revengerat | a621f7d758f70c986ebc40d2e9ad89187a4659f1e26ae33af6b19557c0074038

Analysis

max time kernel
147s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client‮4PM..exe
Size

467KB
MD5

b46e938e455f07908b277bacaf40c1b8
SHA1

10b0d817957340cf35df3b20a37a14ec12ccf34a
SHA256

a621f7d758f70c986ebc40d2e9ad89187a4659f1e26ae33af6b19557c0074038
SHA512

965da90a55b382b78e385e20f1714541ac64b2c9e62605cf0b14513d21a5e181b6def0e9df04f74cb55759b070a399c5593142476da15358cdf022d1b00eb8c7
SSDEEP

3072:md3MwOibhTsNElLD5CbwDa9SY4AwZB7uy6W:md3BhTsNElLDzD+7PwTam

Score

10^/10

revengerat guest discovery trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

127.0.0.1:333

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 2712	1848	Client‮4PM..exe	85
PID 2712 set thread context of 4908	2712	InstallUtil.exe	89

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	Client‮4PM..exe
Token: SeDebugPrivilege	2712	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2712	1848	Client‮4PM..exe	85
PID 1848 wrote to memory of 2712	1848	Client‮4PM..exe	85
PID 1848 wrote to memory of 2712	1848	Client‮4PM..exe	85
PID 1848 wrote to memory of 2712	1848	Client‮4PM..exe	85
PID 1848 wrote to memory of 2712	1848	Client‮4PM..exe	85
PID 1848 wrote to memory of 2712	1848	Client‮4PM..exe	85
PID 1848 wrote to memory of 2712	1848	Client‮4PM..exe	85
PID 1848 wrote to memory of 2712	1848	Client‮4PM..exe	85
PID 2712 wrote to memory of 4908	2712	InstallUtil.exe	89
PID 2712 wrote to memory of 4908	2712	InstallUtil.exe	89
PID 2712 wrote to memory of 4908	2712	InstallUtil.exe	89
PID 2712 wrote to memory of 4908	2712	InstallUtil.exe	89
PID 2712 wrote to memory of 4908	2712	InstallUtil.exe	89
PID 2712 wrote to memory of 4908	2712	InstallUtil.exe	89
PID 2712 wrote to memory of 4908	2712	InstallUtil.exe	89
PID 2712 wrote to memory of 4908	2712	InstallUtil.exe	89
PID 2712 wrote to memory of 1712	2712	InstallUtil.exe	99
PID 2712 wrote to memory of 1712	2712	InstallUtil.exe	99
PID 2712 wrote to memory of 1712	2712	InstallUtil.exe	99
PID 1712 wrote to memory of 1680	1712	vbc.exe	101
PID 1712 wrote to memory of 1680	1712	vbc.exe	101
PID 1712 wrote to memory of 1680	1712	vbc.exe	101
PID 2712 wrote to memory of 1656	2712	InstallUtil.exe	102
PID 2712 wrote to memory of 1656	2712	InstallUtil.exe	102
PID 2712 wrote to memory of 1656	2712	InstallUtil.exe	102
PID 1656 wrote to memory of 2388	1656	vbc.exe	104
PID 1656 wrote to memory of 2388	1656	vbc.exe	104
PID 1656 wrote to memory of 2388	1656	vbc.exe	104
PID 2712 wrote to memory of 2280	2712	InstallUtil.exe	105
PID 2712 wrote to memory of 2280	2712	InstallUtil.exe	105
PID 2712 wrote to memory of 2280	2712	InstallUtil.exe	105
PID 2280 wrote to memory of 3920	2280	vbc.exe	107
PID 2280 wrote to memory of 3920	2280	vbc.exe	107
PID 2280 wrote to memory of 3920	2280	vbc.exe	107
PID 2712 wrote to memory of 5020	2712	InstallUtil.exe	108
PID 2712 wrote to memory of 5020	2712	InstallUtil.exe	108
PID 2712 wrote to memory of 5020	2712	InstallUtil.exe	108
PID 5020 wrote to memory of 3364	5020	vbc.exe	110
PID 5020 wrote to memory of 3364	5020	vbc.exe	110
PID 5020 wrote to memory of 3364	5020	vbc.exe	110
PID 2712 wrote to memory of 4176	2712	InstallUtil.exe	111
PID 2712 wrote to memory of 4176	2712	InstallUtil.exe	111
PID 2712 wrote to memory of 4176	2712	InstallUtil.exe	111
PID 4176 wrote to memory of 4284	4176	vbc.exe	113
PID 4176 wrote to memory of 4284	4176	vbc.exe	113
PID 4176 wrote to memory of 4284	4176	vbc.exe	113
PID 2712 wrote to memory of 4372	2712	InstallUtil.exe	114
PID 2712 wrote to memory of 4372	2712	InstallUtil.exe	114
PID 2712 wrote to memory of 4372	2712	InstallUtil.exe	114
PID 4372 wrote to memory of 1520	4372	vbc.exe	116
PID 4372 wrote to memory of 1520	4372	vbc.exe	116
PID 4372 wrote to memory of 1520	4372	vbc.exe	116
PID 2712 wrote to memory of 4516	2712	InstallUtil.exe	117
PID 2712 wrote to memory of 4516	2712	InstallUtil.exe	117
PID 2712 wrote to memory of 4516	2712	InstallUtil.exe	117
PID 4516 wrote to memory of 732	4516	vbc.exe	119
PID 4516 wrote to memory of 732	4516	vbc.exe	119
PID 4516 wrote to memory of 732	4516	vbc.exe	119
PID 2712 wrote to memory of 4216	2712	InstallUtil.exe	120
PID 2712 wrote to memory of 4216	2712	InstallUtil.exe	120
PID 2712 wrote to memory of 4216	2712	InstallUtil.exe	120
PID 4216 wrote to memory of 640	4216	vbc.exe	122
PID 4216 wrote to memory of 640	4216	vbc.exe	122
PID 4216 wrote to memory of 640	4216	vbc.exe	122

