60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
1790s
max time network
1800s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-09-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation file.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Drops file in Windows directory 1 IoCs

Processes:

file.exe

description ioc process

File created C:\Windows\rescache\_merged\3720402701\1568373884.pri file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	file.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 4196 file.exe

description	pid	process
Token: SeDebugPrivilege	4196	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 4196 wrote to memory of 4336	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 4336	4196	file.exe	vbc.exe
PID 4336 wrote to memory of 4960	4336	vbc.exe	cvtres.exe
PID 4336 wrote to memory of 4960	4336	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 200	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 200	4196	file.exe	vbc.exe
PID 200 wrote to memory of 3980	200	vbc.exe	cvtres.exe
PID 200 wrote to memory of 3980	200	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 3632	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 3632	4196	file.exe	vbc.exe
PID 3632 wrote to memory of 3028	3632	vbc.exe	cvtres.exe
PID 3632 wrote to memory of 3028	3632	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 4332	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 4332	4196	file.exe	vbc.exe
PID 4332 wrote to memory of 1260	4332	vbc.exe	cvtres.exe
PID 4332 wrote to memory of 1260	4332	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 808	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 808	4196	file.exe	vbc.exe
PID 808 wrote to memory of 2708	808	vbc.exe	cvtres.exe
PID 808 wrote to memory of 2708	808	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 2336	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 2336	4196	file.exe	vbc.exe
PID 2336 wrote to memory of 2380	2336	vbc.exe	cvtres.exe
PID 2336 wrote to memory of 2380	2336	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 4716	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 4716	4196	file.exe	vbc.exe
PID 4716 wrote to memory of 4552	4716	vbc.exe	cvtres.exe
PID 4716 wrote to memory of 4552	4716	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 4160	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 4160	4196	file.exe	vbc.exe
PID 4160 wrote to memory of 4644	4160	vbc.exe	cvtres.exe
PID 4160 wrote to memory of 4644	4160	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 1040	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 1040	4196	file.exe	vbc.exe
PID 1040 wrote to memory of 4664	1040	vbc.exe	cvtres.exe
PID 1040 wrote to memory of 4664	1040	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 348	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 348	4196	file.exe	vbc.exe
PID 348 wrote to memory of 1264	348	vbc.exe	cvtres.exe
PID 348 wrote to memory of 1264	348	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 3500	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 3500	4196	file.exe	vbc.exe
PID 3500 wrote to memory of 2128	3500	vbc.exe	cvtres.exe
PID 3500 wrote to memory of 2128	3500	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 2040	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 2040	4196	file.exe	vbc.exe
PID 2040 wrote to memory of 3668	2040	vbc.exe	cvtres.exe
PID 2040 wrote to memory of 3668	2040	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 2012	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 2012	4196	file.exe	vbc.exe
PID 2012 wrote to memory of 4724	2012	vbc.exe	cvtres.exe
PID 2012 wrote to memory of 4724	2012	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 756	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 756	4196	file.exe	vbc.exe
PID 756 wrote to memory of 688	756	vbc.exe	cvtres.exe
PID 756 wrote to memory of 688	756	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 780	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 780	4196	file.exe	vbc.exe
PID 780 wrote to memory of 1992	780	vbc.exe	cvtres.exe
PID 780 wrote to memory of 1992	780	vbc.exe	cvtres.exe
PID 4196 wrote to memory of 192	4196	file.exe	vbc.exe
PID 4196 wrote to memory of 192	4196	file.exe	vbc.exe
PID 192 wrote to memory of 1948	192	vbc.exe	cvtres.exe
PID 192 wrote to memory of 1948	192	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ph18tsev.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCDDC0789752A477ABAFFB4A783178E3.TMP"
    3⤵
    PID:4960
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mqxqqx7z.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9EEC24FDD5042F29AC5ED369A128782.TMP"
    3⤵
    PID:3980
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cglxvsqo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AC5F622268245169AEF62ECBCAE4E8.TMP"
    3⤵
    PID:3028
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e9cxs_il.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB8D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB055363A3A7342B4BDD42B26AE24B56F.TMP"
    3⤵
    PID:1260
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l1_wtjud.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBFB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF792C273520543A68FD247ED35331A32.TMP"
    3⤵
    PID:2708
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xcv_avny.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CFC5A3A752844ADADDA9F969EE74B7C.TMP"
    3⤵
    PID:2380
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\enxpwkr9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA541DA142E9489CBE61914A3550C1.TMP"
    3⤵
    PID:4552
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_owefdf7.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF442C1D2398477C99B624DEFB9C14E2.TMP"
    3⤵
    PID:4644
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2mrhckjh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD33.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA5D8921895747FBBB8C8E2ABA8C1E4.TMP"
    3⤵
    PID:4664
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-8tgfw0w.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD81.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE37EDD739924A408DE80BCA9B5EC9B.TMP"
    3⤵
    PID:1264
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\erz1mxbq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3F898841982457590E318BDAFDADFF5.TMP"
    3⤵
    PID:2128
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\njf-gut_.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE2D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc735A78B77C2A4156A017BC16DD2768A9.TMP"
    3⤵
    PID:3668
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6ndpl5vx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE8B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc121CC444F1C54CA1BF51F8096DE653D.TMP"
    3⤵
    PID:4724
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lsv3xxch.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCED9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F73E5805F864D3CA519C4C0FE85FC8.TMP"
    3⤵
    PID:688
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zo_occ5j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1360C552A4724D8BBE72E5DCFD93B812.TMP"
    3⤵
    PID:1992
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hbp_fea0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:192
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97CD3E8FD4F047DFACBD29661F9B8A5.TMP"
    3⤵
    PID:1948
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\be6pml_f.cmdline"
  2⤵
  PID:4452
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AC1C8971ECE44D09A22FA18B4D2E2C7.TMP"
    3⤵
    PID:1524
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\drrrpg8n.cmdline"
  2⤵
  PID:2236
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD050.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16C023ACBFC4C689D6BCE8453754963.TMP"
    3⤵
    PID:1808
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qmj8orio.cmdline"
  2⤵
  PID:856
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD08E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40E0541C55C744998246F46ADA233B84.TMP"
    3⤵
    PID:2228
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\titu8kj-.cmdline"
  2⤵
  PID:512
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8780943529BF436BB6F036C5601CE96.TMP"
    3⤵
    PID:2964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xn72d4yr.cmdline"
  2⤵
  PID:2336
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD12B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC98FE3E535EF450A96B63BC1E22A0A7.TMP"
    3⤵
    PID:3968
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\up2lp3hp.cmdline"
  2⤵
  PID:2464
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD179.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc751F451924794DAF973FEB4125DE451.TMP"
    3⤵
    PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
d5997b8f3f9665fe1cd7defb29cff584

