275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06

Analysis

max time kernel
140s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe"	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe

description	pid	Process
Token: SeDebugPrivilege	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	Process	procid_target
PID 2916 wrote to memory of 2660	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	30
PID 2916 wrote to memory of 2660	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	30
PID 2916 wrote to memory of 2660	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	30
PID 2660 wrote to memory of 2560	2660	vbc.exe	32
PID 2660 wrote to memory of 2560	2660	vbc.exe	32
PID 2660 wrote to memory of 2560	2660	vbc.exe	32
PID 2916 wrote to memory of 2628	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	33
PID 2916 wrote to memory of 2628	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	33
PID 2916 wrote to memory of 2628	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	33
PID 2628 wrote to memory of 236	2628	vbc.exe	35
PID 2628 wrote to memory of 236	2628	vbc.exe	35
PID 2628 wrote to memory of 236	2628	vbc.exe	35
PID 2916 wrote to memory of 1528	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	36
PID 2916 wrote to memory of 1528	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	36
PID 2916 wrote to memory of 1528	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	36
PID 1528 wrote to memory of 2904	1528	vbc.exe	38
PID 1528 wrote to memory of 2904	1528	vbc.exe	38
PID 1528 wrote to memory of 2904	1528	vbc.exe	38
PID 2916 wrote to memory of 1516	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	39
PID 2916 wrote to memory of 1516	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	39
PID 2916 wrote to memory of 1516	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	39
PID 1516 wrote to memory of 1468	1516	vbc.exe	41
PID 1516 wrote to memory of 1468	1516	vbc.exe	41
PID 1516 wrote to memory of 1468	1516	vbc.exe	41
PID 2916 wrote to memory of 2860	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	42
PID 2916 wrote to memory of 2860	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	42
PID 2916 wrote to memory of 2860	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	42
PID 2860 wrote to memory of 2428	2860	vbc.exe	44
PID 2860 wrote to memory of 2428	2860	vbc.exe	44
PID 2860 wrote to memory of 2428	2860	vbc.exe	44
PID 2916 wrote to memory of 2000	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	45
PID 2916 wrote to memory of 2000	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	45
PID 2916 wrote to memory of 2000	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	45
PID 2000 wrote to memory of 1532	2000	vbc.exe	47
PID 2000 wrote to memory of 1532	2000	vbc.exe	47
PID 2000 wrote to memory of 1532	2000	vbc.exe	47
PID 2916 wrote to memory of 2024	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	48
PID 2916 wrote to memory of 2024	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	48
PID 2916 wrote to memory of 2024	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	48
PID 2024 wrote to memory of 1920	2024	vbc.exe	50
PID 2024 wrote to memory of 1920	2024	vbc.exe	50
PID 2024 wrote to memory of 1920	2024	vbc.exe	50
PID 2916 wrote to memory of 628	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	51
PID 2916 wrote to memory of 628	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	51
PID 2916 wrote to memory of 628	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	51
PID 628 wrote to memory of 2076	628	vbc.exe	53
PID 628 wrote to memory of 2076	628	vbc.exe	53
PID 628 wrote to memory of 2076	628	vbc.exe	53
PID 2916 wrote to memory of 324	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	54
PID 2916 wrote to memory of 324	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	54
PID 2916 wrote to memory of 324	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	54
PID 324 wrote to memory of 2112	324	vbc.exe	56
PID 324 wrote to memory of 2112	324	vbc.exe	56
PID 324 wrote to memory of 2112	324	vbc.exe	56
PID 2916 wrote to memory of 908	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	57
PID 2916 wrote to memory of 908	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	57
PID 2916 wrote to memory of 908	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	57
PID 908 wrote to memory of 2284	908	vbc.exe	59
PID 908 wrote to memory of 2284	908	vbc.exe	59
PID 908 wrote to memory of 2284	908	vbc.exe	59
PID 2916 wrote to memory of 1536	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	60
PID 2916 wrote to memory of 1536	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	60
PID 2916 wrote to memory of 1536	2916	275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe	60
PID 1536 wrote to memory of 1712	1536	vbc.exe	62

