revengerat | 07af92f0d7debf7f977de61ae735a80a8c504620c61060953c963545e72d1c8d

Analysis

max time kernel
41s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client2‮COD..exe
Size

467KB
MD5

69c5d667bdb0c221dbb50d3301ad1d67
SHA1

c9fb83fc1cc21052a51c1e38bdaaf8b2c3653293
SHA256

07af92f0d7debf7f977de61ae735a80a8c504620c61060953c963545e72d1c8d
SHA512

221de0fe425d9691feb2b065e9cb02a5fad2e15b92829900a77c3728bc03ce2c329792e15dbb73378cb838c09479998f243cc7fe68bfa5abe653733fb5243798
SSDEEP

3072:zV3sMJibhTsNElLD5CbwDMV9SYzAwZd7uy6W:zV30hTsNElLDzDy78w/am

Score

10^/10

revengerat guest discovery stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

127.0.0.1:1604

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/files/0x00080000000234ff-305.dat	revengerat

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

Client2‮COD..exeaspnet_compiler.exe

description	pid	Process	procid_target
PID 5072 set thread context of 4752	5072	Client2‮COD..exe	85
PID 4752 set thread context of 3424	4752	aspnet_compiler.exe	87

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.exevbc.execvtres.exevbc.exevbc.execvtres.exeaspnet_compiler.execvtres.execvtres.execvtres.exevbc.exevbc.exevbc.exevbc.execvtres.exevbc.execvtres.exevbc.execvtres.execvtres.execvtres.exevbc.exevbc.execvtres.exevbc.exevbc.exevbc.execvtres.exevbc.execvtres.exevbc.execvtres.execvtres.exevbc.exevbc.execvtres.execvtres.exeaspnet_compiler.execvtres.execvtres.exevbc.execvtres.execvtres.exevbc.exevbc.execvtres.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies registry class 2 IoCs

Processes:

aspnet_compiler.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client2‮COD..exeaspnet_compiler.exe

description	pid	Process
Token: SeDebugPrivilege	5072	Client2‮COD..exe
Token: SeDebugPrivilege	4752	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid	Process
1756	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client2‮COD..exeaspnet_compiler.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	Process	procid_target
PID 5072 wrote to memory of 4752	5072	Client2‮COD..exe	85
PID 5072 wrote to memory of 4752	5072	Client2‮COD..exe	85
PID 5072 wrote to memory of 4752	5072	Client2‮COD..exe	85
PID 5072 wrote to memory of 4752	5072	Client2‮COD..exe	85
PID 5072 wrote to memory of 4752	5072	Client2‮COD..exe	85
PID 5072 wrote to memory of 4752	5072	Client2‮COD..exe	85
PID 5072 wrote to memory of 4752	5072	Client2‮COD..exe	85
PID 5072 wrote to memory of 4752	5072	Client2‮COD..exe	85
PID 4752 wrote to memory of 3424	4752	aspnet_compiler.exe	87
PID 4752 wrote to memory of 3424	4752	aspnet_compiler.exe	87
PID 4752 wrote to memory of 3424	4752	aspnet_compiler.exe	87
PID 4752 wrote to memory of 3424	4752	aspnet_compiler.exe	87
PID 4752 wrote to memory of 3424	4752	aspnet_compiler.exe	87
PID 4752 wrote to memory of 3424	4752	aspnet_compiler.exe	87
PID 4752 wrote to memory of 3424	4752	aspnet_compiler.exe	87
PID 4752 wrote to memory of 3424	4752	aspnet_compiler.exe	87
PID 4752 wrote to memory of 2340	4752	aspnet_compiler.exe	96
PID 4752 wrote to memory of 2340	4752	aspnet_compiler.exe	96
PID 4752 wrote to memory of 2340	4752	aspnet_compiler.exe	96
PID 2340 wrote to memory of 3728	2340	vbc.exe	98
PID 2340 wrote to memory of 3728	2340	vbc.exe	98
PID 2340 wrote to memory of 3728	2340	vbc.exe	98
PID 4752 wrote to memory of 2792	4752	aspnet_compiler.exe	99
PID 4752 wrote to memory of 2792	4752	aspnet_compiler.exe	99
PID 4752 wrote to memory of 2792	4752	aspnet_compiler.exe	99
PID 2792 wrote to memory of 3284	2792	vbc.exe	101
PID 2792 wrote to memory of 3284	2792	vbc.exe	101
PID 2792 wrote to memory of 3284	2792	vbc.exe	101
PID 4752 wrote to memory of 1944	4752	aspnet_compiler.exe	102
PID 4752 wrote to memory of 1944	4752	aspnet_compiler.exe	102
PID 4752 wrote to memory of 1944	4752	aspnet_compiler.exe	102
PID 1944 wrote to memory of 3124	1944	vbc.exe	104
PID 1944 wrote to memory of 3124	1944	vbc.exe	104
PID 1944 wrote to memory of 3124	1944	vbc.exe	104
PID 4752 wrote to memory of 1160	4752	aspnet_compiler.exe	105
PID 4752 wrote to memory of 1160	4752	aspnet_compiler.exe	105
PID 4752 wrote to memory of 1160	4752	aspnet_compiler.exe	105
PID 1160 wrote to memory of 1824	1160	vbc.exe	107
PID 1160 wrote to memory of 1824	1160	vbc.exe	107
PID 1160 wrote to memory of 1824	1160	vbc.exe	107
PID 4752 wrote to memory of 3448	4752	aspnet_compiler.exe	108
PID 4752 wrote to memory of 3448	4752	aspnet_compiler.exe	108
PID 4752 wrote to memory of 3448	4752	aspnet_compiler.exe	108
PID 3448 wrote to memory of 3912	3448	vbc.exe	110
PID 3448 wrote to memory of 3912	3448	vbc.exe	110
PID 3448 wrote to memory of 3912	3448	vbc.exe	110
PID 4752 wrote to memory of 776	4752	aspnet_compiler.exe	111
PID 4752 wrote to memory of 776	4752	aspnet_compiler.exe	111
PID 4752 wrote to memory of 776	4752	aspnet_compiler.exe	111
PID 776 wrote to memory of 4264	776	vbc.exe	113
PID 776 wrote to memory of 4264	776	vbc.exe	113
PID 776 wrote to memory of 4264	776	vbc.exe	113
PID 4752 wrote to memory of 4600	4752	aspnet_compiler.exe	114
PID 4752 wrote to memory of 4600	4752	aspnet_compiler.exe	114
PID 4752 wrote to memory of 4600	4752	aspnet_compiler.exe	114
PID 4600 wrote to memory of 3500	4600	vbc.exe	116
PID 4600 wrote to memory of 3500	4600	vbc.exe	116
PID 4600 wrote to memory of 3500	4600	vbc.exe	116
PID 4752 wrote to memory of 4460	4752	aspnet_compiler.exe	117
PID 4752 wrote to memory of 4460	4752	aspnet_compiler.exe	117
PID 4752 wrote to memory of 4460	4752	aspnet_compiler.exe	117
PID 4460 wrote to memory of 4820	4460	vbc.exe	119
PID 4460 wrote to memory of 4820	4460	vbc.exe	119
PID 4460 wrote to memory of 4820	4460	vbc.exe	119

