote to memory of 3912	4388	vbc.exe	cvtres.exe
PID 4388 wrote to memory of 3912	4388	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 3848	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 3848	2320	file.exe	vbc.exe
PID 3848 wrote to memory of 1904	3848	vbc.exe	cvtres.exe
PID 3848 wrote to memory of 1904	3848	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 4536	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 4536	2320	file.exe	vbc.exe
PID 4536 wrote to memory of 2592	4536	vbc.exe	cvtres.exe
PID 4536 wrote to memory of 2592	4536	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 2488	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 2488	2320	file.exe	vbc.exe
PID 2488 wrote to memory of 1832	2488	vbc.exe	cvtres.exe
PID 2488 wrote to memory of 1832	2488	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 1824	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 1824	2320	file.exe	vbc.exe
PID 1824 wrote to memory of 1864	1824	vbc.exe	cvtres.exe
PID 1824 wrote to memory of 1864	1824	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 2788	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 2788	2320	file.exe	vbc.exe
PID 2788 wrote to memory of 1576	2788	vbc.exe	cvtres.exe
PID 2788 wrote to memory of 1576	2788	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 3612	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 3612	2320	file.exe	vbc.exe
PID 3612 wrote to memory of 2792	3612	vbc.exe	cvtres.exe
PID 3612 wrote to memory of 2792	3612	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 860	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 860	2320	file.exe	vbc.exe
PID 860 wrote to memory of 3100	860	vbc.exe	cvtres.exe
PID 860 wrote to memory of 3100	860	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 4824	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 4824	2320	file.exe	vbc.exe
PID 4824 wrote to memory of 4424	4824	vbc.exe	cvtres.exe
PID 4824 wrote to memory of 4424	4824	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 3424	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 3424	2320	file.exe	vbc.exe
PID 3424 wrote to memory of 2840	3424	vbc.exe	cvtres.exe
PID 3424 wrote to memory of 2840	3424	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 1788	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 1788	2320	file.exe	vbc.exe
PID 1788 wrote to memory of 4784	1788	vbc.exe	cvtres.exe
PID 1788 wrote to memory of 4784	1788	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 4676	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 4676	2320	file.exe	vbc.exe
PID 4676 wrote to memory of 2332	4676	vbc.exe	cvtres.exe
PID 4676 wrote to memory of 2332	4676	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 4968	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 4968	2320	file.exe	vbc.exe
PID 4968 wrote to memory of 2224	4968	vbc.exe	cvtres.exe
PID 4968 wrote to memory of 2224	4968	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 3964	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 3964	2320	file.exe	vbc.exe
PID 3964 wrote to memory of 4324	3964	vbc.exe	cvtres.exe
PID 3964 wrote to memory of 4324	3964	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 4116	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 4116	2320	file.exe	vbc.exe
PID 4116 wrote to memory of 4564	4116	vbc.exe	cvtres.exe
PID 4116 wrote to memory of 4564	4116	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 4352	2320	file.exe	vbc.exe
PID 2320 wrote to memory of 4352	2320	file.exe	vbc.exe
PID 4352 wrote to memory of 4340	4352	vbc.exe	cvtres.exe
PID 4352 wrote to memory of 4340	4352	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\us0rqafv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62D7E5B2E2A4D23A07890461F99184.TMP"
    3⤵
    PID:3912
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6v29yrsc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF760.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FB8E22012D6410E89614369B57840.TMP"
    3⤵
    PID:1904
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ashnsgtq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF82B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2460153AE9A492C9EBA1D4B75C34CB8.TMP"
    3⤵
    PID:2592
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dwhtc7pz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CB0B27EFC4645339942ADB35C631C4.TMP"
    3⤵
    PID:1832
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7f4akbna.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF935.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4174F4FBF61A4835B6435F645572C.TMP"
    3⤵
    PID:1864
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\flldcfns.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44AEA07633C742E4B31DE443FFEBFD0.TMP"
    3⤵
    PID:1576
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ociedmxf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc660CFA2360D04D97927C1AB98A5F369F.TMP"
    3⤵
    PID:2792
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8zuulsrb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA692DD85C8444D669C8BBA6CBEE578B.TMP"
    3⤵
    PID:3100
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\huxsvxks.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc794856869E7416FB4C9B66BB2F710B2.TMP"
    3⤵
    PID:4424
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jn9p2ma_.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29ECB160E12142F0B745DCFBECAD6553.TMP"
    3⤵
    PID:2840
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oiwyexie.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC13.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75FFDD347B0E407B8C6066BA29426653.TMP"
    3⤵
    PID:4784
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1zcc9hnq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73A76C1D88FA449DBB74D07BCFB8E670.TMP"
    3⤵
    PID:2332
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6oq-quuy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCEE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E85418E91094F3AA7B31A88FB44FF.TMP"
    3⤵
    PID:2224
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjibwuoi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD5B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc335B2B24F4854D06A29C6D12E6116756.TMP"
    3⤵
    PID:4324
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uznkacxc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93D8DE45D5154434AA204F4C9A49CEC2.TMP"
    3⤵
    PID:4564
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zsrbtpsh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE512AE9F5F8045E2997DE3E8F7121192.TMP"
    3⤵
    PID:4340
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0dfnwv5b.cmdline"
  2⤵
  PID:1504
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD14F34C9B8494D9896221DAAC52BF84F.TMP"
    3⤵
    PID:1796
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s8cco2un.cmdline"
  2⤵
  PID:4772
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD66E9D3BDEB4F93A8CECB361CA84D6.TMP"
    3⤵
    PID:1948
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w6xqgywj.cmdline"
  2⤵
  PID:1668
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF8719AB4E154A89A7734159C195616.TMP"
    3⤵
    PID:3284
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u9ibkhiw.cmdline"
  2⤵
  PID:5044
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B0735D4FA50480D8BB478B09633287D.TMP"
    3⤵
    PID:4964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\46tty5ms.cmdline"
  2⤵
  PID:64
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8FE591065524A14B5ED66D41C2D853.TMP"
    3⤵
    PID:3120
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4j0i-9dx.cmdline"
  2⤵
  PID:4284
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES172.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc775BF5FEEE6417B888CB0583214B02C.TMP"
    3⤵
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1zcc9hnq.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\1zcc9hnq.cmdline