C:\Users\Admin\AppData\Local\Temp\275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe
"C:\Users\Admin\AppData\Local\Temp\275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k1-gsq8t.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc65E4.tmp"
    3⤵
    PID:2560
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\quahe-g1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6662.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6661.tmp"
    3⤵
    PID:236
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-1ver0oj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc669F.tmp"
    3⤵
    PID:2904
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vljsci9m.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66DE.tmp"
    3⤵
    PID:1468
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-b8kzei1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES671D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc671C.tmp"
    3⤵
    PID:2428
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fno4xoq5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES675C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc675B.tmp"
    3⤵
    PID:1532
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjxyamis.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES678A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6789.tmp"
    3⤵
    PID:1920
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ettzz706.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67C8.tmp"
    3⤵
    PID:2076
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4i0ah3dm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6807.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6806.tmp"
    3⤵
    PID:2112
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\geodnwkw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6836.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6835.tmp"
    3⤵
    PID:2284
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rwdjigby.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6874.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6873.tmp"
    3⤵
    PID:1712
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\skq33e8u.cmdline"
  2⤵
  PID:2060
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68B2.tmp"
    3⤵
    PID:2956
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p5zwuvej.cmdline"
  2⤵
  PID:2912
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68F0.tmp"
    3⤵
    PID:560
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ee_ozhpr.cmdline"
  2⤵
  PID:1716
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6930.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc692F.tmp"
    3⤵
    PID:3032
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oi3ed218.cmdline"
  2⤵
  PID:1564
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES696E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc696D.tmp"
    3⤵
    PID:2764
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ftpsj-2x.cmdline"
  2⤵
  PID:1740
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69AB.tmp"
    3⤵
    PID:2564
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6imr3xay.cmdline"
  2⤵
  PID:2788
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A09.tmp"
    3⤵
    PID:2572
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hfylaycy.cmdline"
  2⤵
  PID:2896
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A47.tmp"
    3⤵
    PID:2192
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c4rtp5xv.cmdline"
  2⤵
  PID:236
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A76.tmp"
    3⤵
    PID:1108
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9sbapxbk.cmdline"
  2⤵
  PID:764
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AB5.tmp"
    3⤵
    PID:2512
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxvvntgb.cmdline"
  2⤵
  PID:2360
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AE4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AE3.tmp"
    3⤵
    PID:700
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yiy4ccqt.cmdline"
  2⤵
  PID:1516
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B22.tmp"
    3⤵
    PID:2872
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hcfcjuir.cmdline"
  2⤵
  PID:2228
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B60.tmp"
    3⤵
    PID:2860
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-g2uevqf.cmdline"
  2⤵
  PID:776
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B9F.tmp"
    3⤵
    PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
ce45fbf7c5fe46598627f56ab4b6c99c

SHA1
e0f344ec6aaaed70ecb1f40e74876316233c06b6

SHA256
68792990a84b5c3448ff99c952444ee0d02c1877cc3245e5ae7aa4023c2f2440

SHA512
f6929b1af23f4f960340cd0bc8158a861fa752f7acaeec47c2dc3829bce2367f5afc901f1ae358a1ccda02d8acb529487d36eedfeac1c793bfd49d6b4aad407a

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
e69bd49fffc2d6799ce66c2ae6db27bd

SHA1
6975a39f2ebfdab8ed2697d1708bc5d3e5353c0c

SHA256
33437d4fc42ab9380d430969c2d194e6737217ec838223392eb9690f0a79637a

SHA512
b9a931802f9adfefa61d15381873556afc8a605dacfe2703505394c24f1d6214183029c6d28c67b6cfdc79fac7961afe26e4cccdddd9c4d0461deee7a090f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\-1ver0oj.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\-1ver0oj.cmdline

Filesize
256B

MD5
551f633d2a6dccd0a9f9e0f2a4ea15a7

SHA1
59e5ebcaae7557ea54180b3accaa5d00e2f5d9f3

SHA256
01a4da01c6facfa97c872bc2ff31a3c79bb11ed8886daa4c95373fa742d6da03

SHA512
9a826adfbf8d647c7757ca550d410401fa9625918962d36c1c3168a74004b98b3319978d8e66ea1e64c3cefcb06a14ab04b4e52c969f4634f33999e2c2846e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\-b8kzei1.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\-b8kzei1.cmdline

