60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
134s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 1884 file.exe

description	pid	process
Token: SeDebugPrivilege	1884	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 1884 wrote to memory of 1056	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 1056	1884	file.exe	vbc.exe
PID 1056 wrote to memory of 2064	1056	vbc.exe	cvtres.exe
PID 1056 wrote to memory of 2064	1056	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 3376	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 3376	1884	file.exe	vbc.exe
PID 3376 wrote to memory of 3580	3376	vbc.exe	cvtres.exe
PID 3376 wrote to memory of 3580	3376	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 2496	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 2496	1884	file.exe	vbc.exe
PID 2496 wrote to memory of 2396	2496	vbc.exe	cvtres.exe
PID 2496 wrote to memory of 2396	2496	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 4868	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 4868	1884	file.exe	vbc.exe
PID 4868 wrote to memory of 544	4868	vbc.exe	cvtres.exe
PID 4868 wrote to memory of 544	4868	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 4092	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 4092	1884	file.exe	vbc.exe
PID 4092 wrote to memory of 3920	4092	vbc.exe	cvtres.exe
PID 4092 wrote to memory of 3920	4092	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 3416	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 3416	1884	file.exe	vbc.exe
PID 3416 wrote to memory of 4856	3416	vbc.exe	cvtres.exe
PID 3416 wrote to memory of 4856	3416	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 2788	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 2788	1884	file.exe	vbc.exe
PID 2788 wrote to memory of 2416	2788	vbc.exe	cvtres.exe
PID 2788 wrote to memory of 2416	2788	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 4488	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 4488	1884	file.exe	vbc.exe
PID 4488 wrote to memory of 4828	4488	vbc.exe	cvtres.exe
PID 4488 wrote to memory of 4828	4488	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 1196	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 1196	1884	file.exe	vbc.exe
PID 1196 wrote to memory of 1096	1196	vbc.exe	cvtres.exe
PID 1196 wrote to memory of 1096	1196	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 2780	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 2780	1884	file.exe	vbc.exe
PID 2780 wrote to memory of 5024	2780	vbc.exe	cvtres.exe
PID 2780 wrote to memory of 5024	2780	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 3660	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 3660	1884	file.exe	vbc.exe
PID 3660 wrote to memory of 1120	3660	vbc.exe	cvtres.exe
PID 3660 wrote to memory of 1120	3660	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 1160	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 1160	1884	file.exe	vbc.exe
PID 1160 wrote to memory of 4940	1160	vbc.exe	cvtres.exe
PID 1160 wrote to memory of 4940	1160	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 3576	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 3576	1884	file.exe	vbc.exe
PID 3576 wrote to memory of 4292	3576	vbc.exe	cvtres.exe
PID 3576 wrote to memory of 4292	3576	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 928	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 928	1884	file.exe	vbc.exe
PID 928 wrote to memory of 3452	928	vbc.exe	cvtres.exe
PID 928 wrote to memory of 3452	928	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 2344	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 2344	1884	file.exe	vbc.exe
PID 2344 wrote to memory of 2096	2344	vbc.exe	cvtres.exe
PID 2344 wrote to memory of 2096	2344	vbc.exe	cvtres.exe
PID 1884 wrote to memory of 3528	1884	file.exe	vbc.exe
PID 1884 wrote to memory of 3528	1884	file.exe	vbc.exe
PID 3528 wrote to memory of 1556	3528	vbc.exe	cvtres.exe
PID 3528 wrote to memory of 1556	3528	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\db0brjoa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6060957A1A624A7D982329EBA644463C.TMP"
    3⤵