C:\Users\Admin\AppData\Local\Temp\Client‮4PM..exe
"C:\Users\Admin\AppData\Local\Temp\Client‮4PM..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvwof-l6.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F7FFEE87BA744AAA8F3F4DA51E55471.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vpfvlngg.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5DF58B322184B31A0ED7E3A7FE6528.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ykqnhwwz.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc22FB5584D4C0405691B7AF4CF125985B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vjgcszcz.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D91.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C630149BFEC47338E8A8521F2EA64BB.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3364
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k-yatuac.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60C3DC36CCD5414FB9A0C5ECD3E4AE9E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4284
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\swlg9nih.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CDDD6A989A645CD8C4772B2203EC3F4.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1520
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2tvjhnls.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3ED9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB1C118319ED490DAA2D9638E2722E25.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eqz8iiq-.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc38FD81F660D04300A0516FE78C3B7B43.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xmz_czyh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4352
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17A77FDEDB2C460E9F45E7A5B2B76D7.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\khatn5dq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FE2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62C003527D6243C5B47232AB7EABA46B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zn6aixmq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4040.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B5C314F9E1B4DC6A5E86EC7F6F2881D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q7zl4wtv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67C52B5978884136977840177245AE7C.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4w9z54or.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4648
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES410B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2258071274B6414D868AE93C0E03418.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vyfs6-ag.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:404
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4169.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC4CEE296964328974BFBD538EC1551.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2356
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nswsb8cx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7156A114AC534CF482C2454778733141.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\76milxzo.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4253.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AD9B9C13EC649C6BA39BA37BDC212FE.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sgzvdlub.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES434D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB97D6AB822F24274986DEB28E0CD6582.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4340
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w21bcrbj.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4820
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE56A9D9490634ACD806412D358FC4340.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0_ovl_cs.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4409.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16F2DAED175F426DB836ADB011326862.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1888
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9bwv6n54.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1400
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4476.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCFDD696A87AF45A4983FAE302F7A8020.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ebbk36i1.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0E576A6AD7144AA83548293664AAF94.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jk14qqsd.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4541.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc915AE37CC23450B92C1F43BC7BA2EA.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tvjhnls.0.vb

Filesize
380B

MD5
a33c6db9184860cb332d653b72fe4af7

SHA1
86e44ef6b2afacf0c72a5ad182f422571b628e0d

SHA256
520e4f953e8e94bf5c2dded5f3f53732ea7c5e3bf872ef9713911a8864dd74ce

SHA512
fdfbb2ed7b8eaaf90dadcbdaee3543d753cad6f7eb14e557ad49d89761cbcf6a3ad1ceca390e0610730f36b17d086d8336dc3d3560adb86f2a53af50f35be307

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tvjhnls.cmdline

Filesize
264B

MD5
8385f85f3b0c71d721385955112be2d1

SHA1
e8f1de49edb7e9713a1135175adbb9930cb3a11e

SHA256
703417470dee24a11498305c3094dd1e1bd31f90b7dddbd3899622083b1f05b9

SHA512
5e2069eb2d74fe108eebf0778e0e1b90cf4f19c75a2e8915c1fa1cf9337c8bf13aa851b40795b09f29e68c1e743a648893df092ab486bf276c8b06fcc6e414c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4w9z54or.0.vb