Filesize
264B

MD5
6d48d17a12dd9a6ec53b597b70a9fd01

SHA1
c9f87a2beae5eebbf386ffabf223fcd1689b711c

SHA256
2603f4edf1f1475966d8cb4ebc419dc7e0c3ea59e896542ff49729e65127618b

SHA512
0cfc0f58948c0c16a6a053db4c84c4dbb96d132394239cab57b29479139522771e79287954c4400f454a055a6d50f9e091d088fc423d960929268a7658b0eea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4i0ah3dm.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\4i0ah3dm.cmdline

Filesize
268B

MD5
5e9542e6ac3882e83237be96631dbb74

SHA1
044fd6511691d67cfcc7054950c10272b2700c37

SHA256
2477c561a1d189f7c6aac11aeb989ac58eeff215cfcd95b2777904fd53812ee7

SHA512
00b90b6b6f51908cd62076d0b26ac9c00950b857422424ae30d961b530393957a76145510ed5682ce94103a9e0ca8841bb2587d48a44b427532408a732535e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65E5.tmp

Filesize
5KB

MD5
f6948fa6aecede45b97b01d43bafbb49

SHA1
4cba549d45f0058f36e9701fe0022be69087ba5c

SHA256
2a1a1740f7052aa10c25de0f5be12125fd1c901672b9e80fcb2ef375f11900a2

SHA512
b3ab5d01b60cdf7e8d20c871364fd1ef56fd4904cc700c737a969332cd8c616ed63a42d48ea0a8516c28dcc9f0ae8d994ff228832f977e6ced462486854e3001

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6662.tmp

Filesize
5KB

MD5
159f374b49e640211f82530e480db709

SHA1
ef1decf839d17b39e5a0ae7ddf5afbaa7dd0ec2e

SHA256
5c57f11bd66bfd37ee7bd52789c45e2ad33a2561307fa6b2301379d213a1bf8a

SHA512
cf9da88ae126b7bc0169070f66a80ccbf2557471ec283be71e8a1824c386d38be98d4378e996d728134a1ee6e938c809d7db05b4f9dea7f037f2039ed13c84e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES66A0.tmp

Filesize
5KB

MD5
113c8019e7197ea000cd01f2389444d1

SHA1
668fc45f534e713098c10e389d98df42dd171142

SHA256
090413b4769bd69cad79d89c379b8c56b8621c32a9f06486d871c080d2696055

SHA512
92f685221d468908bc425e1538b6db03c8e0f4d87444b81d47cceefedaee3fa59fa63dc98480b1ae318d1f18a35d902a7b8506a1e7063ab6610d3f39a24dfad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES66DF.tmp

Filesize
5KB

MD5
9d8f49adbe5b87cbf6383b7c582fe61e

SHA1
0d2e50e61cf9eb7b32f1e21d7cf9c8577830d261

SHA256
482a095cee58eac920a3f066ba23b9925d331cc7818f038299ea624a275ccb53

SHA512
f95429537a12f21ed59b4121f96b49c4989ddb85959d3c9e0004c5f6d248ce99cc9865b79d92ae1eab863253f1d1f6e709bae99b6cb2bbce1883b1b667cc26ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES671D.tmp

Filesize
5KB

MD5
f9fcb31f401855063ef6d2bbb708a2f8

SHA1
8f901beb032009edcddf088f1e2b90db1ab0ed19

SHA256
7044528a7192a45183b1051491c1fa413e7e19bd405d812b3bf8e2ec6a81df9f

SHA512
bf984a6a191a09eb33559a428a87171b44383355925a74d4e1471bff0bfc9c4e10904135219d3148d1e490db49dba9e06eb5e4276bac05c880cd0616d3bf4e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES675C.tmp

Filesize
5KB

MD5
90135c9f14b836315efb103c351a8735

SHA1
19606bc5c0daf7072435eb9a00e06c091fa9b7d7

SHA256
d073a823306da6a28b562b83d1c0ea72e1a1b1fbde0a6a35e7707888109da0db

SHA512
905d08ac3c94e2a6309348279018e051b5375e546e30a474be88e70ce84bfb231de8a8d0095d94a69c38a6272ff44166d55a7a52ff59934b8d8ec14e000e0d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES678A.tmp