C:\Users\Admin\AppData\Local\Temp\Client2‮COD..exe
"C:\Users\Admin\AppData\Local\Temp\Client2‮COD..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3424
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qb9wslhw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3A004183E24E4D81E7AD12F91129E5.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3728
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xxljalct.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44EE6849B1C498F98A7CE998362FD8C.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3284
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nr0x6_-6.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc485B2A413A284152AAFC93B3298618C0.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3124
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\exam_9eg.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE4D7C33EE043888AB60BCD0F71EEF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1824
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vr_wxfrt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC01.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc922F202BF06A47D18F1EBF30DF47C8D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3912
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-bick33b.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC17859C08FFB4C2FB4F79EBC96F8D4C8.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vqiylnvg.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc38F1437347A64E94B148D6CD17FFA10.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rxblxkhj.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc744CDE08B4404288A12E593D7FDADC2.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9cailq6e.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4224
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EAB19D4CC564850BF69369CA921C73D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zj9j_mrx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9E6884F2434923BB743ED8D927895.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dpuxomgn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE91.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc647E126F28424A0C8C691661C0BD3716.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1524
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mpavzjea.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1212
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA495BA8988B9442590A580B2B53B25FF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aduvkuti.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA285A0BFD0A47AE84CD2CC49888C48B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2308
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qvnfnw9c.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1580010DAB09412D8D4DF9349FF4B63B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\osqctkzt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3556
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1028.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF65048FCF7FD47D580E92444142642E7.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1964
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6rio7zij.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1085.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6DCC982F1F848D499A0B4C0A0DB7D56.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3560
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8rdeurn_.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1151.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc301941F14F124721BAEB62D04BA1F6F0.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5tyuzu9q.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED2FADDCDD84493BC131C2053FF478D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u7tnomyi.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3CE551212D442E8493B5A2ABE795DB.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tgjly_1k.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES125A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0F4EA74D6E34403BF36527368122EBF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w2x9txb-.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5024
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12D7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A1C1D034AE54BB5A76183631DEEEB8.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4260
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i-k1mkrk.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1345.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc601354BD4F144B33A086C87EC6F9CF9F.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\-bick33b.0.vb

Filesize
381B

MD5
5b2f316f4f4a0af63081a38b89261cd3

SHA1
3ba7fdfe10bfd4e315488ea1b1783a83ce677d5d

SHA256
dca28be4bae272091c53381339f870ac055c532a11044e284faf87e0eaf560dd

SHA512
72887210f3d46db3eac67ed459c8570f6f1b1c2eae0028097d8c4a78435ece9f9ca5ba0e1a568c19fd78f2ebe77fe15543cf9bb0fcfd2daa1983da9800655797