SHA1
7b281c8982b042d77e7a53ce282eab7f8417adc7

SHA256
ba40f96904ef649d30f9477d2e1b770b312832ba81e6345946645c15dd4ceabc

SHA512
88f66652b43ccdb551c9e876eab1e7f0bdbf2b8c19bb9b871402e94d1e826424b917495dd3b79c228724f49d1495cd3cea49fafb7a14f23e5e1eb6a29b68871c

Download Submit
C:\Users\Admin\AppData\Local\Temp\-8tgfw0w.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\-8tgfw0w.cmdline

Filesize
274B

MD5
b93c743b17c87259adc03b61fe1ac6f3

SHA1
4ca3c7df4451140997e2f4ce88dcbdd6b399d70b

SHA256
2b8d2091c5129c96e8dc7a04fb4e420385a2e1ce6dc4d4b39e06a3a099ca3f97

SHA512
1ee522d71bc7e7b8605bd198f01248262baa0644399d549b9be2b49b67389e2098d6bfc5b20e4dd203a1b77a100107ccccea19dd8fa76ffc1927aac9a75939d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mrhckjh.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mrhckjh.cmdline

Filesize
268B

MD5
dc9198bd6f557090c9732bd45e359f07

SHA1
e876e7138451a1a48aeb875f29d0c9c31412578e

SHA256
5d04fa972a7a873b4d333e4949115c22df8da0f4739e83d0ae994fd3f41e02ae

SHA512
b802947b9a654e6b95c5a8c5c17dd495eb0ba2198d16cd3b77077c0823b1a19f794135ef62ad12dc36158e33c05ee9420a1e02e3df60f89cd7d8c59274f89889