Filesize
5KB

MD5
a804ca6f67a3a89bd3053a109ca5a5b5

SHA1
e1739846c11207a2a788893acf22adeb61bdec75

SHA256
8d9a2422ae89c037422058a921d688ce0d8a34c67676cfabff7c2a17420d4dc9

SHA512
f639ba6e1c87f5532a0f28f0915f313b01ff2f5f53aef870848a106dc5b1ef5bc906be275866155494bbe02b059b2437b7737c53ca2c6e5080c91cc2921cb3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES67C9.tmp

Filesize
5KB

MD5
66c7c8be750dc112ab250086c70bcb20

SHA1
496ed95e0deab83618dc64ca649774508ec480a6

SHA256
6a0765e8177e618570682aae52f2418702aa1cbf21fa73c389154441a0e24e50

SHA512
7f19039ffc80cb23845fd7454f423e01b94f876cae4f2796aec2166acc8b69ef5aca72ce7c477ec303f89860775eed5372020767e35c35c35daa8ac4467566ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6807.tmp

Filesize
5KB

MD5
5d3f52c4bbd37d9e82de3bd147617106

SHA1
574d0601f3db1cf0bef662dda6523670efdc2f26

SHA256
b2942a200fedc59a586b48ec4592e75a3292653bca6de6468df56c5d1ecb5e43

SHA512
9f99fdf9edc33ddc386575eee811fcf708bfb8cacfa17acda608cc06c5af8958f8e4aa334c47966cfc56791a0827432af57d0e2134a56cf01b748d94a5591d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6836.tmp

Filesize
5KB

MD5
ce905586fb85651cf936577aea02c4bc

SHA1
c574d8f404545cbe6e48bab6b2a733353b844edf

SHA256
f31474eadbf08f77cf66b006e65b959fc18ef32153ef13ee39b22215e4a07e86

SHA512
8ce22e48ccdc28aa04ecc5d444b82263d9b7b055ac362092b7f28712746175cfede5d180adad207b79519e6686fd665259481463b13b38e23bca24fa2390e11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6874.tmp

Filesize
5KB

MD5
b9d3f75f35ecc1ac1403387bf3115cc9

SHA1
a22433b6156981ab0fcac1ecc355f1059a17841d

SHA256
263adb7a463ac4da72bc55af2ad47429ace0dae4d5f491d4ee214229ad2e5d78

SHA512
bc01f0bdf12163547e043b315bd06854fb3dd3c1933d44db75b368aee8af427910347c1c5d80bda356739907b55e28e03b6f2c086ebdcdbed91246aa68395a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES68B3.tmp

Filesize
5KB

MD5
05b3d174a08a8bf99a65f0219152dc32

SHA1
160b8c7e58ee8d2f42bfad009763a1f7d88c78b9

SHA256
c843b61c3941bc3a9b03d7b28252a015b715b23a411c3f2154c4a6f3e228f737

SHA512
8f9c95b31fcbb009be1240cd1d9233fba3f26477048a6186b3de6712b38cfaf618b7e0c288224fa556f20dbc58b21cd03e8c2cc089dfc25ad2abdf416144b950

Download Submit
C:\Users\Admin\AppData\Local\Temp\ettzz706.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\ettzz706.cmdline

Filesize
270B

MD5
dbf7ff21ccbf525e70e684640bd16aad

SHA1
e2da055fa7ef8ed78eab347fc6b873d84dafe605

SHA256
77d0e4b246689afdfaca32c14414fbcc46abae5d7cd5ec9b8f08c700f5ef669e

SHA512
3ae9ed5804ef552eb7bf83de8bd980e388667fd04557071189c688818b3d223be1d97020c357505844d64de9b384b8d0851f6324476cd39068276e898e579972

Download Submit
C:\Users\Admin\AppData\Local\Temp\fno4xoq5.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\fno4xoq5.cmdline