    PID:2064
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\euukoaf5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7945B69C100D4BCB9ADD67C41B1EEDD3.TMP"
    3⤵
    PID:3580
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_vir--ux.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1C5E08DFFE4D95B71EC080739CC6D8.TMP"
    3⤵
    PID:2396
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pdoxuxaq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc513A6E674DE14FA8A9995BF0A2A43FF6.TMP"
    3⤵
    PID:544
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pvhmpg-j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1ECF45086F940B5A0DF62D566E6F689.TMP"
    3⤵
    PID:3920
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4qmoqzli.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE8C2548A4744FB288BB2035B2B375E6.TMP"
    3⤵
    PID:4856
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i-vu1cb9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEE2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68FF71831414E51A75E368E8AC1E8B.TMP"
    3⤵
    PID:2416
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fksv6gnc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA50E663670841C9BAF783CA49A0C3CF.TMP"
    3⤵
    PID:4828
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nryuyh6c.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC8FE6EBEE004F3699B71BB782AD6E3.TMP"
    3⤵
    PID:1096
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sm1hzikx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE47013D59954958BE96231BECB9417.TMP"
    3⤵
    PID:5024
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d_ogulrz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60DB42D255054E3F9BB72C8A27F592B.TMP"
    3⤵
    PID:1120
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ctas9q3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBA2AE5A704F489A9CCF6399601D7668.TMP"
    3⤵
    PID:4940
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h2l7tncz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES172.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AB1AD94CAB34CE4AFBCDE543D15EFC.TMP"
    3⤵
    PID:4292
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ndcpbd6t.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc219DCE8E6ED747A9BC7DF63D225B909F.TMP"
    3⤵
    PID:3452
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stktpyu0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90F571BCFB8246C29D3A69A15395D5EB.TMP"
    3⤵
    PID:2096
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kxurher9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B57660E5ED74A669925EC3C52755BF.TMP"
    3⤵
    PID:1556
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ehlpxplq.cmdline"
  2⤵
  PID:2284
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES422.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B3C7C537EE4DAB9E2312FE7FC8A21.TMP"
    3⤵
    PID:456
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z90mmx4f.cmdline"
  2⤵
  PID:1680
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3CC6B6E64EA46178C7065C5C0A6C590.TMP"
    3⤵
    PID:3152
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lmzjqqsd.cmdline"
  2⤵
  PID:2668
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC8DF9C1B814894A749BAB4D65CA9EF.TMP"
    3⤵
    PID:4984
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lwe6c3u2.cmdline"
  2⤵
  PID:4920
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES654.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24740BC77D8A49FEBF2AA56EE7167CA9.TMP"
    3⤵
    PID:3952
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pchlgrme.cmdline"
  2⤵
  PID:1992
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B027866137A4032B7C9FED31C6CA11.TMP"
    3⤵
    PID:3360
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9zljohjx.cmdline"
  2⤵
  PID:3512
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8425DDD5B7744BCE93EEFD1FB2D7BDC8.TMP"
    3⤵
    PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qmoqzli.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qmoqzli.cmdline