Filesize
382B

MD5
6fd9e83970848fc1f28d4aac011f381d

SHA1
39b06eb94ee0b57d003f64b9b0b19037093b4d27

SHA256
cc74d1ac202072948dc48214cc810ae4931f5ff8c85a66b83f67ffcccb1c74bc

SHA512
ec62fe1879f2426bccff27b366980702456e88ee6f78d8a42832733196a66f775f60d81f2ead5e0fa9676fbed2c25b555e86f64dfb2e2aff1808a9c5e832385f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4w9z54or.cmdline

Filesize
268B

MD5
08b270b409ee88023e4ff7fd8fbafb6a

SHA1
da41b95719911852371ff4bed5080bdf1ebdab37

SHA256
652fb11cc052637be0c355da288dde794149ea90c8406669fc623c60846c2772

SHA512
17ace6c78c610975d53a523e5e203efa0c26f0935eadd70d48240ab3da255a82d87a9c60c75c18c25ca1b5deb5874d032eabe996ac003237ab08dc75e1d02148

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C49.tmp

Filesize
5KB

MD5
1571889777dc69a65c8b342485236667

SHA1
3f72b9cd46f97d51a622447e3d12f68fb1b1f0e1

SHA256
c1fb36f9f6bf9d426e3a571b18693550935fc8d90078c85359a2edb1069a1dc4

SHA512
0ae4bbb09f869e574ceb512995e361068e62853a7f0b5750c9aa17228df68099fbe801aa7adb8dbb425c8e555f317d5aa0997d0e5e81efee73f1f86f014d1b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3CD5.tmp

Filesize
5KB

MD5
5c148912c571bbb93bd6919a6efbecf1

SHA1
4190a1fdd235bed66fc9f49119cb564dd05e6e98

SHA256
6cbc36025bd94b2daeb7f2c0f09c55a11fec5e2e7c8b0d6c872f8b918ae26832

SHA512
a7c46bd771655fa68e81a256bf192e9914e43c0d027d98f37d4c789dbc6034aa6cb76f71051b20a3e5b3d399acc65e4eaec6d506483340368abb0b8a19eea7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D43.tmp

Filesize
5KB

MD5
e64c4608ffe7cb19b43a2d36e6d37b71

SHA1
9cfbcc7637f4a502ed8e7a8cb23810c082321e82

SHA256
19e94517657657520ae0510a3291a6e8171ba21b524a2c5d50e23b6490ffc447

SHA512
e0660b805d409dc4b07b4269e2aa516f318020b34678dbbda6803de3b13691ccd674e19eb25f049a54146989580c8fc22950ffa10c95c698c9ccba1754001352

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D91.tmp

Filesize
5KB

MD5
5d3cf5de7eaaa0c9819d51d4822a0445

SHA1
5333a4e6348ab5dcdf980534232094bfd29277ed

SHA256
c23a89ab70546670748f1f9038c23c13b83833f0618de6ea48c4ed32509c0094

SHA512
3f80fa59946c640cc1e253362c72f8b5f94f102ed45ac332f84f6db7e93f95c751bde40472432067d049d90f5205055628c935f74fad5dafa57785335bd4e53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E0E.tmp

Filesize
5KB

MD5
fec0ff8894d08ed394174d974c21e8ca

SHA1
9daf7de1121c6bfd555abff295f686ac8fc960f1

SHA256
4e857842a88854f73789a2d93bd8c3b1feed9c12b1dbc673db1be37b1aca906d

SHA512
79fee4ad05e080676d58ec0915529f09e88b4bc97107f061c20034db9cea44c9d6e2f7a566e2be533dc4a3cff1567abdc36660465f3fbbbb60111c545918b4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E6B.tmp

Filesize
5KB

MD5
5a8dd51f254ea2c0c99f76e5dc2f893b

SHA1
572a510e83b75674fa5c9a012ed41b5d5feda05d

SHA256
65a7273cf2daed3c7a83d526805cbc6b39c2e9fcbdedf0760328e4ba6577567c

SHA512
94c47ce26a50b6aae20a81dcdf842e2d9f09e159d5f0710084f0791db8a546606363f379166898cbe74573e4eb931360d7bf0a806112cdc4292dcdf70f4188c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3ED9.tmp

Filesize
5KB

MD5
ff3c8b4b363edb9252c372dc11479539

SHA1
bce63234dadec447d929d0aa2fce349c5971a356

SHA256
d940a582a8acb2a4bb877b72cdeb9552c3388a478aa202e13ad268117b189127

SHA512
70f79e010a628cfd9933b5e3da3f1bfcccd617032d73742de9f7fef04921cabc55d793e78806aa998611863c6983c31782d755cd82da6dd6e8ebe39169d6973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3F37.tmp