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ndpl5vx.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ndpl5vx.cmdline

Filesize
268B

MD5
846527c166743ba159177a6402f8a116

SHA1
9729fc390e8cda287e9710438de75014b96ed14b

SHA256
5b03880a8997c11fb9c9b959fa22b710b759eabcfbcac5185c936c6fc9db4399

SHA512
e33ce6d18b5fbf4cf2adaaa275d6b7c6c9ed8c4375e4e9b743694510a8f561996fb9e16d60bf54d27732acace6830400cfbdead43c78c60843a08f2258e23eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC8CE.tmp

Filesize
5KB

MD5
41e0c245be11db6b4b5b339b36830f6e

SHA1
b0c44b6ddd359a7b79cb52d2fe8bcfe3c353e474

SHA256
51df38c873ebc42734425ca929e4ffb46b9f2e73f02a93c075e9ce3cb66338ff

SHA512
568e06cd9a0b496abc3c2297542e7178256106a20e57c546b8aa0032ce4abd6ce1c89ce7a1158a9080f1e7e5485a382bef196285c91bdd925d27f0dbf90a0eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCAE1.tmp

Filesize
5KB

MD5
07b572671a9d201993b98d0d8bd84d1f

SHA1
5dd944cf9058a8ec90cae1e6818b22e905668731

SHA256
0e43da8516974434d1a2566f0def370242b00fa7f981deab830a54520f6ee7e8

SHA512
57d9701b0acfc79cd45b4e169434f6ede278855f52245c3f48e8b0daa2506671b66743761a3ccb1f8ef3c0369de488494c62c2ab95baff4cc40325fd6745fb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB2F.tmp

Filesize
5KB

MD5
b4a15e243d3fbc75223c45f10e3c6556

SHA1
53017e6e51c9b9b69367c61422b9d728b1f5f756

SHA256
64a0bb5aebb9d4d4eff076870324bbf6afc05bc47381facd5ad0843eee63f2ba

SHA512
f5ed818715574528678eea9a59865f77efbb887a82fee4e9be7a3ff179571a3907dfb29a469e58a70e9074ff46b034a3fd6558141acb07ee1d3697747779e28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB8D.tmp

Filesize
5KB

MD5
88ee94c5ffec6ebbb4edef4bf76a095e

SHA1
067c37390cab46ea0474ae2e9dec6f5671b81fc2

SHA256
3c5e12d457b12c39356c0c40c9916e37f73a73591edc958d96f0b552c232a6ce

SHA512
aadba800d02adc417cc3ab9d90268684560f3c3d10b4cdd18207b7dbfeba9ccae3eee3ffde39f75d83a4a586580898b0e5ec3d81591ea0928790fe3b29a216b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBFB.tmp

Filesize
5KB

MD5
9b4fbc9f9982e5bd93ac6a40e8b408e7

SHA1
3bafd4d5433e541471b98516d92126199cab784e

SHA256
1fb0782a7e3ce517f9ac5894a63c3f6e3714af35455dbb40d31f669d74628623

SHA512
4dff6546ff4b187cf6ca8bbfae73bf6595fb8dd02c954024b3a6510baaf49e1e03ba42507b036c10b88996727f7b2efd72d1d00c817b4f67ce2a052e2ed38018

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp

Filesize
5KB

MD5
7b5789ca382bbc82e9b11cc1abae8578

SHA1
c90cb4dca22c08aa2748acbeba804fa939b9511c

SHA256
5002deb0e35e05b430469be0adc1daa819351af336b78e73b0558973dc000f81

SHA512
4e00159c4fd2c56a9f4c1819b5795c262de91ad4cb3cbbdde5fa9e40d105da31c67856b95d802f78b3ee9b5754c61ef37df5d87f803fac094cdb2c19a8a34b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC87.tmp