Filesize
274B

MD5
36839554fa6c7c106c3a5cdde4169123

SHA1
879009130a2cafaf3f495806a0929dcde431fd45

SHA256
b1bc83f95f60abb17da80a1efeafc87b81ed8db3436163ca6c37b655408e9b5e

SHA512
f26ec9ca84099a8e92344b302bc3030c308385598077287ad257f1ec4fd2a3251c39724305e6d001e038999dc84c53919116d660f12dbfddea77edc6d2d47828

Download Submit
C:\Users\Admin\AppData\Local\Temp\6oq-quuy.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\6oq-quuy.cmdline

Filesize
268B

MD5
e5816b839292196bc260088ab021ddba

SHA1
a19a259074b5fc9e959b6b783c64e1543d435061

SHA256
a7e8260371a566a80a909e365d81b9e1a3777fea619379348165e91130619472

SHA512
277d0dc3c0272a3472215bade6401c0f34def96635f8d25fd6239adc8fefe7e9791c9be48ee49fe1b8005d3d798de98daaafe4694a40daeb4d2045c0abebf2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\6v29yrsc.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\6v29yrsc.cmdline

Filesize
227B

MD5
f769e591176884e647075e9ee4699459

SHA1
973d780e2e10a658eaa4585f7f943e7d4518c45d

SHA256
ea28888eb2402c62dd26595e57e9ecae781409cdc10ad7f6840912a7e6d390e7

SHA512
485864b7208b7f8901a7247fe95351a190e78d935fdb625e514c79ef82000b9e11f1e0d9606662fada292df45766371fbae44be7be4d2833ee42fbe5fbb48b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f4akbna.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f4akbna.cmdline

Filesize
264B

MD5
5503e5ade3b21c1c9f495e30cbc16b31

SHA1
d18c944f2404a9fbedc832b5ddd82f2e5eecae4b

SHA256
549becf2d9e5aaea4602e07e026da1daf49af73b37f5c1d38adc4bcb3db69bd0

SHA512
cac17d422e14f0c1911b9e2318dcb01dcf2858d6a6661ebc55be4e396574d20fcd996cec2544d864271d9f3fba6ebcaa20d48fb9d5c1efa5ba7266c949c69f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zuulsrb.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zuulsrb.cmdline

Filesize
270B

MD5
0cd47f68617c74989c55c0b778e8d9bd

SHA1
73540239a2a51bb7d5c1887bf692a1f6da758966

SHA256
805ac65996783dcf5ea04ed85c7d71830213e51cc2b7c84773484c46b7d0e119

SHA512
9f7103804e2368deb92eeb42d5f046ab9719c9ae9695490e49f893c65e2c5c90ed7345ee6ed1fdc35f628c631093c2bfae3002e3f2e3c4649b3a250e3ad6068b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF6B4.tmp