Filesize
5KB

MD5
5cbd3c7a267edfbaccde3c0950039513

SHA1
1e35c2e6f0ddccf22ed1dc8f2fdef92012c656c3

SHA256
ddabc8f917abe95625111b4c5747b78e790a15af41051a472c2c1454344d1ecb

SHA512
2bf18a0529d1de11150e6665ea91463228c16350db1e4df6adc8af1082951b4f9ced5fe9614a29574cc232949750a5377abdbb963b9d2dd1fa5c5ca31a59eeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3F94.tmp

Filesize
5KB

MD5
0ba3b3824c38a1b1e8e9fb8bf9e936fb

SHA1
53f3a9dfcda5677c829f24b60689abfe397c9c74

SHA256
05719644e8b515ebc72d90848350e1cbeeca54dba354d0f0c499ad7a99e9064f

SHA512
01008b3adbca42c978918ce0e2b2b7349e34cef9f2897e45e830131d5760b98ea78b80d2e0e7f03d1cccbc997bfe0fe309bc415ebfbf63e391743cfa912a06bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3FE2.tmp

Filesize
5KB

MD5
0cea04c0286650d121907e6fb9e57ae0

SHA1
a086e8d100c7fd17b7f5f7e9f6920c4a2ce5ad18

SHA256
503454b80f6f51e657471178b0a58b29e9c872dc35528baea5523eb5ebed85bf

SHA512
45c682d6419797b1eacc978ce73d887798dc7d0b8df9da3083026b4c4fd7fa8f96d1c687e55f987c9df602c8bf24d33dd8002c410d3e312fd47fe721146f8865

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4040.tmp

Filesize
5KB

MD5
efff8a1b840e59f69ebd0e5ce699c2a9

SHA1
52821f1e06a07fd3540a4dba772cc220e5377c9a

SHA256
4eff7f72bab06a736bc37a2a1b94ce5a1eeb8253959c51db0408d70829e8d053

SHA512
e96afbde7f565ca5ab68cc5ddced34a539293735ccd981976623e01856c8d547ad9e01ada22567af000babaca4413cd0fad4e3e9312aca5013b9d3d3de91cedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES40AE.tmp

Filesize
5KB

MD5
f49df34635809c7dec494de720042620

SHA1
70de1aa535a470e489b86b7da416c41c33cef493

SHA256
103801ae8833df2bb514f502b5a24fd9b43bf1dfe7c324802b46dd9ad703add5

SHA512
2ba23691c4a3d965e6c8f6eeb574db38afe4a2e00a0e179012f40bc5b575592d830d99224b95a612d0594664cdd61a9d5c6f1fded0b0832b8802901e3017bb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtnxDpnFw.txt

Filesize
51B

MD5
07b2237f7bb341e8cae90ffc0ac0370c

SHA1
fa07a74b663a0b7fcbcf3ac6a462bc84bfcd1131

SHA256
8496309076b4b8d039df6a3e6012189574aaacb7f602c01c2fdbfb86e5b110ea

SHA512
7a79258d4ea6e259f095979c438e69ec2f717f361bc0aad53e12c3bc70f48d76611a3d445f27113344fe9537235d7ab9d07c16309978c626476d527b5d385281

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqz8iiq-.0.vb

Filesize
383B

MD5
9bf0e6eaabb37e89d40588ba71a44f49

SHA1
2a9e225dfcef04de2107c29e0c93aaa8212577af

SHA256
c97e9d16adc498617d082d6ac4eeb33c86be4205b7133e1d48e0064a4261a992

SHA512
3bda228d0736d594b0f76f0313ca2b93a4b1fd61f9e62256a20235bba5f6db5832052f7fa53e1d9825a4dc5827b271186ec014daa7f53adbefd5004fa71616c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqz8iiq-.cmdline

Filesize
270B

MD5
085dfe312790b38828d47f9b54c6fbe3

SHA1
389f725cb958db52755a552bbf6f6c65925e350e

SHA256
215783e73ec1fe003b2df28f0aacf23ec77a99c5ad4a88889a62fdac2e8e115e

SHA512
7bd1deb7c22efa196dea3264d8d39f2d8b49be076eee4d1c0570057aad65ee74f4aa33cbdc5d8564c516cae1b47edb8daa570bfa98228280967e957133c96913

Download Submit
C:\Users\Admin\AppData\Local\Temp\k-yatuac.0.vb

Filesize
380B

MD5
7522bf81c07ac4f2082352053ac1b7b5

SHA1
3adcbf731180af3deff8cfd724693f3c93e49cb9

SHA256
4b0bc775f165a8a2a91f31c696521c1272d6c711aea4489e976483b7f346587e

SHA512
00d09da157be7135864bf2d34cfa640b7cedbf2fd04514178b8a0816859dc4bc3d631dce7937ddee6a98ad72df3d3be7141fd0de722462b599429c19dbe5bf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\k-yatuac.cmdline