Filesize
5KB

MD5
465788fdbb96cb08a812c9978969a40a

SHA1
3878d505a0417a8221a982d53696248b49a070cf

SHA256
26b833140d9f512387a0ddaaa10f08436bcb2cf3db89d69fb42685d354e887aa

SHA512
1334c8117c311ebfcb6578b262bc059c8d8a292c2a0269445d083e458e102ea122f582ccc1da8fc4f918582d8e3276eae38c7878d07f0ed70dd101425e9f45b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCD5.tmp

Filesize
5KB

MD5
524d1fc1a9ac6c915eb93302e4cc4218

SHA1
d01850ef9947a7c78586a53751dabf62f1fd8f7d

SHA256
4852ec303890889e1e83fa27ee318d5205559ca9d6361c1589c1d60d3c33e626

SHA512
4f72381316011d5b537e356915e145f1521119198a29f63301114ad7321905b8143b83e72f03b8522c1b630909c708cfc1f1803f609e6bafbecc20d9a771c077

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD33.tmp

Filesize
5KB

MD5
7569d263effe107d712fd9ae3f583f43

SHA1
c9934ee6126283456aec437eb8213a5390302f35

SHA256
d454519eba39003cf7c522ba39ec607ce581c89703572d477d6adbe51a6ee6f2

SHA512
a4feb1a4a53060d29efb4f491ee49fea34584e8d4e9f3ec4fbc94a999f90437e0f283f4408a908188c208fbda1897c3285e5fbfe1a623235943452bbfddd854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD81.tmp

Filesize
5KB

MD5
60f4fd97cdaf912f241f796057fb7e6f

SHA1
60010994d55f9225190f20f3081b99d64e4f7499

SHA256
baf1280dfbad6a38091b3ab0dbb38654817f30700adb73fb2302604a42400891

SHA512
5e455e993d025899e99b0388c40d220bb3110a3e7bd258463b3dfb1bb705b39d19b602e81d37dd374470a5439f22e3cd6edab10d9e9eac111e665121b97491ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCDCF.tmp

Filesize
5KB

MD5
c3c9930234d1bbe3675fb8c309967a25

SHA1
44767bef1ef402ac8b4a796e0ddf34c4f7f9075e

SHA256
60c2b87400eb5217a053134a8bb2a0db6ba8b1f6fa9e35bc09149b8844aed36f

SHA512
162747f2859b3346cfdf8117458a7a64d49b3d646d275abb2a599f179609829b17ebdf3ba14dcd8adf56df6ce7451c383c91ed27da2d98420f73b3d46df45977

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCE2D.tmp

Filesize
5KB

MD5
d5343ea0ba97c1c72c15c893b655f42e

SHA1
d871a056496b650a3d9a84720cb9462a5f96b702

SHA256
caab5398b5e877d8478235f94157f3d96862ea38414baa3badda320742878e4f

SHA512
84ade2a2c268a05b0bb293a07b64b007de4bd73c076174cbf57eaa9a8323f46653727072084b60d153b611db9f047b33ad6aa289fa310a054f9f9bfd127ea753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_owefdf7.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\_owefdf7.cmdline

Filesize
270B

MD5
69ff26ce1bdc24477b2aa45916c1f151

SHA1
c52f84c54199c45789c0103ebe8ee28229b01923

SHA256
8e2a6dc43433de7aa1dfae7f9b4f6e5c67d05ee30dc194e8839c2e53d475719b

SHA512
f724c982a9247c148aeb1d4fc0c8dccbe898cf439552fdfa5f7ba563801362a4083ac95be889864e104a3dc0230f90282b7ad84e6716872976aa1bde40aa99d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cglxvsqo.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cglxvsqo.cmdline

Filesize
256B

MD5
9dc9a8fecc50d0c15d8613ff83a226a7

SHA1
408547b25302deb6252c8cb57c17c8df956c47a1

SHA256
0be921b375f343fa4dd35e604be266ba059fed7d7382598786978d3aa626e17d

SHA512
c8da81836b7b78123311d6fbdb99eccc9ba184b4a902115a657196a3d51e1b31517cc0d6ab5d1c926b4b2dbda1288b1d1a50a0fceefacba33e45b341020d2967

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9cxs_il.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9cxs_il.cmdline