Filesize
5KB

MD5
913adc7243a27ab087826bc00f092741

SHA1
bb1b522a8ec868d671cadc4863a1ce7f61d4f2dd

SHA256
c674b77838b7bfaaa9da7ba80ff7be648ea373f580017303f9b3df3ab1290e45

SHA512
8e04f28d8b479ecd3381af4d55ff46e7d1beaf395e5d9a0be7c201f10061b38b7b89f54d12f2278685be57d2c1072f1ec396e7079efe07c527fa52abffad024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF760.tmp

Filesize
5KB

MD5
a083e36f5a352c535f67d71acbeb9493

SHA1
18822020d0cb1bed3371f646d60ee3da92cf701e

SHA256
ac1dd75eda0942a1b28f914efa4e054153c83d77b4e99619805a29dd6b5f025e

SHA512
0cbc0d0f27d3076c3fafb5e5c5f191929431843cdc7da97db4fe04de2ba751b3d8f08a742892561770d5663ef268f85ffdede924312a909cf7cf51ec08e62047

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF82B.tmp

Filesize
5KB

MD5
4103029e4bb8770d48266407181b4416

SHA1
adec2689f7faeb236481edcccb3524c9f81dde96

SHA256
c38445fdcd435f299af4fe7790e611084850386e28d97eb3446d5244f6d1e247

SHA512
71f481beb18cda0152572a9dfb1a5ed495305e1097951c1477480aa95ed237161a585ac87707c1d75d41d83e8a06eadbe968003aec65a70aa4b89b3445882961

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF8C7.tmp

Filesize
5KB

MD5
9c3f68191c6c198c75dbc0036d763aed

SHA1
00154696741d6ad6cee9bd544ea00848ea59fe09

SHA256
87b8da89db3f362540cb537d446504954dc6fd4cc207fe6ae06cd9ad37a0a994

SHA512
6321e5698caa833aa8a9a3b2cd66ae8387644150e32ffeb49980e11e38c8d5c78bdf5a5c0ccfe2faef938868c3a36af13ec56e6d1b31e643049fa375a29fc49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF935.tmp

Filesize
5KB

MD5
3b4e4224c6a1924863eb9cf12021f725

SHA1
2a2b7d32d0fd42a4ea3740275082f42f6a27ca07

SHA256
28bb4435ac8d3e00f61fe1075aba1e7040328256b810bd47aa1217b4381483cc

SHA512
f792b33f971dd5c5bdd884be631dc34574f5a60fceb438b7470cf64b89db80fe82e93850b73a37262c6c441126ae7eb64c2683544d54efa1cf55c6dc0938f36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF9A2.tmp

Filesize
5KB

MD5
71d3a4bdfca352c7d198e7742af74d1f

SHA1
fe29d31f6b54f4193ba080cf918d3c47a543a9e3

SHA256
edc3cc84d98e8f2df5ad9926f7183d70eca859acd07f43ecbdd77b8b8f27d92b

SHA512
84f19ea1ef2b819595ea7889274f3e1ce27974c56878b0b85f3e84aeefc168d37f3607deb66f0c983129df737f801631da653a78e64553e6f842155073757293

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA1F.tmp

Filesize
5KB

MD5
4e20177081c55f453c79e4d0e6701e32

SHA1
2a9ace9df46dab869f0f172a411a9bae3bd5c480

SHA256
c3b5ba2dc8e22d155045e8d6622de902b682f29dbfc517612c44532fd64801de

SHA512
1bc0022b5725fd6ffa20b2bb4195a037367dc2848373791f279617ffbaeac3c1c33ed8eaf8a6d417732872490de2b19faacd72bb2eec5c1a9f9a0ae463e3162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA9C.tmp

Filesize
5KB

MD5
658cadc35b28305a1b9102a396a04331

SHA1
5e89b3b80adb1311265b29a9f58cbc5cef3e34d3

SHA256
6df147e4955cd44406ab3077cb9188afac0607f1663a0051a5a5a2d53cb147c7

SHA512
b6215c7fe65a4d55679ed65530526f87bcac9730a7c930b59539ae98da2a109eb96b68df90d8293f83daab4586b8b4d9482998865c72869dec6196a3fd0c2bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB19.tmp

Filesize
5KB

MD5
da9bd69590a742bce014a3b2a0ba70c7

SHA1
f1989c281a87cdc2328ee9ba404dea474cf14bf2

SHA256
a91a89e30960b63dd3246da96c6d1394cd1ed839cc058859c3a84eab5db4c07d

SHA512
c067435399417c0c8d795188d7d7e538adc7a3ad8f8fbafc6f812f38132307a80e65ed2b0cb6d54deb0e84b745f5b9eebee4727ec0e9f9f3a3a832dd6e1971e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB86.tmp