Filesize
270B

MD5
1e29ccef1526a3bc9a55732acd140c8c

SHA1
63683f92e9ee05cc1b1321768a164e018b8c8500

SHA256
00cf999a2cc46660196a799761555da479d2f7d85ed0a19c4000ddb3ac6f531b

SHA512
c4500a867dd4b347a51c920e2fdbaf567d5ee51eaf8a216e7f1b3c8226dd6c1da3a8a6167ab2b2528e4dc880ee1edf319902c72669b575af21e5f2bfa19cb114

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ctas9q3.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ctas9q3.cmdline

Filesize
274B

MD5
0fed1ea62dabe3c2506ca92e2b003fe5

SHA1
cf0c87b7fdc26d8ba911ec0004f2d8258a8fc2b4

SHA256
8c4509ef85446742660fbc12bd08feef19d01a3816a9c36170dc5ac003084272

SHA512
3e37c0cc112426ab09e56d04b1fff0381a4d0a4d328406395473fc3107b9ae6419826cc1cb26a286c65b9c64a6e44c5b4f4449b60df6aaee2001325fc287b64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A.tmp

Filesize
5KB

MD5
5b44775aff350c44c776b8463f1417cf

SHA1
cd76173a660fc2605a7a9fdf48493d59cd96423d

SHA256
5cbf972fe611a19f338c2261294d963429eb5a80e020244ef02b483d795ab1ac

SHA512
da4dd4d5c1ccb589c76752861eb7a7b87e35a7f21d998a45ebe98ce4ad1c6b1c5c2ced19a040c5d52772b74787647ed560c1a4e683c488288208ec55c25eb9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88.tmp

Filesize
5KB

MD5
13be644722fa0d3bed3975d8f57cc691

SHA1
b54497dd6373c2970e150de7790911453b097f42

SHA256
194c3a371c6ca17f1ebf0d7a42e0066004d5dd5f7b387450bfddd1cfb7745552

SHA512
0911365368fc501e7082ec49b2e99726d971226a8a15e28223f6d17ffa73f829ca36722f0864fadaab800248d85fa42406ac4e33d8e25b155e434084ecdd2827

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF5.tmp

Filesize
5KB

MD5
6b54232765516083b797f2228a040423

SHA1
2b065428ce8f0a5e7fb70e3fde4751d805bc43fa

SHA256
d8048b226fce3945cdf1eaf4bdcf83a10e5c67c6185b13ee8e972359f33fccda

SHA512
385574f116383f8414fe7424c173b7b94505dec42f8409c7e7e2b566cc8f3224928ac3df819e10d30694b6b289cafe04c33a180f4353b1e8fcda27e10ae4f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB96.tmp

Filesize
5KB

MD5
9d57907347a88ddc6bc96a69560490e4

SHA1
de776cd8ed5bc12b86a912fece7d707bc1e7885e

SHA256
8fe7401049bf653c478b4d4ddf337446dc1b41efdf4c20f70ceaaa05ed480026

SHA512
ad3d222fefa8d5decb9691f89be8fc621d571b1c2d6b5d2f93ed89ac743e520ed41b58ea9f164d79faa77a3406c66569bdc795c5970f60ec7e58d09b36191a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC61.tmp

Filesize
5KB

MD5
25ee7941974c21e38e3ff082ef42c67d

SHA1
4b1aa9ab7855028c060238d3c2f9a3ddb2c8f5e2

SHA256
649f36b33c46161b386db81d3870635df5c58de0221ba694f612a04847630adc

SHA512
20934455ff915e9b9e4b6d430b1f41359eade489fe979802fa439bdf518749f9d8b6b83946b11daa9966a6ca6ccfa05325780ee0e5d5f6020f46db1c0146def4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD1D.tmp

Filesize
5KB

MD5
7e4ab3486d28d2dcfcbd9b511e4776d2

SHA1
f9721ba4a7dd0ad874b9b44f893923f94a59ab23

SHA256
f22f16c8278fdf4aedda390f839ca2ec10e926bc3e7825a14a36ef228386f867

SHA512
22e9d1c0d2418c4e4722c70422506f58c856202907e2c761452ab151b874df839dcf58c07ca411984e5c851386107a58f7d284d61511c2a4dd9fb94e5c4d2947

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD8A.tmp

Filesize
5KB

MD5
0b5f5c5d769efbd8e8953c48c5f5e5ac

SHA1
be4c8ced9b3b50ded13a0a92edd18a4af90e0612

SHA256
6a0682e35f6573b6c7a84850ab0cfd98110a14eef43652c97995f93e031352fc

SHA512
e4b5250fe2b4113f7ebfe14313709618e1b7e6466e921bff4fb0c053e83e8d7700167c94a7cf0276b43549b15caf6e17136b02a1ba34062f220865aece362f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE07.tmp