Download Submit
C:\Users\Admin\AppData\Local\Temp\-bick33b.cmdline

Filesize
270B

MD5
4c79782e65dda759fe18fba5fc621c81

SHA1
744821260fcb96e5796ff37ca0817d4c9f2e2028

SHA256
9b4a2a4214326faa01882188b3666265fbf083ee52b8e4d8d63989521c3e4ffe

SHA512
df52d56ce53d0919a75ad39b9ba7dc3b70f25b31213c76c34d40e1177d4c7b22122371301fff18a06a4d90f4ff581bb323c83da75c962622f28144f9676e8bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cailq6e.0.vb

Filesize
380B

MD5
2a244d05652197e57584a595bfe8271d

SHA1
558a3af788882940f9c7ecae899beaa216ad0977

SHA256
b153e249c30001e8b4a432480feab1878a826f9431f6c7aaff93bd23349295dd

SHA512
9312d7a73776efba6c50403201a056bf789b942c947a4dedfdd53e589920dc9c4978e1835d92f276593d4acd6eb54731661e42e8eba8add3bcadcd721a1ea6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cailq6e.cmdline

Filesize
268B

MD5
524de58a34c734083ca7d824695541ff

SHA1
9207fccaaf4ce25006312b24b23a6e7297a367f4

SHA256
b438db11848d3ff0ce54bc4e03bb926ec0e04e2ad4334e5823060413022421c5

SHA512
ef3072724c76c54f7880b15a0acb4967485942f959c77442a54360ee0332ac7d1fc3a0e91d8933dc147a3057256c09c5c9a6ef5eb6c5550584af36452b01a4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2C.tmp

Filesize
5KB

MD5
3a7ee27734b1fdda5a3bf85cabbd613f

SHA1
e9952d894020b702023012320096d895a0225ec5

SHA256
15e0e9ba1601c750e013c50fe318567ef1d35ad097b956e8d0408799605eaad4

SHA512
958d9387a65b3f4512f8e038755b1cb56b411491edc5429e776a028e9fb9a1271fdf75e4d5d7dec8dcc3d632b45c5ed5d7c84f3b877036e56efc2b722ecd98d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAB9.tmp

Filesize
5KB

MD5
86d3985260a4b4b7663de48eaf26c4cb

SHA1
1a6668c0137d4bfdc6524ba78beed9810383a540

SHA256
2086b28483cd24f081bf0981100b535181b2e11ae1e63c2fd5cc9bee5d303621

SHA512
3fcf48953155522521c039a4500017804a11c85aa2b8e109274afab47ec6bac3b035f69865b902c70fb50ac346721b8de7ec90279ff69a2a31a1476361391911

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB26.tmp

Filesize
5KB

MD5
78d7e965f5777a04183226e8a0f6b193

SHA1
aec3512ccce141c9cdfad4b924f5ec7a852400aa

SHA256
67394ac4b5c7a0af9798398f0a33ee91f181772a0a118f3df79c1aa18e565b04

SHA512
a557809cc09592cbd28af9b8d1b4c1cb326e32280b427bcf4162a95678b34578a81bb0b213451604d9d41eaa3ee6d96f9f9529d068b2c1dc609c2e3e543fd825

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA3.tmp

Filesize
5KB

MD5
e9061a3a2cc2c6073974d14518023386

SHA1
03b511ec3a22dfb4a715c0039ab073ba89d3f262

SHA256
cdb111c91774b8d6d0f234cf8a22ffa536af641ab1e376a02069f49c27fc2e12

SHA512
08742034f5693c35a84b8924ba53fff82e0ca7ef72a269e0ffeaf42f8e138e0f12380791e32fb172e400f90e0390381576f2fc5005327b8fed9f10e99aa2213b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC01.tmp

Filesize
5KB

MD5
1970aa143e01781c84be107a932c6526

SHA1
695017b0328d326b4f792406935c2e6e699b4ca9

SHA256
42ca4687d221af3e50218b43318d49c529c41d54456a4a12be4303e30082063c

SHA512
aff61eecad297aeb2b434e0c1b0f8684ae85a1f7f0012b797f5527fd0e2a74a0e7b82d9c1579967920968d6a2b04ef27a9dd3b7c6cf480f6768b7761539dd349

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC6F.tmp

Filesize
5KB

MD5
d3737b4a47ca0a3e34f3359e95090b39

SHA1
bfde62a196729cf55e9f6ea6a58d6c2280f7fb1f

SHA256
3a00b5380a3d6bdfba1cccb9550a66d076beaeaa994c22267a20d8f5a9568104

SHA512
79a7e5f86f22dc32591a199b4f528380358e85645ccae86b22ea0a50fa46998dc86849f4703c991a924a1d85d0c2eb1164465515d19314e9e3d4865bbedf8edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCDC.tmp

