revengerat | a621f7d758f70c986ebc40d2e9ad89187a4659f1e26ae33af6b19557c0074038

Analysis

max time kernel
61s
max time network
54s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client‮4PM..exe
Size

467KB
MD5

b46e938e455f07908b277bacaf40c1b8
SHA1

10b0d817957340cf35df3b20a37a14ec12ccf34a
SHA256

a621f7d758f70c986ebc40d2e9ad89187a4659f1e26ae33af6b19557c0074038
SHA512

965da90a55b382b78e385e20f1714541ac64b2c9e62605cf0b14513d21a5e181b6def0e9df04f74cb55759b070a399c5593142476da15358cdf022d1b00eb8c7
SSDEEP

3072:md3MwOibhTsNElLD5CbwDa9SY4AwZB7uy6W:md3BhTsNElLDzD+7PwTam

Score

10^/10

revengerat guest discovery stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

127.0.0.1:333

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001300000001a466-355.dat	revengerat

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Update	InstallUtil.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 2468	2872	Client‮4PM..exe	31
PID 2468 set thread context of 2640	2468	InstallUtil.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
444	ehshell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	Client‮4PM..exe
Token: SeDebugPrivilege	2468	InstallUtil.exe
Token: SeDebugPrivilege	444	ehshell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2872 wrote to memory of 2468	2872	Client‮4PM..exe	31
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2640	2468	InstallUtil.exe	32
PID 2468 wrote to memory of 2840	2468	InstallUtil.exe	34
PID 2468 wrote to memory of 2840	2468	InstallUtil.exe	34
PID 2468 wrote to memory of 2840	2468	InstallUtil.exe	34
PID 2468 wrote to memory of 2840	2468	InstallUtil.exe	34
PID 2840 wrote to memory of 2668	2840	vbc.exe	36
PID 2840 wrote to memory of 2668	2840	vbc.exe	36
PID 2840 wrote to memory of 2668	2840	vbc.exe	36
PID 2840 wrote to memory of 2668	2840	vbc.exe	36
PID 2468 wrote to memory of 3068	2468	InstallUtil.exe	37
PID 2468 wrote to memory of 3068	2468	InstallUtil.exe	37
PID 2468 wrote to memory of 3068	2468	InstallUtil.exe	37
PID 2468 wrote to memory of 3068	2468	InstallUtil.exe	37
PID 3068 wrote to memory of 1732	3068	vbc.exe	39
PID 3068 wrote to memory of 1732	3068	vbc.exe	39
PID 3068 wrote to memory of 1732	3068	vbc.exe	39
PID 3068 wrote to memory of 1732	3068	vbc.exe	39
PID 2468 wrote to memory of 2884	2468	InstallUtil.exe	40
PID 2468 wrote to memory of 2884	2468	InstallUtil.exe	40
PID 2468 wrote to memory of 2884	2468	InstallUtil.exe	40
PID 2468 wrote to memory of 2884	2468	InstallUtil.exe	40
PID 2884 wrote to memory of 2900	2884	vbc.exe	42
PID 2884 wrote to memory of 2900	2884	vbc.exe	42
PID 2884 wrote to memory of 2900	2884	vbc.exe	42
PID 2884 wrote to memory of 2900	2884	vbc.exe	42
PID 2468 wrote to memory of 2744	2468	InstallUtil.exe	43
PID 2468 wrote to memory of 2744	2468	InstallUtil.exe	43
PID 2468 wrote to memory of 2744	2468	InstallUtil.exe	43
PID 2468 wrote to memory of 2744	2468	InstallUtil.exe	43
PID 2744 wrote to memory of 2000	2744	vbc.exe	45
PID 2744 wrote to memory of 2000	2744	vbc.exe	45
PID 2744 wrote to memory of 2000	2744	vbc.exe	45
PID 2744 wrote to memory of 2000	2744	vbc.exe	45
PID 2468 wrote to memory of 1336	2468	InstallUtil.exe	46
PID 2468 wrote to memory of 1336	2468	InstallUtil.exe	46
PID 2468 wrote to memory of 1336	2468	InstallUtil.exe	46
PID 2468 wrote to memory of 1336	2468	InstallUtil.exe	46
PID 1336 wrote to memory of 2128	1336	vbc.exe	48
PID 1336 wrote to memory of 2128	1336	vbc.exe	48
PID 1336 wrote to memory of 2128	1336	vbc.exe	48
PID 1336 wrote to memory of 2128	1336	vbc.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Client‮4PM..exe
"C:\Users\Admin\AppData\Local\Temp\Client‮4PM..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nmlz0ms3.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C3C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zpyg3g2j.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CC9.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hs_vnejh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D26.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pnxjl9gs.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D94.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j4yw7t1w.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DF1.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2128
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkbjyzxt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E3F.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\08ulckry.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E8D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ktrwigpm.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EDB.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sbfnspwi.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1256
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F2A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F29.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ovd6vsky.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F77.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2520
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bjlnutpz.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FB6.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aulzrdvh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5014.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5013.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\23fklszk.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:576
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5062.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5061.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pd2u3orh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50AF.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:560
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_zxiarxz.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES510E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc510D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\efq3zx6g.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES515C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc515B.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nr0h_a0m.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51B8.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxu0tjso.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51F7.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cv-c8hyo.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5246.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5245.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\legiomtz.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5284.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5283.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nynz3gfr.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:596
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52C2.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2004
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvp8yzb9.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5311.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5310.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfmxouts.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES534F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc534E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1308
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2u2bhih2.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:760
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53AC.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2508
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\system32\Update
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:964
  - - C:\Windows\eHome\ehshell.exe
      "C:\Windows\eHome\ehshell.exe" "C:\Windows\System32\Update"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\08ulckry.0.vb