Filesize
5KB

MD5
c1dcc07584ca653406aedaecc53d107a

SHA1
fd0db5c86c42853e5bae4947aada5f18ea7f2521

SHA256
3d06777bdc01cf238eeee189983069daf7bc37b028c41bbc2f895460992a62be

SHA512
bfc0e6431d3af8db112a0a9b9fa91e058b565b466b8b7e5cd231ea29b4e65205027176d1b52c773c1b02800d08e65ad23dad1e94d3e3f7512bcb3247defde339

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE74.tmp

Filesize
5KB

MD5
7c975e98e46ee29f9308b85a7b4e54bf

SHA1
b128e51dade0a0de7e1a19d17497631925828bc9

SHA256
f4c129c47aba5b21043e5a86c3b62d4e35e9606b806d1f534a520272023adc54

SHA512
4ebb4c4b028f280939c9180513858df4556bbe9529028497353015cfde4d8e35407e53970fb97d1eb4ab50b8c928e7b2467c4396da04f27b44f49f511fd5603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFEE2.tmp

Filesize
5KB

MD5
ebaee8763e594094c988b68dd1fc0d31

SHA1
71e97a5e06c7d73e9b564b7284aa52ebad906b76

SHA256
bc6e8c6d60a66075ba4a979719333c8f3ef9355bbfa7b7588bffb7c791760abb

SHA512
b429133b3d126646a21d83fd16964797050e86f95357f49d9116e3aeb8370540aec77c5997d5735dcd81e1b8192780265313c8f7814495f982e175282789246f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF5F.tmp

Filesize
5KB

MD5
94b2b3dab8c27c5a622e6ac264824447

SHA1
77ba75b64b395e9974a1fd6a3024a3b7b69848c9

SHA256
b6e8d6ac7fd086248ffbfdf0ab8e089aec17a781eacfb96bd4f513b04dad8bb3

SHA512
938cb551833202afcbadebbebb746052ae7deccbbb5ae09b929445726dc5cdd409ba3f3e361b84175ba02bd46d3baeca6b0644b5ba4077d1167ae532353c90d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFFBD.tmp

Filesize
5KB

MD5
05eb8fd01a53b7894969af7f0f9c8a4d

SHA1
290e0a3c04ef738b84ce46e9bbb51b6838ca19df

SHA256
6869f97304b5cd4b9f6c32be01b2988dd74eb903442c2fac6a562770d1331ee7

SHA512
f17e4327ba5b1e5a764f0d42f1222e6b0df6979d678c00b9f39e93e13fb5fe7c2053706f8b40c70f7d044ce9bf7d75c4818d6545bbf1f24c566ff55efbbf7de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vir--ux.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vir--ux.cmdline

Filesize
256B

MD5
64b57826fb0d1023ee4a06eca0cfc723

SHA1
fc87ebf8ecef379e68a4cebd8b0479450f4024a8

SHA256
af2abfac6fec169eb01323296085c33056ef5d1ab50a2020941707c705b33c68

SHA512
1477ab879d7a789dc1f9114a0e23245c4fe70df1b3cd584d004f104b9a9bff764e6e9764926a2001a6d8422960ae6b10a59cb303c17e67149f8d6a8dfc82bd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d_ogulrz.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\d_ogulrz.cmdline

Filesize
268B

MD5
4b9b61a8001a49bf60a346afbe90896c

SHA1
99a1adfc5474f0bdf04f82dc4b4971cfd856cf18

SHA256
77c5595c2d5ccc3fc89e2a9abdec6802b05a42dd3076b10b9839790f3d0453f2

SHA512
2dbfa53bfac3dcee64a530b6b4fe4d8a0522bde823f3cd4d57e0b97ed051b3d83daecfb55edfba950b5b31ace8240f273b05fe6196cb36f5515335f95f0578ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\db0brjoa.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\db0brjoa.cmdline