Filesize
270B

MD5
43c3685c3f299804b7daeab48c1569af

SHA1
ac6847fc8f272a0cd7b1514482b4afe70eaff20e

SHA256
a410bda2312dece85589e9a8dfec150958f0c502d55fcf0de68e186f4fc4ca68

SHA512
345859d4f6aa242169cd93dad59af9df6b97a9d55b43ab9fc0b5f23cc56452a7917ff983cd5ec5c7952505c3f4d9760db94b99dd610734bfa1c8b416079481d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\geodnwkw.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\geodnwkw.cmdline

Filesize
274B

MD5
44cc75c02ad05e76cdaa343177225a3a

SHA1
9716f785f79bd659b41836fd82c4a741cfffe3d7

SHA256
28377cec42b02dfd6bacd30575545590824c3c4b0f2c499ce24cb18cfc222ec7

SHA512
f6270db384cb59345095757a70c0303e891d9c494571d1a9c64ecb5820a8aa0f0c6201fac7adda1c27d4cd1ff20b2c40cada97cc3cbfaf6c453e420566da8a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1-gsq8t.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1-gsq8t.cmdline

Filesize
256B

MD5
edda622b2ef61c8364f7fd6415799b04

SHA1
e731c7419cbfea52de138a9b4b5f8c6e4a6c1c09

SHA256
615249f37452970cc65b0ce3a26e7e326d81f083370e879af751aabc5cc0fb03

SHA512
98f8a095bbd10b6330ae1d97a71a99bd56c02886be2dceecf24fae3da82e9993ade93d06e17aa2825015abc9723c7db565d27dbaf7f9f0dba42e32342522d6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5zwuvej.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5zwuvej.cmdline

Filesize
268B

MD5
09e2d94fe0acad88366cbde0746e29f6

SHA1
a2f4c5623ece323fa6e98b55736c27b75c8d2054

SHA256
c42aaf4bb58eb017aa47bd30e4b85dba6600fe1d4903abf10c64be42cdcb45e6

SHA512
220f7b5ad2266dba0e74dee00a58e67cba98fb422d4bf5856682dd7fb987ee5ae62786593fe15035eeb0ed5bad243b3e30b56327ada87d6aeed0bb500a49c342

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjxyamis.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjxyamis.cmdline

Filesize
264B

MD5
9ac29e78d997ad57965d050194e808e4

SHA1
7220302e7095575cee6e431afb6fda8ba5b625e6

SHA256
09f7f48aa138cf97742b5567daf7bbe0d9baa3afc1f9a8a59de8566b9c3b82e6

SHA512
0612f58a65b438bfcf4f0bf60a97ffd56d443cd989e2e494dd7591acfd4c35cf5328f3fa382a38dd3fb843f4aa026a5a6633411c24567347c219f5b5edf8531f

Download Submit
C:\Users\Admin\AppData\Local\Temp\quahe-g1.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\quahe-g1.cmdline

Filesize
227B

MD5
d379bf51c5bd67a0cf73b843d9f803d3

SHA1
1b9d1121860fe40643248706561e78c233b4141d

SHA256
5b6280223a956eb63ff1ef33854f503e1ea63cf29f0d4da65db6f3ac4f451ca1

SHA512
fd22ddf77c36d08ec01842a7f21bd2301a85bc3170462e0f969f18b429f09942a5fa0db9f7eb41b3420e92d4a2db8f5fad8964997f6eeb59570744641b0fb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwdjigby.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwdjigby.cmdline

Filesize
268B

MD5
38c3c0879c3bf1ff04bfe7457cfb6af5

SHA1
81398adb246b5a3fe8facc1ffeb3d504e0abbe07

SHA256
17ecf04c39a276c9f7ca9d656d5d5983bb755579fd0912e293235aa8f794b559

SHA512
54662b3d73cf59b8292aa0651de34c8b67aa1f288b253a0c12fdf5a792e60388993d2fc1a2ead11c9dbd92f9d1918c6e464c6d21f264e8a5f45f1ee4ea3a9d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\skq33e8u.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\skq33e8u.cmdline