Filesize
380B

MD5
a33c6db9184860cb332d653b72fe4af7

SHA1
86e44ef6b2afacf0c72a5ad182f422571b628e0d

SHA256
520e4f953e8e94bf5c2dded5f3f53732ea7c5e3bf872ef9713911a8864dd74ce

SHA512
fdfbb2ed7b8eaaf90dadcbdaee3543d753cad6f7eb14e557ad49d89761cbcf6a3ad1ceca390e0610730f36b17d086d8336dc3d3560adb86f2a53af50f35be307

Download Submit
C:\Users\Admin\AppData\Local\Temp\08ulckry.cmdline

Filesize
264B

MD5
48e624fa5ada1ef762bd659bf24899ee

SHA1
85ab8faed7fe512248c05242926e71d47b2e9d57

SHA256
89a47199747c8dea111e1cf78d4c04360cc807b978903ec81606ed1819cf7a84

SHA512
eba5aa6a422fd515534d2019a9bc7e3ac9479a2530adef49a63f2349eb655634c4a5d770285b23a42db1197245ca49feefb5ac2af66beceb0bd5b540d4d4692a

Download Submit
C:\Users\Admin\AppData\Local\Temp\23fklszk.0.vb

Filesize
382B

MD5
6fd9e83970848fc1f28d4aac011f381d

SHA1
39b06eb94ee0b57d003f64b9b0b19037093b4d27

SHA256
cc74d1ac202072948dc48214cc810ae4931f5ff8c85a66b83f67ffcccb1c74bc

SHA512
ec62fe1879f2426bccff27b366980702456e88ee6f78d8a42832733196a66f775f60d81f2ead5e0fa9676fbed2c25b555e86f64dfb2e2aff1808a9c5e832385f

Download Submit
C:\Users\Admin\AppData\Local\Temp\23fklszk.cmdline

Filesize
268B

MD5
920aa54aeeee00fb3a3119bf8b10c971

SHA1
bb409245833ec301f90a4dfdd3e27cb8360a7257

SHA256
a122fd4f8bb7c16e641cc82acbd4a13b181851abe908ec96da827143b7713d93

SHA512
5d4d39ab8a32f8203ce178a97c3835112aa65a9ed9880615ffc0071e2b417bb4ff3f2b229fcb875d24be4328970b6dd9d3a5af23714443436f7b6b071f644f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C3D.tmp

Filesize
5KB

MD5
8059e84299032bbf5bd785adf977bad3

SHA1
e47d0cbaafb8f1bcddca3e96011775527a7a3972

SHA256
43da8aff9dbff2018fbcc502c5ce1ae8d4ab4337fbfec369411d39fb7d085b1b

SHA512
1dca49eb93f3c592fc9d66fefca999efb215c01bf28cd8c9b3f43b1403b2eeedae35f7ddb085f0724781347cd525375145f066da852425b1b43f0b014cb3d6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4CCA.tmp

Filesize
5KB

MD5
c879e28eedc4a7bff866c746808014e5

SHA1
42702655e0bd2e52b85dfd48a7faab101b4562c8

SHA256
aeb3e0f5c0b21843f3ea12dbfc326c6a2f00679c74fe42425335f31be20a1a48

SHA512
40601fe92da659db39fdccb7c6bdf853401c792a095a0b0e6c4f6d7509338e8c6ed557090e36a1cd6ef6105e2bffd9826ae7229f35f1c04c712551fda1c482d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp

Filesize
5KB

MD5
0af0834771924408ff1c6a560cb353a9

SHA1
bd3d18a9d6d6dd52b8da66c43497a87bb26407c2

SHA256
8ab43b9939f29ffb1cc1a65ebf93dc9bba4be7be3bf819033367f99f6023302a

SHA512
a6820ac0728ae66b46a155bef9327bad4a2610c4a81503761e3750d141e3b33662913875257171aa1b335c4a9491a1655700970b01e537fe4740009780b6f277

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D95.tmp

Filesize
5KB

MD5
6168d08b2a2515437b27b6d897ccbe34

SHA1
537234b035aa3149c3f1598c3a8fd19e7daeabb6

SHA256
a9667f01ed504886abf5b1777b868f3404b6b9b78cbd266e90c0dd31b190dd5d

SHA512
b0522543edfe7b486a2dc0d60032347b73f1891c1917321d8659491582046e9e2f1906565aa0b71dcee83e2cfa9065b3e44b4283f46d5a7b46ce4ba710321131

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DF2.tmp

Filesize
5KB

MD5
6f0b150fafd87060851e0896e679de3a

SHA1
ffa5c4e2b2ee18a17f42a7aa3bfae400825b76d3

SHA256
9e2843e1f0d82dc962bd596684caf438fcfe639eb078902ff996975910f5c7e0

SHA512
111bb54bdc624b78f9e822652b755370c1b5726649051e8f93b9a00ca6daf1b4137bb77360d01936b58ff014edb0b20d2c90445f96eaaead082f1eaa2b15a4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E40.tmp

Filesize
5KB

MD5
e78863564121d1bf9d5afb8949f7bf0c

SHA1
ce42f5260aba8a67d5f09f698b22b8240b522b19

SHA256
04eda1fb34990586d02789752dd38aa87aa4760e4fd223042a19ba0b8dc169db

SHA512
ca13ffa5c5bcc99b8a7f1afef97df7544808be470a3b4520072f0a2151d6dbc9b35b352f89452066b9daf005d5cb109c3ba49b9900e3b9ea34a4b0a37c967e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E8E.tmp

Filesize
5KB

MD5
df75c09a63d8a42436535a780d8701c2

SHA1
c47750e6997b58d64a0fb342baf5d052c9237f6d

SHA256
f6ac5111f16ccbe12af705d62c938eac0915caf2e014e42d5505626eb372238a

SHA512
9bd33a5a13c6ede295a34934dcef009c0f4266f25e5750f1a4134bf4943960da1bc06eee829c94d7fa26f90c7fb689e00bec056c8a1791a2446ede829133f20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4EDC.tmp

Filesize
5KB

MD5
025ace698a4fd4295351bbb502344ef8

SHA1
a081d07d35b746731dd559cfe4e2710045689185

SHA256
2aeb1694df94786a50c3639245bb07082f622235132c1d95f1a4be0efe986985

SHA512
256e307321f778e86f30e8fe3365c8a82833e07a0aabcfc0f68e63abda668611b11185c81f5e5fe073593843b527fe0e5be215214ceaab455f20d042b678a3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F2A.tmp

Filesize
5KB

MD5
e334ffbfc74c820529f8f2df0c754c13

SHA1
76478590bc1f7b845d4fd6a224be8e9ddb2ce6a5

SHA256
b14cd564602eba87ff08e405f5f833aa178362779ec6ae3989993332f737b22f

SHA512
0e29ee706d46725fc487aac8e5beac6f31f52fba7348be7a48c275f586ed633d335643dcc9e61d3e3b1e8334414640fe4802b851b65ddb54be28e649f28dfb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp

Filesize
5KB

MD5
eacb898e1157159f3efaf3ceab7dfe59

SHA1
81a4b1c60bdd0f115c1c15aba3b4ca5c42b1d7db

SHA256
0329f9563691a111446b9edb452290b69166a258e7ea850f473f3bab226ab50b

SHA512
028191e05c818abe8a3684d9132313c8517d1e802d6cd0ee45f14243670b5cdd61157ac52dee8b3c647329a0f80f8b6a6bd750d65bfaa399fc2b5ca909ad9b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4FB7.tmp

Filesize
5KB

MD5
a0ee9e8c944540e0451d455b49fecf32

SHA1
011e2a82897edb4f7f28fa1104904dadf9e3f3a9

SHA256
de7ed87adad547e397349abc5fbd35a2da8fb36d96840c5beab1292587aa06ee

SHA512
d33b4f16eb55e9bd9031d81cb943eaeab07de267018771991d4ae982160ea23863a62839ed7466cb5f68d45336db5e856627ec6dfe610c345572aa0b81523baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5014.tmp