Filesize
256B

MD5
92334f44c57dfe435ce3f8a05f890aad

SHA1
1e3e03fa822fcb64a0517264f781cac4418cf399

SHA256
638076854c16d3ffc43089a88a31304e7f5c9f057746069192b35e2b01c28eaa

SHA512
1d5c0b021cd3ee20ba9d4b9d5fa458f61854d2f3b66810da68287f4438b710b1aa6ddc84bf43c9d265904cc04ff3cd9226fb7e2612fff2a4950fae557d411058

Download Submit
C:\Users\Admin\AppData\Local\Temp\euukoaf5.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\euukoaf5.cmdline

Filesize
227B

MD5
eb73697c1e24ca1bc357c6b0ea124a0e

SHA1
0ffeacf82578329df709cfd8e60b0e6f10147c62

SHA256
b8110ea9230d3232bd3f6c0d9ca9b84c133dd955566428869fceb1cca52f411a

SHA512
132295297bd554845a515df60349954b1a9f92c3ad16365eddc154e5858cfb4583b5d265602f882dadeb1173f387e289897a853a07f638bfab6450999e5d85fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fksv6gnc.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\fksv6gnc.cmdline

Filesize
270B

MD5
bcf1b1fa71559ce44501424e64bf3b73

SHA1
459c4db129a4ae37340d22d8dc6ea434597dbd67

SHA256
95ba8b45026158d4e9738b6fe6ee35176fa8759c649513c75d42aedb1663f864

SHA512
50978b363b6846ef39173f19b1dc975895abc3947c092a5f1f42c25a4d9b341a70f2a445e12a0a8d2d39e4225b784ee09bfd04cb89f51140b4e6d3bada6c2a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2l7tncz.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2l7tncz.cmdline

Filesize
268B

MD5
5239800625085b404b0bd70c1106188d

SHA1
2e93b4fa9583e550b0662f6b3bb06dd0dbb56f4e

SHA256
bfe55c4b44d9abfb3392467831363957f5b332a05ec55183fa865b236964955e

SHA512
450864fc7043adee7827da5aef4c6fdeacbbabb198cbe88278f97c912e39991f81c68925e01eaa37c7dd4822c36b6a438540b215cf9e9d13f3a40deb5e5574fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\i-vu1cb9.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\i-vu1cb9.cmdline

Filesize
264B

MD5
a749cb6aec368bfceb2ec288684d1564

SHA1
cd240eefcc5f7b496389a2f0f8d378c1de0bae64

SHA256
cf04bd8d803926d494ad612b417b03965d859b26f1b556df2d8f9367e811a555

SHA512
d83fd81a39b1ba9da71a9f77d7327dbbeedefcc16d3f281f1ef70003b38f36b1684131aab286370a17b90a217a7a8cdab9e4fba63d0ba00b11992005d0a2ee3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nryuyh6c.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\nryuyh6c.cmdline

Filesize
268B

MD5
12834ae4ae55112da499892e1cb1cf7c

SHA1
4eefc0d852e4ad7be5ee927ac60fac58b8ddb9c4

SHA256
07ea0419d4bcbf48d63ea23bf2e91d779ebaf8fb523a1af08a59d4efd7bae212

SHA512
9f6ce0fb9f502820201687751e9717c610066bcdc1704148ff234f8b51877d8a7a905bb0bac22060d9d6ffb6b9546a783f73475d6a3ad91d350d943e935b7308

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdoxuxaq.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdoxuxaq.cmdline

Filesize
227B

MD5
917c728ac4ac49468f5ac066bdedc0fa

SHA1
441836f9b50971393334fbff9cb5e88f0acc1489

SHA256
ff82b612bccfd9ac6254683db72cc8070aca375722df583837b6f3e77d244e99

SHA512
bfae4c49d6544644f3db21915c45cedf6fc2825f77592f6a59e258f495546014d173891a949c0d21e730ca96b699d43a7fa1c2a4438f212683d782a62977f5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvhmpg-j.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvhmpg-j.cmdline