Filesize
274B

MD5
34ce81823d8c6b564b76f74b106eae9a

SHA1
698067e317447416996cf1a4f84f8b74bde30d13

SHA256
6db23a1412ed8b5ea0845e804c945fd404cd6de1d8afa147fa4ff7cbcdf0d012

SHA512
d0e5053129556fc969cbd6987c4e28376f20fade8116f128dbd6dc0a675b678077b54b384570fbccd9e26b2fd2eec87b59bad3e5c19586c076bad72ae20238e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc65E4.tmp

Filesize
5KB

MD5
97f90d31bbdf02bec54371d2950f2f20

SHA1
3bb06b81f2c9b550dfe755e7613b4f3e22669c63

SHA256
191f3fdee3d4f346c91e06ddc67d88fcb3fc1ab7e1be25b0526e72bf6e0ef02c

SHA512
9611d249994dc1a639e6fd81769c446d7587c2a6253dedf43ded6357b5d4ee9db9c47e519b4382f1de97a47b6008ce5a62c11ea7ce615ef1abbcfd600d1733ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6661.tmp

Filesize
5KB

MD5
452354b8f76e583a97d073c24d9837b7

SHA1
f37484c4f1198d89bbbeb310e112899061c8ed4f

SHA256
c022c752232c34d61d8682fe90f26fe91f63c0bc9cb62fee79a84ee8a254b61b

SHA512
2dff7560f9bf5fed2bdf559de3e0cae1e2c21b8a59daf9d401358a95577381a305759994ff7a55bc5293c9714de4708d859d8f71f48c26633c62c215ce5f3421

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc669F.tmp

Filesize
5KB

MD5
71324862c7b45fd4c5010e3214c49178

SHA1
17c413579c5216b0aed9363311f96c62d237bf8d

SHA256
3b151877a52c4aa3faebc48ac7e4d2bb793bee3b6146ecbf89fa5af8e1014b96

SHA512
f06bc547080a07fb20840dbe0942633364f032f4e86d5297a5f748f4310b98076eb65037b8530c66f167dcbdd0cf663301a7e912903ca8a4f545decf3fbfeca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc66DE.tmp

Filesize
5KB

MD5
f91ad2c08406e8f7f5ebbeb063394fd7

SHA1
3a82be393abaa68b4c61ffd1ffe4b679623d6858

SHA256
b51cd8defd668ca7060e4e64b296b8683263c9fa183433fc0f01b6de082ccb50

SHA512
45e28009c8fc7690e83aa101e18b9bc0a1392890d3d8f80bb87ccb9e615fd10ff8baa0c2c38df1779abf51c7946d80b02b0c34aa2484859b6e863bbe2eacd7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc671C.tmp

Filesize
5KB

MD5
5c60372f12c186ea089c0f15cfff6ed0

SHA1
432262da0f1c00bd92f1e2e1f7a98f9cf7af48c9

SHA256
d41713ad01e7c19e02da71a61a245908820944efe7c60369f09aea7922b6e37f

SHA512
fec79d0928d966bb57e3a0b530383dbfcae19c6bfb2fe9b7ba42985e1888359b406f6508d95e8186bc9650f9a4c6a8a402ba8e93f49bbade6963fc70b00de7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc675B.tmp

Filesize
5KB

MD5
a17632fd23476ad93e2e8d480d4301b2

SHA1
a6cf184939b46b6b3ab119db7bb2b704a94b93a1

SHA256
309300f575636b15ce9455a8ce828f74991b1e07566d33f1b7a36ae816f93b78

SHA512
a6ef810516815d0d74cb4f733b9df6d38602edd6aecb44440ee2b4d6b5a3beed15b2cc92f395bb6a359dee02ae8ee60bcb924cca71584f062403e55640047d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6789.tmp

Filesize
5KB

MD5
ce3585e20a1a21bec81eeb286be8e21e

SHA1
b22e1621540487dbf33c6ff16224f684846a381b

SHA256
cdcb2fe63e17bad15a24fa4df897650ea0383c6c774570dc1688430d67b3b573

SHA512
4dcb91ff578d191c63643895ff60f1eaecb7db147f3f468dada100cb4cfda76119b074adfc365003be862414708f8f806f39936da8aa7261f27605404d98c475