Filesize
5KB

MD5
48bcf627dde25f0296b86d4e1555c9d3

SHA1
bf730d79b899298cb4b656a9d859fc0928917cab

SHA256
1f55941fd9ccced3e7ba32a57839f312a90998c4660271482382c292ea203fea

SHA512
3e46fe6623f195fd7229419a6a59589e0e7a43f8f29e1508ff0fc9ad4e7f5e222436e66956343a7c7b12bd9bd20921bcba27e63b38548bafbaf8436ddef784c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD59.tmp

Filesize
5KB

MD5
584fe404be142dd20e688bfa4d03e0d7

SHA1
41ca8b7a6aea1740030c81ed527d56b7860ab5cb

SHA256
b70c33c28a011fdf438aac3e48eec4493655c2104534664ad96301a64d409960

SHA512
f66a64d8144d4cd16702582568ac00c4af18d75a9acc8ecc6382057967cd780fa31ca29fcb0cb11dd4e0199b274c0c814b322bb5d6b90665156f8f248441b98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC6.tmp

Filesize
5KB

MD5
a00045a9a46a18f3e7bc1fc7dd171b36

SHA1
36dad7d956963e28e2151b5496713d6187dace29

SHA256
5c3f1d521d2dafddb19e89f3fbbb82d2460f26a8bb6cf84820dd8b5a3162b1bf

SHA512
81549ef67b96a51e5cf3ace1b7c372f1944a56317017b7298d1569b1cb60cc1aa13ded0153bec50a5251b78b08d5ce1ee787b2f443e9e7ccaa1ae7eb2dfa6288

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE24.tmp

Filesize
5KB

MD5
7748fe4096f0c494ccefc045520f4a20

SHA1
46fab726ff0eecbe0a946dbae4ea6b9668a93788

SHA256
528502c96ffb379141daef8784dfa002b49005229768d01cc18cd5b56c02cf3a

SHA512
eceada2af01be552c8062db5fcdb7e264a9fe402550ad4a641f02705ac128f079e4bc6453fe88ac799427814f441f0dcbcde86f709d446bd145ab0304b7e5c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE91.tmp

Filesize
5KB

MD5
8d0109950f6e4d92339847ad223c7208

SHA1
3b71f634e8313bc9638e2a7f687cc32cf2bf381a

SHA256
4711ac130858c157fc14a810e64238761eb2f9f746df54880e1d4073bca16f88

SHA512
b455e7ee2c8ef1a78763b46f877b1070c43dcccd991522095b8469241488dfa9aec843a203170215441fe9f9ab5114a49ef45c0baaedc318bef0268766e25f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEEF.tmp

Filesize
5KB

MD5
2174ff51659719c967c2e2cb5f3d411e

SHA1
dbe3096c3952aed51bc9b0ab507834636a578424

SHA256
9034593bf756fc288f9c2d1a6e9bd839ff566febc0f780b525ae845eb139e62e

SHA512
75ce389326dd85ddd78816fb099e4d4706ee225e32e047e06128d694f247f52ea452d5751f9c367c54822f77fe1a7cab60cf4e25a563ce5a8f0eb0b1db61bef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXZMONF.txt

Filesize
52B

MD5
35470b93cb2286fa8532e10129b0e45d

SHA1
14c28cfe341ce7999ab395d57f06c5842b12c4fc

SHA256
43bec771d514dcd2f6e7829856888dccd736bafbb4fc472ee9e8e1a43ba1b742

SHA512
9c22db4fb31ef9a94d6e84793dfafe0631d15b5148a15ffbbf9ae96907c790ccd9b6d2ceea2ee7e0728b7b8dae853dc418b624bc32dc051ae5874e978b4f830c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aduvkuti.0.vb

Filesize
380B

MD5
e840f0359e35b6d80919f8a295e5b4ef

SHA1
df9c7e408264b27e801f04ab65354bb1ad604489

SHA256
36fbdaad52038332a7e9d5f242f0295d6650dab5d0f2a22e3440e703e9145b8f

SHA512
5f1d5ad1dea611ec98905b937f2fcbc3d9038217de05cda82b71d6245f2c3964e0f4c7e79a88d574e80987d467d2088c5960e9f04b544e4649515b730ab01801

Download Submit
C:\Users\Admin\AppData\Local\Temp\aduvkuti.cmdline

Filesize
268B

MD5
73b384e38295ce53c810c9799ad2891d

SHA1
6a35f5cbfdf1d1ce67c2a0144ee05c9e3eb2d4ea

SHA256
d7c137bc148e9a2bc87fc165fbdc4ea5a2e4c39f1b663b118dbc86e92aae996a

SHA512
d25e7a97c1cd2e7ad4c59192f8593d44d7a6b043f581898d0dcce034e1612bcba22a78518dbc8b405147f5158515896db0b564597163fcff8393b2387347a5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpuxomgn.0.vb