Filesize
264B

MD5
f736e18f1d63fd034978d3f839ddb44a

SHA1
c922fbe852534e821ed22b1e273935fa86d41b3d

SHA256
242ec776a65b20389fd90c0282c1c0f92f8941910b7d2120980da88dad353626

SHA512
4f9aae4b8626f6947bf7724701b4cf6c8d31183b153c24e9e92841e3bf32188ce84e9516a1c727f03abde03fa86da22e1d8b166f5504729a2e4db5e585381b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sm1hzikx.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\sm1hzikx.cmdline

Filesize
274B

MD5
5c09d565e024f28d3b65958d98a4e9b9

SHA1
bb166bcdd807c60efa9c06d577f97df2a60f1797

SHA256
67c6ed58b703d48acf11a9f81a48b1126f09c0df2dd14859b3b5752f2e168858

SHA512
df36f5f23e89b6113d17f76f8f16b9ecc372b6e77a4998a0d2c7bf75dea8f0e2fe6bfc66fc15696d9d9d48af0b19fabef1b9fb7e4265490cd2cd0e3c0d18273b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc513A6E674DE14FA8A9995BF0A2A43FF6.TMP

Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6060957A1A624A7D982329EBA644463C.TMP

Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc60DB42D255054E3F9BB72C8A27F592B.TMP

Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc68FF71831414E51A75E368E8AC1E8B.TMP

Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7945B69C100D4BCB9ADD67C41B1EEDD3.TMP

Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8AB1AD94CAB34CE4AFBCDE543D15EFC.TMP

Filesize
5KB

MD5
9874538991433131fb3158b7b1f83d46

SHA1
9e9efd410b28be52f091ceab335eb1e6ed8e001c

SHA256
2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c

SHA512
9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBBA2AE5A704F489A9CCF6399601D7668.TMP

Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC8FE6EBEE004F3699B71BB782AD6E3.TMP

Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBE8C2548A4744FB288BB2035B2B375E6.TMP

Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC1ECF45086F940B5A0DF62D566E6F689.TMP

Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE47013D59954958BE96231BECB9417.TMP

Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF1C5E08DFFE4D95B71EC080739CC6D8.TMP

Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFA50E663670841C9BAF783CA49A0C3CF.TMP

Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
memory/1056-26-0x00007FF8F63F0000-0x00007FF8F6D91000-memory.dmp

Filesize
9.6MB

Download
memory/1056-17-0x00007FF8F63F0000-0x00007FF8F6D91000-memory.dmp

Filesize
9.6MB

Download
memory/1884-5-0x000000001C440000-0x000000001C4A2000-memory.dmp

Filesize
392KB

Download
memory/1884-7-0x00007FF8F63F0000-0x00007FF8F6D91000-memory.dmp

Filesize
9.6MB

Download
memory/1884-6-0x00007FF8F66A5000-0x00007FF8F66A6000-memory.dmp

Filesize
4KB

Download
memory/1884-10-0x000000001D570000-0x000000001D60C000-memory.dmp

Filesize
624KB

Download
memory/1884-4-0x00007FF8F63F0000-0x00007FF8F6D91000-memory.dmp

Filesize
9.6MB

Download
memory/1884-0-0x00007FF8F66A5000-0x00007FF8F66A6000-memory.dmp

Filesize
4KB

Download
memory/1884-3-0x000000001C2D0000-0x000000001C376000-memory.dmp

Filesize
664KB

Download
memory/1884-2-0x000000001BD50000-0x000000001C21E000-memory.dmp

Filesize
4.8MB

Download
memory/1884-1-0x00007FF8F63F0000-0x00007FF8F6D91000-memory.dmp

Filesize
9.6MB

Download
memory/3376-42-0x00007FF8F63F0000-0x00007FF8F6D91000-memory.dmp

Filesize
9.6MB

Download
memory/3376-295-0x00007FF8F63F0000-0x00007FF8F6D91000-memory.dmp

Filesize
9.6MB

Download