Filesize
264B

MD5
b04adfb43d8e3aa31b6fa709f69d003d

SHA1
4b1079291fc55bfb3d8108c53fc08efebeba0a86

SHA256
a5ef061004ebd378030faf4c20e5159a4fd7328ca0b4a377a8fe5b2aa3a8ac27

SHA512
f889914e8364bb404002eb8f94bec042e2de7d677f143e748177ae52dd18ef810daa47c3f2a2ec74ab9eee53ec2dfcba5d98099f8d4f37ac6409945b6a219cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\khatn5dq.0.vb

Filesize
385B

MD5
5bf6e03fbb026626883078a439a47335

SHA1
24eb0e7ced313e42563c17d85ab45648f7ce8746

SHA256
2099236fd1d1333080ad2372e62b8efcbb83cf0ff0456d227da56a1ed172dab3

SHA512
71428e1be1a7280f69a4655fae8359f8e8f78da16ad0db5ef78a67037a9164852f6e052c85ede071158856587b67118e133c9113ecc53a33049c01bdebfbae10

Download Submit
C:\Users\Admin\AppData\Local\Temp\khatn5dq.cmdline

Filesize
274B

MD5
673b1efd919ab5bbcba8832e699b2253

SHA1
dc9fcab88d39529d597ab32fe96d6e4529b0ff82

SHA256
12177dbd0097f667efa214cf6d0961bc85982ec1eb53fd147ac8ba5258682da8

SHA512
39202d28ef1535fc28d033b6afc0c33ef926c8dcc9f2e13a7b17d9463404c6aaabb6eb95497091fa3a4b9dfe2d5883a802f586f0233f430d8406492e58c7e0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7zl4wtv.0.vb

Filesize
385B

MD5
f9e7be7c7d8c430d5fc72b7a7b841c78

SHA1
d61ef900dfce2698bec43a1f296a8ae96be1b172

SHA256
5f91dfdade60e27738b84107000dc2079567a4f15c7db8fee6b8477c557f940d

SHA512
1aa4ae20ae58fd88dd1dcd59688842a1eba16347be67b5fbd60e251bc9336fb27947468f25a288d0670a9f26dcec3696749aca8d00364c1e89af822dfbc3e0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7zl4wtv.cmdline

Filesize
274B

MD5
f3379a09fd72bdb1a0915bf05dfcf2d6

SHA1
7c39b37e69d3d7cd128192e47f6f3d5c147d2b6f

SHA256
0475d06740fec5c6e74dcc8293f3a11661f0ca27ecc6478e307e88d13ea3c3a2

SHA512
df54707a067c39e516cb12fac07bf2deb325691701b4f985f3a8da8f7f1bd90d2621ee99085dea2fa14be12e6282e2e90701e522108ee3ac600b5e427131431f

Download Submit
C:\Users\Admin\AppData\Local\Temp\swlg9nih.0.vb

Filesize
383B

MD5
14451bc1b0177a8f030df0896c89bba5

SHA1
8524efacbde6598231e402b9c23e32891ef3b321

SHA256
614a90dc114429c3040975c5fcf2d061d3b609c72f45d4a3ba3f86c7eb13d059

SHA512
ca1f797874f68aa4595ebe640831a16957328504cd06aaaba7217005fce710b0778c4a8b0bbea0088a41daede19da3e5dba463a5b8bcbaff23c08de09760a85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\swlg9nih.cmdline

Filesize
270B

MD5
f0c3771b12872ce6c63bb7b142962890

SHA1
ec6a1cca5c8da572e999cc02b7e4564bd0807d2f

SHA256
5231d5cc8515b98a8dcd5ee33cbafc05f3e2f0cce8ff9eeefc7d3da85b29fe30

SHA512
5b393103fe8d2b50f4c27752f2ff6b1531dae91495820edb015145b5905d2221a6429370902bd4cef0f960ca825ba3a2dd784cccd1a659154f980311d9dc40b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc17A77FDEDB2C460E9F45E7A5B2B76D7.TMP

Filesize
5KB

MD5
a91f0722ab45b9e5828633e225830f4f

SHA1
3af054767b68a37a0765d6d2f56876bf27a38700

SHA256
1fc50074d79f13adaab62d1759fe7e7deb5f36a41e288fc4b19c7599a698aad7

SHA512
03043419ac9482658a0b6b8cc95bfeb412350b6ddb1a3623675712b544815c51cf7103b4c517a49ffdbdc9a6f4d2cb2100d621ba2b4f73010c06c40ac593335e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc22FB5584D4C0405691B7AF4CF125985B.TMP