Filesize
380B

MD5
92bdf67bdb07dddd284e2d8e6dda207f

SHA1
4f9d735f8bb54ac1f85e0970bc4f4a3783b6d4af

SHA256
defbbc17a3ee033f1bd7a35dad9f109a61e05aa7485faef6527f221d5d359cfb

SHA512
1b772f73b89a9247dd2bd1116216bce440ca1b320458606e68fd03f32eab19aa605854aec84f2bc152d62e1ffe00e69e156fc82c767fdc0831a755cc790f2f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpuxomgn.cmdline

Filesize
268B

MD5
c3d41bbce8994de7725a94c87b9dd190

SHA1
139e510859ae199d104b500374dbd859c1b0ebb9

SHA256
70b9c8aeae311977aa78fa60daa5d7acdf473cfceb58dd0d1e6628f5593b6ee2

SHA512
28f4760cb13f46d517880acb71b7aecc044150acd6bc6f80e17fb79c062ce945d2b55b0136a224aff2f6ec87ee2e73c6c5096bdb06b154654a1205ced27a7ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\exam_9eg.0.vb

Filesize
360B

MD5
264ad9bad93ebad5316429e52fed0320

SHA1
39cf36000f5a1725168fac26ae96c43031c20856

SHA256
640c24a6a14c21e8200d0e2a464f71ee4796247bfba9fe8da24ca9a4e1a92aa7

SHA512
7bd9bb5e9b2aef54c21633d9a812ce486844e00e52c95dca26e7b91b821ef6c30b9a3c5d8f4689f3e45021822da2d7ec332fda48facc4637b6e0a39a7b3f68de

Download Submit
C:\Users\Admin\AppData\Local\Temp\exam_9eg.cmdline

Filesize
227B

MD5
89a1a41866d4ca36d85f705834ff9fde

SHA1
a5be9af7275ff1ce98735d0393723146f78f5cec

SHA256
d1c0c7ab7da2b0bb763eb9e252c1a9129e0b90c8cd6569a974b3ac4ab86a12cd

SHA512
9e2e575a193e7a1ce33818a2a1aa03d590bbf4c7597e3514beea3a1d0e05db545d7dc61adf3a48208bac9e99ed91914d15543dfa07dcfb0cb1307d1c2853108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpavzjea.0.vb

Filesize
383B

MD5
76dfd7e50de5eb32f77d55ed6f86a278

SHA1
f0d20ec8a29a05fb25f3835715a1b431184ec46d

SHA256
c762e034d36d07bc362b9a110177ea0d0c2e65b46211adc564d7483a423aea54

SHA512
6fe0a9ddf4426232550865f896b54cd2045e2e30cb870d96d1cbefdbc34cd1a9204fdd53a31b5e6dba74f8b1341af16dded071fb13241ee568c253d984f35ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpavzjea.cmdline

Filesize
274B

MD5
05918fa132a91a703c6478f69089b909

SHA1
3a96d6e7375cf979cf94cb412fc048fe17c66722

SHA256
742f91865112152989cc5be3a798786d9e9fbad0a81505c6c7303d5815f475e4

SHA512
8e99df99346f087b6527fb8607dd4631781178c5d30ec3d14e0d2572fcb6c84b5078ea0b1bd4cbcedac5557b343055decdac73d3c3835221e8998c2cf47cffff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nr0x6_-6.0.vb

Filesize
374B

MD5
8f886e2a47566e8325d79f8444a707b9

SHA1
85e16b30e887c8b494f5995515a4255caf805074

SHA256
36a0d6f88d0af315c4fb780cf247ec3cf859bf0707db943a9778a82b9e238dba

SHA512
28871cc1a4150c67adae6c0c026584c58b656fdcd5b1b97b4df6d652ec11f4f38b11a6044ccebe93b4df39022dd77c8d166733b3f49739d6f2b0af5c78044381

Download Submit
C:\Users\Admin\AppData\Local\Temp\nr0x6_-6.cmdline

Filesize
256B

MD5
6368d9c6b7cc5e09eb2c93556c1d5a14

SHA1
8f67583cb64ea1221e43c7482dd2eddb57abfd73

SHA256
abe44ca6a6e4edc4df882127999973ef752ec280eaba8b40630af24938a172b5

SHA512
66ae5639f59f11c94010fc74398b405bbd311429e093809558f5a166d0e0e520a1e0d78a69477e4729ac6d189714f14da1ebc2019c33cf6eda9fab4b7a8a3f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qb9wslhw.0.vb

Filesize
374B

MD5
6b492c363a7a4ba2e32e319ccf2b06be

SHA1
97a751ff2710dee7de74da5e445f953ef62df843

SHA256
98e0e0bed89719ed1f05303669d037d65d65bcd5434aacaf7da295f6bfeaf687

SHA512
bb8f776df758f925b52a8d2de088761f94c5a115d62d0a153aa966181a0224fec142ce543110f33c2550b4e486030f6f43cad9ceff0238fe3dd71e2b50223fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qb9wslhw.cmdline