Filesize
227B

MD5
7728bbfdd4020d9cb0c82bb9ca26fe84

SHA1
63a67066baf50a2286de377c02c44c1060d536f2

SHA256
18ea68aded1c0ecd15a43bf033cd5898744084ad293231b2bad0382af654b3af

SHA512
c6567c8f2a50655757170d92e90bd91ffd072c4397f7324a4ba593a5dd65a5b490e0cf1622c668e5b22da142d80708a89a71756a6e21dc1cf7bc9766d15d977f

Download Submit
C:\Users\Admin\AppData\Local\Temp\enxpwkr9.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\enxpwkr9.cmdline

Filesize
264B

MD5
34579fa4007f079a0304452312a66df4

SHA1
d8ceab54a3f01fbeab4de3225034dca6cb726c27

SHA256
c408a2c0c1d847fb7812195e0ea2217e2a8b674ba4d7d1dd37282567cd10ea67

SHA512
3fc5812c7e062b69317760861a6e1da8cfc004be0557033a001b51b838a0df7ebf880f53a6bed4989cfc202b3b55b496e6d8efdbf793e8d958ec3ec952c41d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\erz1mxbq.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\erz1mxbq.cmdline

Filesize
268B

MD5
459012d932380c5a31229c76e933ac43

SHA1
8b8f2c562f3b6e077ed6dab6b15084a3cf474ba1

SHA256
fdfcf421f2418c5d15f77264458fdfb3873a6ba9a2e6b7176205e674a4a3a6b3

SHA512
60ee59798c24b6f1b68ded527b3537e12a86d4bba78537f2140f23a669bc3228cd33183f73a1ef74959834452d755c33794f93d6771596fe44653ff0287617c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1_wtjud.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1_wtjud.cmdline

Filesize
264B

MD5
c3dabc7bdc6c0ebdb28ee325cfedc2b3

SHA1
6785872a7f6473bfb24ef3455daeea2ee2b13ec9

SHA256
f048f908df431ba856e1009dd5c6d9fcb521d9a253c291ff3d2f50489e31d432

SHA512
77ecf99f474de536ac92a3c51289bd86e941dd561036be23893143a5cb306d72d55c3e2a8dcb06cc4c9f23992d0a1e1aff6c0f508cf6edb09f6643c3b573ab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqxqqx7z.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqxqqx7z.cmdline

Filesize
227B

MD5
ab4c38d9114ce1968d6b2ee2130e0965

SHA1
bfd40b26d29f86a965266a2295a4cb2e7630d532

SHA256
5cfa10aa5e5e7bc93177056de1bfba11da3928baa0ccfe86bfc1047429bd8795

SHA512
ea81f16647e4381b17fc7d6a68c880f293c5aa84aef02a9ce6577d15b785fd790c5e71506dfffa22fad2b4e7ad0eb95fb4fd8f3ae9e5d9f7eb560c2ff4047d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\njf-gut_.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\njf-gut_.cmdline

Filesize
274B

MD5
0cdcf896a0ea2be4e8964601cf181da3

SHA1
0a5e9277673a9bfe3af32c7d0a9c2577b648ee26

SHA256
c45d6db4f4be5af7bc851aabc84d44f29ce9e469dfd8bf65424712b5344c20d1

SHA512
5bddf76160e453dc0f68bb804d239b0580477c0d0ac6010af3d1b03f0f446cc566d5326482b8343e388c167fa8cc9185e0698c64c7f844e95c65cb2d26c42711

Download Submit
C:\Users\Admin\AppData\Local\Temp\ph18tsev.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ph18tsev.cmdline

Filesize
256B

MD5
4f52658e1f0df13d58de9116487a1adb

SHA1
d5d2714c9c7d41b0b9f134b04c543dd5f7f392d0

SHA256
241127abe06d336f91af9d9ebb68a231e613c215645af67f006f618aae68d4ce

SHA512
14d8303a746d96faebe4535bea498bbf6f0a4e583213ddfde7dfc09f59dde09a8a546ba4a45515074895814ae1a073fdb47da4468f72d60028f0d88be1742251

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc121CC444F1C54CA1BF51F8096DE653D.TMP