Filesize
5KB

MD5
909d662a8fcd9e80d1e60c505db71822

SHA1
42b073add59fd22eb93eaf3753ee3d30a4446fd3

SHA256
2f9c845234e7bf549b2a33934d7aead93129ba27adb27bc1db070792cb84e187

SHA512
bfe67e9ede94e7dcbbbf6338975e4e3a8bb1764b11c35bd0c0b4cf1b56412068e087efefe4cfcb001ef798b51606a6686ecf316c4bc2a578f26ceca2e7c285d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2B5C314F9E1B4DC6A5E86EC7F6F2881D.TMP

Filesize
5KB

MD5
f750b6f3cb62e9a3d2f84bdba16f39d8

SHA1
cdbd4acc467ca0c97a9a54f0ac21432ac7820940

SHA256
7331751d1804f75d150ad441625549cf8cc4ea481c7d2a4b5fcd0a7c3403f462

SHA512
12c9f20747f61c4d3fe7d32684ad7517b0a7bde88a5d3c15ffa4164a9009631fdd4fecb6fa58e6c603610454e10df67f1585c3c40aab85a04a113f181ca3f40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C630149BFEC47338E8A8521F2EA64BB.TMP

Filesize
5KB

MD5
cd1ae72bf20af7c31c0b07b69e41f5fb

SHA1
cdfeab65b48c8c805aa1ea8230740453599f5560

SHA256
7f34897f643c737707824f2f5c7c6e5567db8e88a2b94deafefcc10415275a3f

SHA512
c96e3b5f0dec02663c8fd35aa167d7b3a35d57b370d5358cafe113cf644668a8b43becf19f47cd7676012c2626c2681d29a6954b7998652e726964ff1e57a850

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc38FD81F660D04300A0516FE78C3B7B43.TMP

Filesize
5KB

MD5
0942df3c7540701b321f6c5c75b6c4d2

SHA1
3b66e51e63c08439afac75d5dcca0d49faa3b435

SHA256
5b01dbc9fe937650cf0dabac5635ba8844a8f8b04acdf0485394d4f7ba8bb633

SHA512
54cbc5bdd16e33f54df6110d507340f40c44b7d1d996484179774669a9e906a3a02862efca8328a4b4d0b76486c74ebc75ed049f9729868955256fb14a03d26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc60C3DC36CCD5414FB9A0C5ECD3E4AE9E.TMP

Filesize
5KB

MD5
d49ba6e8643aa184412dbba2e2cd8def

SHA1
c3da4a649714834249eaff1195f88bc548608b3e

SHA256
9985f857bb9a1bb21050b3f9ac84cc6e7af91c6af1637c715680f321ec60fc7f

SHA512
8a1acf46fa1d9c02cb3f1b5a034f9f88ac02b417d335258882679fee49fc75e472dd0fb4c556118782283f7a828a4d83188561bebed7b9b21e905010ce869eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc62C003527D6243C5B47232AB7EABA46B.TMP

Filesize
5KB

MD5
ac4b7fc9d67ec492a561d7e2d73fa892

SHA1
c08ac010bb1d9c598474f7a0c48d9139ccdf096e

SHA256
93bb2e02da4355faf0ffed360c062b0a79cf1d5399653e6682c1134db3f8ad84

SHA512
2977dab2b92e6b116925391a8a53f2b9e0b4ab0543c991dde448d72e638567adaddaae0d0fd03b7833d252c7e2950e7d86b3b69ee4bc9d974420ea0d590830c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc67C52B5978884136977840177245AE7C.TMP

Filesize
5KB

MD5
6a14a5363cc3c6ae183a76446244c77c

SHA1
358b788725f6b08cce8adec1ceb093cebed463f4

SHA256
4b01b7fce539fccf52abb0ba80d21ab1fdcffa3a1a973879f6ed7307cdbadd4d

SHA512
3fd412314ef50b7e0d3f434c9ad21205be0dd12849a1963f26f1fa79c632a0623b76a178cd014c549816fb0f904c18b96d4a779ea6969dcc683e22660530840f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8CDDD6A989A645CD8C4772B2203EC3F4.TMP

Filesize
5KB

MD5
e01fc27651c19696a8556cd832337b1c

SHA1
4a1320329e450efdc0dcc1f9dd8648371ce710e8

SHA256
e60e121e2c142cd50ea7a796c21f6f7ce17dad85feda54c8286b776b4df92bad

SHA512
6b47115134de4254ad75be18e1e7d3cc836039f16227be152a4529c599b8b96d6f7a35291662a48a20b6d2dc285736e3c9243f4ceac15085eeeb660fd0175c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8F7FFEE87BA744AAA8F3F4DA51E55471.TMP