Filesize
256B

MD5
51097ac02274f4b4aeba5c2d715580af

SHA1
39b0914d1212fc9611cd9b89f1b6c0039229d053

SHA256
d5e279d274b247bd21a7e7eba313105e5a8c590fbbbc55833b70d034c27e7e9c

SHA512
19e4e264075bf58278df035fa322584b52043a84f04ac6b474bdac7db971fe83b3ad7239b78a51fea893b4a61eed4e0f9dbd2e43d52f277f654a00b13d0505b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxblxkhj.0.vb

Filesize
381B

MD5
5857f4309bdf0b3b8a03de646c3dcaef

SHA1
3be3cc911bcd18d50667e739bbeb6e9d0b0b0607

SHA256
9e4cae3277a3a27b292d8a0e1caef56dc3eda4584b989f0facaf7ba406c5430e

SHA512
899939b29ae108b163b89160c6c7c7ee38288e78480dc16e43fedc9e75e9ddfedc2a54cf32b44406d781149badf7d070613fbf50e19bed4da8d36e12be66cb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxblxkhj.cmdline

Filesize
270B

MD5
398a4f3c08fd8996e72caeae3a8269a9

SHA1
a73e9f83c3da82ec60f9f46af56d1d69bfc4d142

SHA256
bdf3e51191beb7587aa6cc1a16c904dd534501e4a1ac358b4899620761af6c16

SHA512
5cd1f9cbcdd6f4637a138ffcffdfd16a8aa72eb506d53b37a265c42b2b234542132b6551a48a777ddbe6de53a62903e3d47698a710657b696960877c43be7483

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2EAB19D4CC564850BF69369CA921C73D.TMP

Filesize
5KB

MD5
d4041e02f5993476dede1ba91d500e82

SHA1
d22241768113872914fc091cfaaf78312872730f

SHA256
6f8748afeaba4e021eda72006fca5fed162f9c604a953d1a65be0c83269f72e5

SHA512
1647ce585000712c0c5a2e71eb98b26c7583092cef08e54a730fce6f8b9e222a9eb37a040456f75a710a28643efebebe42983ac1727e218de733235e61762fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc38F1437347A64E94B148D6CD17FFA10.TMP

Filesize
5KB

MD5
d0a193e2e57e3571812f99babc0c3b8c

SHA1
784e8bb48964a1bc4abf170f79315e38721c2e61

SHA256
22a591de86adc064830dd385be3b1f58c01430107581b1368d5ad6c1c46c149b

SHA512
a9546d6840782a35b9348d105b40110676215eec7ce8c8ac7b25e297677ed5b29d2591b82749fb20e0c916a131b8d1b0063dea851200474831262ca0910ab4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc44EE6849B1C498F98A7CE998362FD8C.TMP

Filesize
4KB

MD5
8ef6bcd52d4887eb0d5665bb2f033469

SHA1
3a546fc1696220221c03da8b603304b9e474d673

SHA256
baacadd5ed46bd31bca0b60eb26edbcc5c5821d25cfb25e52ef72b28b29278d0

SHA512
3d6b9462e45a9c1799e343fb604bac1c82bfcf513987b89711b8591c7c2252f3da341143fcb8c9f632dc131c240425ba8d20de6c9a5f01057c079b4266083d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc485B2A413A284152AAFC93B3298618C0.TMP

Filesize
5KB

MD5
d2516f17f3523dad847ffb8ac3338e4a

SHA1
e2f7d7fb0e3c7204bceaa053158e82f4a8a49575

SHA256
4753b1795944c1f15bc9a800ef1dce980c0d064717fa81441cd89e28e7ea5e99

SHA512
846bb2a2de877b665ef75f9a94aa8dd864be29fc97b68c60c9dc888492b861b176f1217f449a7130b4f866b76f7bd45bbf5d16b71ca9b0a082416495923efedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc647E126F28424A0C8C691661C0BD3716.TMP

Filesize
5KB

MD5
0ca9c62df642921f090cef99ab101268

SHA1
5d19ade3a5e3f57a9a59d0ff7f0cabee94dd2b40

SHA256
4559144690046a01cf183df3d86d2c24cb6d1305a7578f26252eb24cfdf98fca

SHA512
c206816e2eb99e75c2c7a8fb1c506158d27bae1d1560e9d627fee4c52c50076142f219be6c3ca9e523f07de692cf03483795ad3a98ee0cdbbef8b36c968287f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc744CDE08B4404288A12E593D7FDADC2.TMP