Filesize
5KB

MD5
efd4811642215a7fc8e9616be1755179

SHA1
1f52e0ce57e962149a481a913b9ee00b2a72e4eb

SHA256
07dc4acd79c161c20ffa7ae1489c6d742b4ce6bf190f3f0f207859c9dbac8e0e

SHA512
1f1ee2ddb5c4ff64112adda887a182de726c28c3850fb9237eef6a4db2dd68d59441bedac9d0a49ce87f7eb510040924dd5f1557ac949ba11e429c1071d09762

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC13.tmp

Filesize
5KB

MD5
ca658880c7e87c7028548f9e0c5333eb

SHA1
e7e9699aea57c6834a8f00fb8d1518c8e1935edf

SHA256
a753dc37656686f24a84ea5e91af934df2f9a872e7472fcc8f2e89549a1e07db

SHA512
b29fe0a1c89be9b7510838c8f1bf396b9725aa596df9923832c84612fdb0d793b8e4f9cfd96fe746a86bafa6ebdc81b8a378611364e87fecebe267b50fc3c97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC80.tmp

Filesize
5KB

MD5
2642f31436d0d5db8ccfd34b1712fe02

SHA1
ce7b6cdb60cda0599f93063ddc375660c703ac9e

SHA256
34da5421e29856e9673945e2f2c982970cebc52095bd557eb01673130c407ab7

SHA512
d9876639db3b1bc3dd4b7b4294b9e37a06d1eb1fd9bf6bf1ecbdf88272e7a2a1e797aa0f71a0d59fadc7f3d66a4150b8b186647f49e4752be9fb4308fea0d0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ashnsgtq.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ashnsgtq.cmdline

Filesize
256B

MD5
f605346d96e1a578e330d640c715009a

SHA1
7fea6c372be5cbcc18540b96c3336387212d3e5a

SHA256
e9ea7454bbac2a70e78b70807a417ecf40910f0d7681008d8bf23afad3c07141

SHA512
ce4d6d6672b89432a5adab33ef07a2c22aba9a053b43579d66d85ec83de17549d7be91b9cac0477f6142c84de251ac7fa8c15d4c0d77fa5c33ae1af36fc3758c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwhtc7pz.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwhtc7pz.cmdline

Filesize
227B

MD5
f3a3fda10ae23eb022988cf0f64b94e3

SHA1
84de9414570fbb0855957c82128de5ac9edf0bd1

SHA256
2f5875dd9f4c5c82ba896673f140501ecfa4118df70dfa187e4f504914083209

SHA512
0e81e3714b402874a9a7ff64993c54dde3f8805d0109985a810d543b8dddbe66779d5fc7888a8ff42bf7ec14a4991af3794eb08be6ee29e732e271ba9ea15344

Download Submit
C:\Users\Admin\AppData\Local\Temp\flldcfns.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\flldcfns.cmdline

Filesize
270B

MD5
2845d50615346525ea8c2d0b0bda7f53

SHA1
9894f8564e0905f46affbb96217651bff26e9ae6

SHA256
b65547828f842a41c05c77ad9678b033b56a963b329191086b3f7442d161d8d8

SHA512
f355f2d37b89b11fe1322dea00a90be4c353090a514c5fd01b722a3819e66ee057f7d0be2f6f880bca2ca228be791ad80e2bf8aed4db6127a7076eded50644ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\huxsvxks.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\huxsvxks.cmdline

Filesize
268B

MD5
12156e7942d042764d7d7e47e62f23e9

SHA1
090e1872747e118aad6444c82686b347909f4c24

SHA256
15628b0595a93886192c63cd297da87187e9780ce378461bb661414a0d125889

SHA512
41ee521aa5175635c964ee378ca51a16573433a7257fb03261afa431d8a0c719bab6b2dedbc4b1fe216b1885b97f725f4521a8433fdd93ac14768c8150b91bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jn9p2ma_.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\jn9p2ma_.cmdline

Filesize
274B

MD5
d168586131888c8b7e1d26afff1f7153

SHA1
b412a1a68a9f0c2801bf051125b0ffb245fa67f5

SHA256
1303c32a8e5737b917841e7e0c7b959dd2b2b97b174022ef3fbbe5585faf4c3c

SHA512
4edccccd74b0c70ab484567fedfe9e3ce41e698d49090990eb3e179abff0bcaa28d6d98c9466ce4700774faab1716b669cc455fd2c39267d2aa333bdfaba9c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ociedmxf.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ociedmxf.cmdline