Filesize
5KB

MD5
4ab29e0d0a458396fd6d95d913e07196

SHA1
4a0dd233f52426551bdf0701aa52be96b4d7e703

SHA256
bf237f17537247e4d04668480852d56acc5de5ab23d54011e333dceef18fdb9a

SHA512
85a0c230457297ac7ee1212445becf0872b9a53c18a76ca375f74802015844424679ed61a1cd49fa1fc9fdd92cd5fbf1c901cafc07b96cb9da61c174116b7105

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC5DF58B322184B31A0ED7E3A7FE6528.TMP

Filesize
5KB

MD5
7ced819014ca3118c55292fdedf805de

SHA1
47b21aeab0868fb86404cd60489a23d6b8a6a44a

SHA256
0351e99ae9942ff7de421d2dfe40ce60cca746db0d3a75d590422711e1756dde

SHA512
28a2ee21f22309ad07f86a4223d895c1da27819cf7436957a7b98169058477bca00386fc2caea8a500339e82d03aa91c923a732a3ee817f6f18e673114a9624a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB1C118319ED490DAA2D9638E2722E25.TMP

Filesize
5KB

MD5
f68d0cd3deaadd4ec231a9852bfb420c

SHA1
a3ee2f8f562c93290e5204836493f35b01c51c2b

SHA256
f36489d51800727bedc964bce2740e9278e26915efd63ad230667d2c0079df35

SHA512
4bf124ed1d76c03ba3a06896261e017f1d6bac4d4a74ffe14e19c8ecfc5467a5a6082ca391b372a4ba74fe1612a6135ac78295da81625a2271d5e9be91ff59c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjgcszcz.0.vb

Filesize
362B

MD5
bc82a8413c5e13facdaccbaf96fb5247

SHA1
f812dda948fbabccdf2796be004e0d014f893106

SHA256
ccb14ba577601774f05c4ccb915846cc6a02d2b03c20c4c9519cc93515d3406d

SHA512
036f84925a549f75bfd381c560c2a1c5a88f074061c18b386a89002c469019cdb2da8cf87014c6b8aad190351ed5cee24ac53b1d1d8ab8c5c5ae9542fae52892

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjgcszcz.cmdline

Filesize
227B

MD5
89031e38c4a00d4fcaf95414b9acff2a

SHA1
d0ecbe94ba83cd58a53044c5fcfcc701612b60cc

SHA256
9bfbd533cbd5c2fe718e9679229fc1b4543709e73933e151c29ad0faaf18c023

SHA512
1051e46e93796461054151a3d2d5b80c578fef83087ec29473158bf28e4f254efcad1cd726c96b2f94f64eee0c42b94cbb8fd8dbb6d52df3468a730dda0bc3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpfvlngg.0.vb

Filesize
362B

MD5
ba0b6cafd153dba7cd70cac852ee4050

SHA1
337fbc1b8d68d643fcc3465715270421a070ff31

SHA256
e15e7be9c341d00a0117e6c16a272895ef5002f592ebed39e2b1abff62d77f7c

SHA512
0e846ed4efd1ee8ec9a0eb5fbb52403dcee75e2b9d4760160b761de703aa3bf5620e04f59e75bbc3a9c1606d278a1a2fcdb5240698029873e5f7fe47175926ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpfvlngg.cmdline

Filesize
227B

MD5
fe909f51e723e084163ba712a95f91c0

SHA1
790395cfb0e7d106ff9c7825c44bffab011578a7

SHA256
8c13eed50304a3465ead75337a1c90eef9ef1fae843c0f06222fc1d961afb78f

SHA512
2ece528f0ff5f9446871501ce9b73045b2fb2759e82bf6321c4f114ec752bd4fb6fc7a2c6d372eac6914465d4746df84d46057f80c76bfd6f8fe45682a2520b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmz_czyh.0.vb

Filesize
382B

MD5
79a5c2fbf4b099f91c43d57a91f59329

SHA1
ea029a24eb584a784f8c9dc3d4693738d724b659

SHA256
db8e3184d13226581c7a8e5416adbedf18bbabcb5dd4a22063afa84c4bf0c7f3

SHA512
2338df3b9b34d3a6e2b4455232115d026cfd65ef656c3d32192bb45a755c1398073b6d7bd972cd221d25ef23dbb9c2046498da6009e339589db392d3c3349828

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmz_czyh.cmdline

Filesize
268B

MD5
cc6015b83ad462e160aacff91ed83690

SHA1
4ca0cb4a138905881bdb3b1e00fdcd7d91cb71d6

SHA256
149935fcf3d754377d451f2d015198e1d0347a5597db4740013e5e42eacbee0a

SHA512
bef1ad412a4c3f3257d8462d2c8f9cbdbffa70bdc9a968121ddf2214ac9dd43d67174ceebb83a78d9425eb05ec8644e1aa0a457f8ecd01248e2ad5f0159d8971