Filesize
5KB

MD5
4b510fa64913c2173c928d3d55fae3f7

SHA1
c865811ff9dabaeec0d5844de4640bf6fac75537

SHA256
ca0922858f815caf5b6a65965282af0979a647a5063bcfb43c38bb0b85ae2519

SHA512
2acfc8de60b6de5d89247339baacc78145faf593c7c98933a663fb1fed3f89cd87929bad5f9ae8a74fe904a047a3c4584d3f54677dbe295688a8bf451887602c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc922F202BF06A47D18F1EBF30DF47C8D.TMP

Filesize
5KB

MD5
0a84fedced37807a3b7b7d5c2c518265

SHA1
8ba83e1e6d9d7353e73f67208ef4e3ac95ba00fd

SHA256
8880e32edb7776154a0f49a01cf69f7b9567862446b1e787c8d496e7cd604722

SHA512
a00faf7c15ecf0c0a105200e0ff5eb648def293592184821b98913b8ceb128a42ce31adf220e93d976a537e9606cdb3e7ef96682673bc2f491a915a0b26162ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA495BA8988B9442590A580B2B53B25FF.TMP

Filesize
5KB

MD5
131afd72e6a17e2f70252b4d3d63ef3e

SHA1
fb65e80e86f0fe7ad7cf05936eb57f9c279f25b0

SHA256
34f507dcb0bae2d4a54ee44d54a31cd9eca016575b288491188c53d85f031247

SHA512
2510761122d40852fe8623b75cccaf299766da88ecb89e935ef0fea610ce14e6e1e1550d38dda2ebd690cf7b8eaa6b677eb8c996f1e80cf37e8e0aa6d92ab362

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA9E6884F2434923BB743ED8D927895.TMP

Filesize
5KB

MD5
9557c924d05f5098fa81019ad2f69312

SHA1
c7716aa0b2e409657e850ba08eab015b042702cf

SHA256
0048a369fa200044a923c7b045efc9378e899cef482059f08ee89d4e741ecfd2

SHA512
4fe356a9508fd6b79c836b1ce97bf74ff4e8b2a825e246c40ea26a7169e59a592862dc0fc679946c22a7e4e899af364195b5d21f9671fc07bff8751efa0449bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC17859C08FFB4C2FB4F79EBC96F8D4C8.TMP

Filesize
5KB

MD5
0f40decfcae101e4000638c7f8e25bce

SHA1
71d38310df6b6644e3d1b888e0837b5a5758c883

SHA256
09a16a48514cc4e6f7d44a06877001d88a87cc53b83f371f071c31c5c3781c5a

SHA512
246563e4652f989b943c11226babcd4989092c9eaa1804a141332228dedc7d2354d55465b077917cc4430e0a38a2fc1293255d53afd73ac7e5e9bc6c24308fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD3A004183E24E4D81E7AD12F91129E5.TMP

Filesize
5KB

MD5
74907490f0fac46b2d60b3e96a5068cc

SHA1
d789b611b013544a64b21fca1849577c7d99423f

SHA256
c4e6a1df473b948fe807f8c047bfae133400fdacd8b2e0db905916ff9710d232

SHA512
552c909c1c38ed18173953310a94af3378b8f0e0c0ec487630c010c1a9d0e92f3366b7487ee151c29ef6b2f7b7d3019c4d1c03b86dca82063cbf98b1f77c1a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFE4D7C33EE043888AB60BCD0F71EEF.TMP

Filesize
4KB

MD5
a67b3bb9772524e59bbd5fcb7dd3cf52

SHA1
a89c0db32f362f046eb2ab0c1fc4a9e708475beb

SHA256
f059745fb62b8945d4d914e31a99949727b8990f8e1b9c00d7d7cbe04f7f22a0

SHA512
eadd03700272bfd0f35d119d58c65a22ab6d67d7186d10d540f8c6459371d05839f73c0b9543ef1e016d02e1bf3e5fcf2fd45223533772ae657468a16f1815b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqiylnvg.0.vb

Filesize
378B

MD5
077afefeddce9150957ad092bbeebf10

SHA1
d315ee7103122a0900c9344f3c8a1a2b8c52b8d4

SHA256
6b954727d65c896845595645e6fa9090895922b717a811c6cab1d6449d2e9dca

SHA512
63f5d55531951e6f8ffaa226478dfa63f41c44f8e8b0f48ef1e62fbbffb51c219c9fd5c35a9dc9fbdb2ddb643e765dae1d56748c6741c3a5aab9ead967d22197

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqiylnvg.cmdline

Filesize
264B

MD5
29b22ef01b268a6b2fee847346faec21

SHA1
0f695fbed6f8a1475a32c1e4d5685e1b064f7491

SHA256
f74f40604b681c92b78b84eec46927904995266fcc1aa5990ea1bc1b038efdeb

SHA512
14a5caa4c743caa09d8ffeed1ae5d217f9d1435c49a26b83638d81067c2dee895a8c8a09fb4e575081ce0324ba1c4ae864a9838f9da4c76069af5f340493ae71