Filesize
5KB

MD5
01e3268d463150a0b38186b54278c2ea

SHA1
f23de2b452c231be1cc59aab125d9e60da6f03cf

SHA256
0f923158be94c5cc25df74fe53c0b3100d63f61ddf89a42dba21913407bc783c

SHA512
8dda8f9d173913461921488dac9e6db2c00ad8f9331b211f35495a26155a08c219a3281beec3036ad387e5efce17de3efba2cdac6213846ff7552ca7e6a89810

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtnxDpnFw.txt

Filesize
51B

MD5
07b2237f7bb341e8cae90ffc0ac0370c

SHA1
fa07a74b663a0b7fcbcf3ac6a462bc84bfcd1131

SHA256
8496309076b4b8d039df6a3e6012189574aaacb7f602c01c2fdbfb86e5b110ea

SHA512
7a79258d4ea6e259f095979c438e69ec2f717f361bc0aad53e12c3bc70f48d76611a3d445f27113344fe9537235d7ab9d07c16309978c626476d527b5d385281

Download Submit
C:\Users\Admin\AppData\Local\Temp\aulzrdvh.0.vb

Filesize
385B

MD5
f9e7be7c7d8c430d5fc72b7a7b841c78

SHA1
d61ef900dfce2698bec43a1f296a8ae96be1b172

SHA256
5f91dfdade60e27738b84107000dc2079567a4f15c7db8fee6b8477c557f940d

SHA512
1aa4ae20ae58fd88dd1dcd59688842a1eba16347be67b5fbd60e251bc9336fb27947468f25a288d0670a9f26dcec3696749aca8d00364c1e89af822dfbc3e0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\aulzrdvh.cmdline

Filesize
274B

MD5
0e168fab1cf195924b6b8e1eb27ab2d6

SHA1
dfdb65dddff9aab24e73fc0d2395cddb0700bc30

SHA256
3652ad7bb5bb5e866bd2bcb62fed1eab2959695345899b78701f699c3efbbbaa

SHA512
7352085934b72d65e5097e472c64c96ffa790589580f5b39d06d04932b0bb48aefaeaa6e3d3afa808d5527a2c3420d19ce5a12ab7293a6da3787d2fe50a6f1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjlnutpz.0.vb

Filesize
382B

MD5
7171affefa8bcd909fdf36af3be618dc

SHA1
132c1f2d58800e6d960a6b52ec9f43518d282dcc

SHA256
c48fff4ea75799168465b23c2d6a63aea27dbe8fd90e978f69d16e3242e52221

SHA512
f01fc73cf83e69838cbc9eb695d9ebcd43a154e8437d68145f89ab8808b27ddeefb262078462bc072460e8ad63d97b96d561faf3964b41a07021e0d205f33535

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjlnutpz.cmdline

Filesize
268B

MD5
0ede46632d24c3c7fde3324077bbd687

SHA1
660868561e2c9795d3d13929de43159c94809bc5

SHA256
7e2758c8d042fb8ac5f8e69a248b531a5696a530f8ad16fc60a32b1375f6e34c

SHA512
cb5fdac984d39465696e26260dd9b79ff039ec2088d75c7b2a46756ddeaccf334bd8806fc93dcc557af9f49c6438ba106fc9a124014a4952bb15f2c86ab18020

Download Submit
C:\Users\Admin\AppData\Local\Temp\hs_vnejh.0.vb

Filesize
376B

MD5
3b0666d7c0129f22fa6ce323ca566ff0

SHA1
43cbdbce770c2bad56417a678cdcf7eb3804ba53

SHA256
4aa89a7e1e25251013942edd8dced1279108ddada20b74add2d17f1da66a748f

SHA512
798f2f6ea370046f4c39b268d2cf2a27e294051fc42cce5b437a48c86b90659042aa9747307742598e98e066eb04ebafa064fb1a731052ea6b05c9a8b3b055cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hs_vnejh.cmdline

Filesize
256B

MD5
1ce916035aa3914ea3619adf03cf378d

SHA1
5763f8bc0bbbc6c6baa06be58507471cfc1300d1

SHA256
c9f0ef044b9f42d8163b15632661080891d4a01c9a0ebfbd12fea9ae7940dd0e

SHA512
8b69428554a0db28b2207ce68dfe7841fca0824d0a97b9c2b2e54f852b7ea902c29b5c7e1f2f6fad02b3d647d09868d03f5a221de896d543b93da9c01fb04c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\j4yw7t1w.0.vb