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvwof-l6.0.vb

Filesize
376B

MD5
7b832bbd2730095cf7bfc0a06785bf90

SHA1
66f555c436029c88ba1db95261fe850cd515676d

SHA256
e38ed292407348b9a51b8de3cf5d2d0fe2fd558cca71239877788eb751038091

SHA512
1d70021dbb7899a75847040dc6e1e6fa5c6c435c33faa8c962fae5f45a92e473a9dfce4b3d25077810330a368c7aa067a949940e8a3aec4dd64d6aed5b7893c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvwof-l6.cmdline

Filesize
256B

MD5
a60901217db75740d888e7a0e8d37a35

SHA1
742c67fc0b6ffd225512b0d803736459e19c0ac0

SHA256
df14b4233fbd72b71ee6601f40857c5bd47bcd200a0339e41171b1730ffb19a4

SHA512
ba620a3493c643a951f423a9c2708e6808a9d996512e18b5374563fb350dfb3d6473add7d51047fd43eeb42572e4efc58477ee1f50719c4496373d6409c9cbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykqnhwwz.0.vb

Filesize
376B

MD5
3b0666d7c0129f22fa6ce323ca566ff0

SHA1
43cbdbce770c2bad56417a678cdcf7eb3804ba53

SHA256
4aa89a7e1e25251013942edd8dced1279108ddada20b74add2d17f1da66a748f

SHA512
798f2f6ea370046f4c39b268d2cf2a27e294051fc42cce5b437a48c86b90659042aa9747307742598e98e066eb04ebafa064fb1a731052ea6b05c9a8b3b055cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykqnhwwz.cmdline

Filesize
256B

MD5
e5b885ecf42b20e1cd693bc15ebfd18f

SHA1
c2520e16aa2cc9e7dd23448f1c7ac73e0a59f8a9

SHA256
0a4fed9a3310ceb0149abcb9adca117583cb4f88f717c57c6ed7dcb2a91c511f

SHA512
e4e8e76677a59e793ae156362aa1e44a22f39ce2d6e6245fc2a5a8ba3742c82f5299314fd317d929dcdbf44c833567925665ae07dc8a0c8efddf32fe8bf5461a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zn6aixmq.0.vb

Filesize
382B

MD5
7171affefa8bcd909fdf36af3be618dc

SHA1
132c1f2d58800e6d960a6b52ec9f43518d282dcc

SHA256
c48fff4ea75799168465b23c2d6a63aea27dbe8fd90e978f69d16e3242e52221

SHA512
f01fc73cf83e69838cbc9eb695d9ebcd43a154e8437d68145f89ab8808b27ddeefb262078462bc072460e8ad63d97b96d561faf3964b41a07021e0d205f33535

Download Submit
C:\Users\Admin\AppData\Local\Temp\zn6aixmq.cmdline

Filesize
268B

MD5
848f06754c30ca86250d30cc6a9123a7

SHA1
91b6803a928500137a6088ebae35fe3726fd01c4

SHA256
d0d61f896782b69d9c3bead82d478b3e5c0906ef8e97c7329e0d793a0bca7d93

SHA512
700fed65d127155aa0f95572d88a1bb9c69462b76aa7ba3d04d4ae826a57b5f078d43f71d6440f5a5067568558c38e0ac78527bc00ce720fb8a09b735a9638fc

Download Submit
memory/1848-4-0x00007FF81C060000-0x00007FF81CA01000-memory.dmp

Filesize
9.6MB

Download
memory/1848-1-0x00007FF81C060000-0x00007FF81CA01000-memory.dmp

Filesize
9.6MB

Download
memory/1848-0-0x00007FF81C315000-0x00007FF81C316000-memory.dmp

Filesize
4KB

Download
memory/1848-5-0x000000001CF90000-0x000000001CFF2000-memory.dmp

Filesize
392KB

Download
memory/1848-8-0x00007FF81C060000-0x00007FF81CA01000-memory.dmp

Filesize
9.6MB

Download
memory/1848-2-0x000000001C360000-0x000000001C82E000-memory.dmp

Filesize
4.8MB

Download
memory/1848-3-0x000000001C830000-0x000000001C8D6000-memory.dmp

Filesize
664KB

Download
memory/2712-19-0x0000000074AF2000-0x0000000074AF3000-memory.dmp

Filesize
4KB

Download
memory/2712-10-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/2712-11-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/2712-9-0x0000000074AF2000-0x0000000074AF3000-memory.dmp

Filesize
4KB

Download
memory/2712-250-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/2712-7-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2712-304-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/2712-20-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-18-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4908-14-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-15-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/4908-16-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download