Download Submit
C:\Users\Admin\AppData\Local\Temp\vr_wxfrt.0.vb

Filesize
378B

MD5
21ef8db177ba02837ae375d561a68c28

SHA1
6379b8e64d029ece1ec5ba356c68d47992ef5aaf

SHA256
b8ba549a4880e379fe12bec6714405ef8b86454194bdf73c3f4d35bce67f8d29

SHA512
a013308d3f5565f3f57c109832ee2e928ad4d97035b9171dce55145939f5105f6b4d783df0ec96cd25aabb09203248d05635a188db05af4d4862f23fa92bde17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vr_wxfrt.cmdline

Filesize
264B

MD5
f6c733b1e5e9c0479b1b287c424dc226

SHA1
2c22102bcf46c7af8e9f5ca1b487f911272db059

SHA256
9987c558a68201fa81ca30f4e07b8ca3efddbaaa99067cfd34f1666fbf9a4d35

SHA512
d98d63a41b7eea6e71ea9af398717c7df99c64d2542b1550860f928903e5b0d9eea829f008561b91b20e1aa8ed16fe61d7a9c7f9aeef2995e993d6a181a7cc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxljalct.0.vb

Filesize
360B

MD5
93e2f7bdf4f7ae02e5797bedf204c26b

SHA1
31b53fceeadf7e43159e0a078e10f5feb7fcd51a

SHA256
d9da242d89a0ea4bb9db55d35d6eaa043ef2fb9d24de39df9a9ad7d0f6e9bf8f

SHA512
b8b066343d9f765f7a12588d2794db8f133508b5fc37e822aa4bca55eba6bc03e936238296219e960b09cdebcaa249a96298b420f100238cc862f8408988a4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxljalct.cmdline

Filesize
227B

MD5
a51f5483189cc299b4b79c0bd0fbe937

SHA1
e12097d231ec9a8e2a617fe9dbfbe1477675c274

SHA256
ddd17acd23175877b0904be076f7d7a2a71995278a06d413131ac8afeffd0a53

SHA512
cb79575c399fa39a79c6e98c7f5196d4385ddb5baf1ea9dca80a68887b40c27cc50c4b1c031f21f1be59b4763db3647db309a4580cbaf9c8f44d8d2c8b32e7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zj9j_mrx.0.vb

Filesize
383B

MD5
067b16fe0e228217b4f61b0c9990178f

SHA1
076aa918892a9d5bd3af3f2ad5c4dd2323f37a2a

SHA256
783282855c569cc53888aa66db5824ca6eb58f63651dae27de48c80cebf54d87

SHA512
2467d1fc3feb02a393c9bf58224121646d651a54d4e7eaab8754a7d4ccdf437ebf9775a30bd630514e9afb38472afef5bbd7bf00e580a7b923a5af1fc44639de

Download Submit
C:\Users\Admin\AppData\Local\Temp\zj9j_mrx.cmdline

Filesize
274B

MD5
a3c1220cb845afcd736767f41067bb68

SHA1
00c88398e31e8de61a5362345180d0eef2afa4a2

SHA256
eff41bb6eda86b329119af2c96d122e80ca5f860c513ce56b3171105a49c086e

SHA512
85a3645995cac4afaea61e377a0b9bfe4c30f7830c0b9ed285fdac3d18029efb2d2008a183c1e1c397203c33b62e4a794c7ddba69251e5cba0878a145ad73993

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Update

Filesize
467KB

MD5
69c5d667bdb0c221dbb50d3301ad1d67

SHA1
c9fb83fc1cc21052a51c1e38bdaaf8b2c3653293

SHA256
07af92f0d7debf7f977de61ae735a80a8c504620c61060953c963545e72d1c8d

SHA512
221de0fe425d9691feb2b065e9cb02a5fad2e15b92829900a77c3728bc03ce2c329792e15dbb73378cb838c09479998f243cc7fe68bfa5abe653733fb5243798

Download Submit
memory/3424-16-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/3424-15-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/3424-14-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/3424-18-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4752-20-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4752-250-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4752-8-0x0000000075572000-0x0000000075573000-memory.dmp

Filesize
4KB

Download
memory/4752-307-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4752-13-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4752-7-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4752-304-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4752-10-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4752-19-0x0000000075572000-0x0000000075573000-memory.dmp

Filesize
4KB

Download
memory/5072-4-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/5072-1-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/5072-2-0x000000001BC20000-0x000000001C0EE000-memory.dmp

Filesize
4.8MB

Download
memory/5072-3-0x000000001B600000-0x000000001B6A6000-memory.dmp

Filesize
664KB

Download
memory/5072-5-0x000000001C7C0000-0x000000001C822000-memory.dmp

Filesize
392KB

Download
memory/5072-0-0x00007FF8D5255000-0x00007FF8D5256000-memory.dmp

Filesize
4KB

Download
memory/5072-9-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download