Filesize
380B

MD5
7522bf81c07ac4f2082352053ac1b7b5

SHA1
3adcbf731180af3deff8cfd724693f3c93e49cb9

SHA256
4b0bc775f165a8a2a91f31c696521c1272d6c711aea4489e976483b7f346587e

SHA512
00d09da157be7135864bf2d34cfa640b7cedbf2fd04514178b8a0816859dc4bc3d631dce7937ddee6a98ad72df3d3be7141fd0de722462b599429c19dbe5bf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\j4yw7t1w.cmdline

Filesize
264B

MD5
9fb1f12803d0f4c34f2127d04843de35

SHA1
5121597f7d8240fb8126b6e4e20bee10f6ad4069

SHA256
9a609c77e92471c95f337542711f9fd6161fe204303d93fe1dc8bbacf419df41

SHA512
eecbd0f89897832246a9afe8b8ca6d88cb585af26dc7e8aa6419b06b248554b81bf4ea109ac5df45dbbf0a98d0bdb18ce3d7680b906b44b24aecd4c95af0bfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkbjyzxt.0.vb

Filesize
383B

MD5
14451bc1b0177a8f030df0896c89bba5

SHA1
8524efacbde6598231e402b9c23e32891ef3b321

SHA256
614a90dc114429c3040975c5fcf2d061d3b609c72f45d4a3ba3f86c7eb13d059

SHA512
ca1f797874f68aa4595ebe640831a16957328504cd06aaaba7217005fce710b0778c4a8b0bbea0088a41daede19da3e5dba463a5b8bcbaff23c08de09760a85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkbjyzxt.cmdline

Filesize
270B

MD5
120754bab1e9287452d089d8cdfe8d92

SHA1
e6f8fb2a2848237c87d7c3d16ba561613ac95ce6

SHA256
a8fd4399e3566301153992d1a977ddb273505194c2f7384863ff6f489ea7e474

SHA512
25a5662a6428cb939c151f9ae326cacd0dd80b293a2a1a88c8d53024fa305419533ff9556d104de50dcfc4f13cc957e0265c0d658668cd344e0633eff0427cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktrwigpm.0.vb

Filesize
383B

MD5
9bf0e6eaabb37e89d40588ba71a44f49

SHA1
2a9e225dfcef04de2107c29e0c93aaa8212577af

SHA256
c97e9d16adc498617d082d6ac4eeb33c86be4205b7133e1d48e0064a4261a992

SHA512
3bda228d0736d594b0f76f0313ca2b93a4b1fd61f9e62256a20235bba5f6db5832052f7fa53e1d9825a4dc5827b271186ec014daa7f53adbefd5004fa71616c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktrwigpm.cmdline

Filesize
270B

MD5
ece51e53798d7015e4510a041895872b

SHA1
1c85cd99df28bbdb0f7f6c21766852ebc2455e12

SHA256
e79919080a6e2d6aa38ed6cf51fca6925f1b54fedfd4af6f6849a2ef55e003b1

SHA512
43ea5282616181faf90e0395a3747fd01fe36daebfe9faf4587f1352d369f1549700ee054818e9f8117542d84ee21acac5d13621aa77a9bacab7274133ba6189

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmlz0ms3.0.vb

Filesize
376B

MD5
7b832bbd2730095cf7bfc0a06785bf90

SHA1
66f555c436029c88ba1db95261fe850cd515676d

SHA256
e38ed292407348b9a51b8de3cf5d2d0fe2fd558cca71239877788eb751038091

SHA512
1d70021dbb7899a75847040dc6e1e6fa5c6c435c33faa8c962fae5f45a92e473a9dfce4b3d25077810330a368c7aa067a949940e8a3aec4dd64d6aed5b7893c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmlz0ms3.cmdline

Filesize
256B

MD5
e67d670cbcfc5ee28c1ece24ee6bd97a

SHA1
e54501410fb747be70977b2d6494ff1cc3791165

SHA256
64d0a9b586da347da02e3dbdaa7f74b5696b3b63ddadc1a8e8b6e9838206ee77

SHA512
1af9286b3a13f5ee2fecafa05eaf58c193b085f732c1be5bdd124cdf60349902252c8d86eb9dec248804cf3cae8afa815b02ffa13cd90167cbe0da4a19a36334