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc67C8.tmp

Filesize
5KB

MD5
730c7ec54491d81264c7c47a773b2ab8

SHA1
d979ecadf7e80953aa0c229ff77c453897102053

SHA256
71150a843be31e9ac6735e9066f949b54bb0826a951ee6e11f8906a73dc02d44

SHA512
fab4abaa2c0bacaea2f534739e953bb248579f91aa47ea0f5eac896202921df1815356d70316a00d862820afd13d5511f40d0061391d36be836c797257a76318

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6806.tmp

Filesize
5KB

MD5
43ba9fb6d7febe860455dbdccbb73006

SHA1
910740f113336290128eb5cd6c8778c89a52fe78

SHA256
efee7902eb2ebddcf1b81b575f2ca31e9caf397f4a7fba0f8c63c9440bff1234

SHA512
848a0bfa57c9d774942c3034de7cc1b1431c00e456d5e45a62abaf5b274627031a19aecc68f071bc2a9f831092f6c9880cd0c4513f82ae0d7d09a81b409ad137

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6835.tmp

Filesize
5KB

MD5
4a3a362989568541b75e7132990505ee

SHA1
d8d831e5f2f2cd0d51feee6a9ee4f8f01553786b

SHA256
05897a89ed88299ebd4045aa4ff8064752631d80c4bfb694f664824468535e92

SHA512
0f047bf6c5664b8f881833b42f67a842b2aac2462f4016f94977bf015c6f8d11830a8b4bd2f1e744bcea4989214930886adcb0919ad629f5af49f40b82ad6a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6873.tmp

Filesize
5KB

MD5
f0a0424632f58d31e6f42da83f47823e

SHA1
e89db83ec2b32588516365096b63fe099c63525e

SHA256
32d96d9257cb4225b2422b39e03c55504f9ca1a6100e2e21a75c36401570d29a

SHA512
9c40fec000879415cda632fed10b547da42e0ab341a24af25d65ba69c025c894c41804620611f5a8d929631c382aa6eca8d6320ac74c995aefbd1312c0c6cc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc68B2.tmp

Filesize
5KB

MD5
cccd12658d666441d1d80906a7127028

SHA1
665cb475bd1748fadf1f607fe9550e2ec4c89c4c

SHA256
53f112f5d6421aacc71ff8acc478317a302feb37f34695c051f6ec40fdd52e8b

SHA512
8f528de3df02d8a4a2f9493a11f9c929d469ac2ec74aad744f8b4b37671eda2df5e900aafba506a514bd22616b115f10a57435305da31cccade243dca706551c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc68F0.tmp

Filesize
5KB

MD5
47bc25715f9e5592cbdaf196b000a7f3

SHA1
16846bb61f999895bcb3f0b10e9470621472e1b0

SHA256
2c46701b1c8ddf5cbd126824ab61f8e7acdc7e850b87b773f9998ea0c79c6c11

SHA512
c48b9396b7edc0d8807f8dbae6f1ce255536886b23fcc7c5aaadc9d1e5a33e9b0f060b90680a29645ba5c5f27abfc3dfd746e17bc8511805b6b0628da8a774f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vljsci9m.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vljsci9m.cmdline

Filesize
227B

MD5
0d5dd075df869a388ec80e99fb7edfa4

SHA1
b215df1be3c47de2c59f41d28ed7452543313b12

SHA256
848a40e4fd363bdef77c0ecd62c18f9e354b2521459621e4338d0f3bdd046f4b

SHA512
cfc8d912067386c5cfc8ef94bb9393af7ea4286e685ea105e71b6fea82377443dd2638d67442efb2f9ef7292c77c00db332e2795cddbb4c1e76017037b426e3b

Download Submit
memory/2916-2-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2916-3-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2916-0-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

Filesize
4KB

Download
memory/2916-1-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2916-4-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

Filesize
4KB

Download
memory/2916-306-0x000007FEF9610000-0x000007FEF9C81000-memory.dmp

Filesize
6.4MB

Download
memory/2916-307-0x000007FEF9050000-0x000007FEF945F000-memory.dmp

Filesize
4.1MB

Download
memory/2916-308-0x000007FEF85D0000-0x000007FEF8E34000-memory.dmp

Filesize
8.4MB

Download