Filesize
5KB

MD5
9874538991433131fb3158b7b1f83d46

SHA1
9e9efd410b28be52f091ceab335eb1e6ed8e001c

SHA256
2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c

SHA512
9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1AC5F622268245169AEF62ECBCAE4E8.TMP

Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CFC5A3A752844ADADDA9F969EE74B7C.TMP

Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc735A78B77C2A4156A017BC16DD2768A9.TMP

Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9EEC24FDD5042F29AC5ED369A128782.TMP

Filesize
5KB

MD5
19fc49755dbde37764cd7f4ea2d3f2e8

SHA1
d0b0760fb3c0d95e29b713a8b1e778be6d4f141b

SHA256
d2508db1037895b67cd6f3e2d183b22c42336acc3246ad9e0fe687fd0f3f8e9f

SHA512
1e261c9a0cebc104429e4162a30bad937f64c75f126b54be9576d9e5d74beadffd34cb116199c6a4ece8d3883256dbb1594ca2340d747a5e1aa2890053476772

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB055363A3A7342B4BDD42B26AE24B56F.TMP

Filesize
5KB

MD5
78f7c3ea70e4aaa3507fef7b8d6ff49c

SHA1
49b5d27ea604cccc3d5c5413fb98c221814971b7

SHA256
42cccf82c9e1ceae42e71d0b2c367ff9a3445ba23318250738cec66245123744

SHA512
a9aa39c5bd0c10ff5b7fd37dd3beaad10312db89b5b15b9ef2825a501200e7b3c717c8a6a125463cfe951c8ecc29ef5d587289198619bbeb6910afc20c6e8883

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3F898841982457590E318BDAFDADFF5.TMP

Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA541DA142E9489CBE61914A3550C1.TMP

Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCA5D8921895747FBBB8C8E2ABA8C1E4.TMP

Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCDDC0789752A477ABAFFB4A783178E3.TMP

Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEE37EDD739924A408DE80BCA9B5EC9B.TMP

Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEF442C1D2398477C99B624DEFB9C14E2.TMP

Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF792C273520543A68FD247ED35331A32.TMP

Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcv_avny.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcv_avny.cmdline

Filesize
270B

MD5
779aa5fd504bc97c7fd6d5824173c9e4

SHA1
877891b30d9f03d5e9f984d3a54c382767249000

SHA256
526d3efa336bef25ad6db1f0e60f2087ae7f5d6932cdfbba156431be5f55fb12

SHA512
40cfc9c993f82b3370080818ede351aa30d084160b68a9c3319f116b78a6f10b47deabfbdf87e528be6837b9b8856002bacd10ef3e1a31b49bd23dcae0d48946

Download Submit
memory/4196-0-0x00007FFF9B0A5000-0x00007FFF9B0A6000-memory.dmp

Filesize
4KB

Download
memory/4196-5-0x00007FFF9ADF0000-0x00007FFF9B790000-memory.dmp

Filesize
9.6MB

Download
memory/4196-6-0x00007FFF9B0A5000-0x00007FFF9B0A6000-memory.dmp

Filesize
4KB

Download
memory/4196-4-0x000000001C660000-0x000000001C6C2000-memory.dmp

Filesize
392KB

Download
memory/4196-7-0x00007FFF9ADF0000-0x00007FFF9B790000-memory.dmp

Filesize
9.6MB

Download
memory/4196-10-0x000000001D8B0000-0x000000001D94C000-memory.dmp

Filesize
624KB

Download
memory/4196-3-0x000000001C540000-0x000000001C5E6000-memory.dmp

Filesize
664KB

Download
memory/4196-1-0x00007FFF9ADF0000-0x00007FFF9B790000-memory.dmp

Filesize
9.6MB

Download
memory/4196-2-0x000000001C070000-0x000000001C53E000-memory.dmp

Filesize
4.8MB

Download
memory/4336-17-0x00007FFF9ADF0000-0x00007FFF9B790000-memory.dmp

Filesize
9.6MB

Download
memory/4336-26-0x00007FFF9ADF0000-0x00007FFF9B790000-memory.dmp

Filesize
9.6MB

Download