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovd6vsky.0.vb

Filesize
385B

MD5
5bf6e03fbb026626883078a439a47335

SHA1
24eb0e7ced313e42563c17d85ab45648f7ce8746

SHA256
2099236fd1d1333080ad2372e62b8efcbb83cf0ff0456d227da56a1ed172dab3

SHA512
71428e1be1a7280f69a4655fae8359f8e8f78da16ad0db5ef78a67037a9164852f6e052c85ede071158856587b67118e133c9113ecc53a33049c01bdebfbae10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovd6vsky.cmdline

Filesize
274B

MD5
01ecde98ab146825d6d40ce75bb617c1

SHA1
9606e8893de84701fc4dc72bb29eac7db837bd5f

SHA256
ad9c5101baed72e1f20eaec886916fd48de77dd805e6549c62927b14d9aa3f16

SHA512
ce891fae777f4e6022f3306f68117b2e646664214674b2b4a3679c5c69df1990e970c34c95d6297af7955e1ecef1f0c6ff61f7ddf030ca787502fbc0dcfb0c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnxjl9gs.0.vb

Filesize
362B

MD5
bc82a8413c5e13facdaccbaf96fb5247

SHA1
f812dda948fbabccdf2796be004e0d014f893106

SHA256
ccb14ba577601774f05c4ccb915846cc6a02d2b03c20c4c9519cc93515d3406d

SHA512
036f84925a549f75bfd381c560c2a1c5a88f074061c18b386a89002c469019cdb2da8cf87014c6b8aad190351ed5cee24ac53b1d1d8ab8c5c5ae9542fae52892

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnxjl9gs.cmdline

Filesize
227B

MD5
ed531f3cb71db4821a6a48641586f57e

SHA1
9e90f2a28eb59aa056a442997c99269273ac66c1

SHA256
338e7bccb98a2b63239ea709d85ca9da13fcfbdd36b4774997db53ece63c26d2

SHA512
6bbf2fa6e0a07aa6ead18b66b03d9a7c43eb94a45b35f6f9c6d90e02baad62c694cb91a712148168b09841923b2603b56d62969a471de2dc5fb6e5093f524684

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbfnspwi.0.vb

Filesize
382B

MD5
79a5c2fbf4b099f91c43d57a91f59329

SHA1
ea029a24eb584a784f8c9dc3d4693738d724b659

SHA256
db8e3184d13226581c7a8e5416adbedf18bbabcb5dd4a22063afa84c4bf0c7f3

SHA512
2338df3b9b34d3a6e2b4455232115d026cfd65ef656c3d32192bb45a755c1398073b6d7bd972cd221d25ef23dbb9c2046498da6009e339589db392d3c3349828

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbfnspwi.cmdline

Filesize
268B

MD5
a88b9a9a956e5eedbf5901bb68ead76f

SHA1
a354c519f8b57b9a82fb0d57fe88a4853c8aa938

SHA256
11364256c446b65331722a80aab5058eaf95040c52e58fe99fb010d431a65fca

SHA512
96824a5f8f4c002d2c2906969c08fdc4378ccb4511bb3be0b64f1c506a8d40c7cf33bba8d0b66b339aea434092f6ed4bbc4e2efd4dc68f6bce754446d9d7ae7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C3C.tmp

Filesize
5KB

MD5
2c048bfcad2b15ae9dfbfe1f09718e76

SHA1
a333a06662904de19809e88f9993343ac2ad8737

SHA256
3f3b33497dc7d25deb9274c451702a0024fa05c9f9f79e6e2aa0feaae9024a9b

SHA512
12e32426d95c473f609874ac79bcd413dacae2de4b89090de5d325d660fbc5543c30ca2b86e33dadc6c166e8289114907c34aefba9ac03ee2e1dfe0763bd15c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4CC9.tmp

Filesize
5KB

MD5
4d36120bb4e9cea70f176877b87b04ae

SHA1
a2f8e38a60a83badc8b76c5ee926ea89c26d717f

SHA256
1e68f8592ed764f4726f89e836a08b9f32c3f905a37344f89a50eb5e8ef13c89

SHA512
6d79c3bd43cb8ccb288c96fce239de48ff9d13c82406fa0cc1f9223a4a23074f020ac4989f5a5ca3e9b499fcd31caf83d7ccb70fcd730cd0069d4157c468eac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4D26.tmp

Filesize
5KB

MD5
557dcd1e015c56a9a8305405f8fc1663

SHA1
517ca3aa405dd8774c16feb1e39bcd6affd9dce2

SHA256
d4f16e7694f1702b4233c8c685c23615cd56385e585653099880e12227a909a6

SHA512
876578f0f9928d93387bdddcf322d1bea349a86f9dd64257ecafce6193f41dfa05b00087b559bc57ce1ca88761d4c7382e1c9337e9f880baf74c0a2cb7025385