Filesize
264B

MD5
33995450adb87b6965a97719c5599e89

SHA1
793b85d3e6f2cacccfb60a604dd6705a8c2ab99c

SHA256
3ab5801fc7ab74d283f5881788622669d2e675c7c4441fbc9704ce2d71632084

SHA512
ff5bad675202cb8ab495c645ac4e80e897ce673059403e181b4bfa5ee046dd7cb4f5cc98593d49cef9a9e9b4da73a46c8d3d472c586bc36b8e74f50212841c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiwyexie.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiwyexie.cmdline

Filesize
268B

MD5
65ad2d2946bb2cffee45bd97340e1d21

SHA1
2b8977407837956bf8c689f708c5fdae73ee1d81

SHA256
52055a66f406971b62922bd7374e3b4876b0c8ae593c9dafcf1e94a2f1f87116

SHA512
692993a3f9cb6f2364c44c902a801ffefc24b65033ca70c54c21a1d7235cbd85cca8d66fa1cd481d51644ee066ed8d19e6be63994320a442cc9b5c687db90077

Download Submit
C:\Users\Admin\AppData\Local\Temp\us0rqafv.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\us0rqafv.cmdline

Filesize
256B

MD5
fb58b03b30d1ec33716a7128b5e41b1d

SHA1
507da8a8b97f99c6e098c06c871a3868f85eee8e

SHA256
2be1cc077c14db0c9f07edef50a0780d5ca403d0282056546835a466ff4039d2

SHA512
73bce0f0240b80897674990924c4a04bffafcbaacb5cd9f1304365e7bc6b53c4edbe3e1a938b95dba52a2292fd70bac7c2b3f8aa205c082d80a4552d160d21fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc29ECB160E12142F0B745DCFBECAD6553.TMP

Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4174F4FBF61A4835B6435F645572C.TMP

Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc44AEA07633C742E4B31DE443FFEBFD0.TMP

Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc62D7E5B2E2A4D23A07890461F99184.TMP

Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc660CFA2360D04D97927C1AB98A5F369F.TMP

Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E85418E91094F3AA7B31A88FB44FF.TMP

Filesize
5KB

MD5
9874538991433131fb3158b7b1f83d46

SHA1
9e9efd410b28be52f091ceab335eb1e6ed8e001c

SHA256
2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c

SHA512
9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc73A76C1D88FA449DBB74D07BCFB8E670.TMP

Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc75FFDD347B0E407B8C6066BA29426653.TMP

Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc794856869E7416FB4C9B66BB2F710B2.TMP

Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7CB0B27EFC4645339942ADB35C631C4.TMP

Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9FB8E22012D6410E89614369B57840.TMP

Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA692DD85C8444D669C8BBA6CBEE578B.TMP

Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD2460153AE9A492C9EBA1D4B75C34CB8.TMP

Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
memory/2320-10-0x000000001D200000-0x000000001D29C000-memory.dmp

Filesize
624KB

Download
memory/2320-7-0x00007FFDC94F0000-0x00007FFDC9E91000-memory.dmp

Filesize
9.6MB

Download
memory/2320-6-0x00007FFDC97A5000-0x00007FFDC97A6000-memory.dmp

Filesize
4KB

Download
memory/2320-5-0x000000001C0E0000-0x000000001C142000-memory.dmp

Filesize
392KB

Download
memory/2320-4-0x00007FFDC94F0000-0x00007FFDC9E91000-memory.dmp

Filesize
9.6MB

Download
memory/2320-0-0x00007FFDC97A5000-0x00007FFDC97A6000-memory.dmp

Filesize
4KB

Download
memory/2320-3-0x000000001BF70000-0x000000001C016000-memory.dmp

Filesize
664KB

Download
memory/2320-2-0x00007FFDC94F0000-0x00007FFDC9E91000-memory.dmp

Filesize
9.6MB

Download
memory/2320-1-0x000000001BAA0000-0x000000001BF6E000-memory.dmp

Filesize
4.8MB

Download
memory/3848-42-0x00007FFDC94F0000-0x00007FFDC9E91000-memory.dmp

Filesize
9.6MB

Download
memory/3848-295-0x00007FFDC94F0000-0x00007FFDC9E91000-memory.dmp

Filesize
9.6MB

Download
memory/4388-26-0x00007FFDC94F0000-0x00007FFDC9E91000-memory.dmp

Filesize
9.6MB

Download
memory/4388-17-0x00007FFDC94F0000-0x00007FFDC9E91000-memory.dmp

Filesize
9.6MB

Download