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4D94.tmp

Filesize
5KB

MD5
7ad743ea2c4dbdacebfe1a7e89cf1ffb

SHA1
b2289ea2a43153cc918fe8ce6b9db71b69ced978

SHA256
4a149d8cc88addccf31ed728024bb36d4e471803f63a907b6dd5076518ba6707

SHA512
430c7b2bd9ad1382b157a653f196fac0fe08d24bbc9e4f14a3b5a82ea8966d8b6ae3a8a9f12bb412fe0c58a68a9bcbe86e79db2d307fa86dcdbcbdbe3b5cb051

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4DF1.tmp

Filesize
5KB

MD5
5396d8d3a081243deed26009037d878f

SHA1
f6d9c55858d2ab02b7deee3be109d4e4f3cf3f0f

SHA256
216e52ae6d07e59371413120153d3a2240b5faa52a42157349d98bde5bdf7a95

SHA512
a8ff201e34994c74668dfde61d50fd3d56d97bfb8e6dedb20f7ddab29db09614d9e31f945b13634134535183fa0d1cbacec77414d003c3aab111885a58f375f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4E3F.tmp

Filesize
5KB

MD5
1e72a07c26a26301dfb0e903b71e54c9

SHA1
057b03375e894b1d89ec955aee0e55102ae88bd7

SHA256
83536b206f0a17045e75f0d1a7a68d92f238578061b256e220cf5bdfa36c224d

SHA512
3aea18a756b9d4049ca51e9d9948d77c9d74d9e5acbe44f6de92b1462dea723433462a28d08ec854c859b17a8357fd428fd950ddf6e4998f5b3ef5528eef3694

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4E8D.tmp

Filesize
5KB

MD5
a7f5b2cdac52feedc51cc3788d316fb5

SHA1
b90bf87b0eaba4a767811df56e3a1c0e62cdb4ad

SHA256
ecc3da8275cd39a9b2d34639f220b7465b8316012c2c07d8b737e8503a5e660f

SHA512
e96a9b90b4dd49b07eacfda8b9dc4b74d3cf359506e1b6d74b73545a0e35b63f488defc02ebf836d890dede9013af2380d10e4e5f55c83bcd037ef86cfd65fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4EDB.tmp

Filesize
5KB

MD5
b43340fdbd8b996382b477c3008e47ca

SHA1
4ec2d9bed0107d0e90e099c98edce14230d09a45

SHA256
d71e966c774f46e6379672fa634c7d385ad340c9b6865eb269df8470b9862cbe

SHA512
03ed64c5450a479a47c407025495acc6182b17693942bea8247ca5f3e74f9107d9451adbf60fada29fdec1f63bd2347f7380784b96aec867701c18ed0dbe9aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4F29.tmp

Filesize
5KB

MD5
07a308ff56e14befe157f7849361de8e

SHA1
b3bd0ca1fd9ed6b698a64567ab5032238a555db5

SHA256
d1c274846bd1f9ab85c21112c96ff4881185da19c07e0cd216029de354271ceb

SHA512
8db75b7d4521c0e0f68eb2958e437c72d68a9db1e879ada608b2cb29ec6854a75791bc28322110b0d6e1f73d24c2a1fdb376f0a545359b7feb30662eab20e9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4F77.tmp

Filesize
5KB

MD5
f0b7ea2f6b913d8328317e110520a82d

SHA1
ba6a15f46cd835a8369e2f04b31c68f85d847e91

SHA256
60623d15ce58a3dd9148822bfdfff17ffa8edf4c8dfc6b6d3e8e55c17cb74501

SHA512
58850de16d023ef234911d10f961cee9f698891c1e1449a4742c8fd6a13cb04c6bd1ab3021c05db3991424328cb808ff93192231abf1789698776710f7e39385

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4FB6.tmp

Filesize
5KB

MD5
99f94120dbd7a15cb323f774ca0e32b9

SHA1
6f9e9a3a4fe703c87396e1f7d465f9abacdda317

SHA256
ccbf0efdabaf4a1cfabd71cb6f805d10316a034fa2f479ea1c362d6f65fedead

SHA512
dc2864e8ceb4ef3e72cb0d38c888fb244740bc9abd11b8045fd84b5ad6b331dd9e675a492d96f2d239a4c89645fa755cc1e22001468c4f1c3e03a2b2df6de2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5013.tmp

Filesize
5KB

MD5
e97808c1e332a04bdca36536637e742a

SHA1
7fe7631e306f6d5200e8cf5cc843cae48e86b4a0

SHA256
04a153309b734869bb5fefdc255aa8f68677efeab8801752217c168596553a5a

SHA512
fc7173d0af2ca252f367d7db823bacae4ac3d94d574c8a08b932343d35503a8577e1afe1ea3601d96ea6e6d0ebd65300d0971e256a92c7c37de568c2fadcb51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpyg3g2j.0.vb

Filesize
362B

MD5
ba0b6cafd153dba7cd70cac852ee4050

SHA1
337fbc1b8d68d643fcc3465715270421a070ff31

SHA256
e15e7be9c341d00a0117e6c16a272895ef5002f592ebed39e2b1abff62d77f7c

SHA512
0e846ed4efd1ee8ec9a0eb5fbb52403dcee75e2b9d4760160b761de703aa3bf5620e04f59e75bbc3a9c1606d278a1a2fcdb5240698029873e5f7fe47175926ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpyg3g2j.cmdline

Filesize
227B

MD5
7145a7cd67a309e83befe9ef2522ccbb

SHA1
d099aed3961a06f8d676a95b94408ae5b39e6a43

SHA256
3b96667f1e51266614779365922c955a56e563f4efa1cf6db49e953aaea38d6c

SHA512
8eabc0976f215b7f34ddec81700b678948f0b36f70a822835959b5f1943e10f49625007dd343792b4c52d4849fc7e4956e593ba9cde5e5eebae56446979d67f0

Download Submit
C:\Windows\SysWOW64\Update

Filesize
467KB

MD5
b46e938e455f07908b277bacaf40c1b8

SHA1
10b0d817957340cf35df3b20a37a14ec12ccf34a

SHA256
a621f7d758f70c986ebc40d2e9ad89187a4659f1e26ae33af6b19557c0074038

SHA512
965da90a55b382b78e385e20f1714541ac64b2c9e62605cf0b14513d21a5e181b6def0e9df04f74cb55759b070a399c5593142476da15358cdf022d1b00eb8c7

Download Submit
memory/444-365-0x000000001CF10000-0x000000001CFC8000-memory.dmp

Filesize
736KB

Download
memory/444-368-0x000000001AEB0000-0x000000001AEBA000-memory.dmp

Filesize
40KB

Download
memory/444-362-0x000000001E340000-0x000000001E948000-memory.dmp

Filesize
6.0MB

Download
memory/444-363-0x000000001E950000-0x000000001EAD4000-memory.dmp

Filesize
1.5MB

Download
memory/444-364-0x000000001BAA0000-0x000000001BB3E000-memory.dmp

Filesize
632KB

Download
memory/444-367-0x000000001D060000-0x000000001D097000-memory.dmp

Filesize
220KB

Download
memory/444-369-0x000000001AEB0000-0x000000001AEBA000-memory.dmp

Filesize
40KB

Download
memory/2468-19-0x0000000000090000-0x000000000010C000-memory.dmp

Filesize
496KB

Download
memory/2468-25-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-24-0x0000000074D41000-0x0000000074D42000-memory.dmp

Filesize
4KB

Download
memory/2468-26-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-27-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-48-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-5-0x0000000000090000-0x000000000010C000-memory.dmp

Filesize
496KB

Download
memory/2468-360-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-9-0x0000000000090000-0x000000000010C000-memory.dmp

Filesize
496KB

Download
memory/2468-3-0x0000000000090000-0x000000000010C000-memory.dmp

Filesize
496KB

Download
memory/2468-10-0x0000000000090000-0x000000000010C000-memory.dmp

Filesize
496KB

Download
memory/2468-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2468-14-0x0000000000090000-0x000000000010C000-memory.dmp

Filesize
496KB

Download
memory/2468-357-0x0000000071450000-0x000000007185B000-memory.dmp

Filesize
4.0MB

Download
memory/2468-15-0x0000000000090000-0x000000000010C000-memory.dmp

Filesize
496KB

Download
memory/2468-22-0x0000000000090000-0x000000000010C000-memory.dmp

Filesize
496KB

Download
memory/2468-351-0x00000000707D0000-0x0000000071034000-memory.dmp

Filesize
8.4MB

Download
memory/2468-350-0x0000000071040000-0x000000007144F000-memory.dmp

Filesize
4.1MB

Download
memory/2468-349-0x0000000071450000-0x000000007185B000-memory.dmp

Filesize
4.0MB

Download
memory/2640-38-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-47-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-30-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-41-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-34-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-46-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-43-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-44-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-45-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-23-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-0-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

Filesize
4KB

Download
memory/2872-7-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-1-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download