revengerat | c9d1c9ef3a637ac66861d41a4c35e9be5cb2abf286c585e093b5ed281bea1c66

Analysis

max time kernel
53s
max time network
46s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
12-10-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

108KB
MD5

f55c1e64f9428adef9ab57b608d01587
SHA1

c85960f54528f94ec839b6c2d125c7249815427f
SHA256

c9d1c9ef3a637ac66861d41a4c35e9be5cb2abf286c585e093b5ed281bea1c66
SHA512

26978fef89a5cdf7baf8ae04823c238e4db686fbcae5a5ee1dcc9acb9a4c06092289f4babf84d1cfe954fd67744e2cc5cfbe1b46668d807edd03632bfc083e80
SSDEEP

1536:7ALrNYa/BoIR5qlTSb6cPekifrK1J/r8Th9M8haZ40VRX37jBqapD3tSYthxdHM+:Ob/BoIRcfdh/03jr9SYt++

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/files/0x001400000001ab52-298.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 1 IoCs

Processes:

xdwxsvc.exe

pid	Process
3528	xdwxsvc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Drops file in System32 directory 1 IoCs

Processes:

Client.exe

description	ioc	Process
File created	C:\Windows\system32\xdwxsvc.exe	Client.exe

Drops file in Windows directory 3 IoCs

Processes:

taskmgr.exeClient.exe

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	Client.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exexdwxsvc.exetaskmgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	xdwxsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xdwxsvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Client.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

taskmgr.exe

pid	Process
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Client.exetaskmgr.exexdwxsvc.exe

description	pid	Process
Token: SeDebugPrivilege	4488	Client.exe
Token: SeDebugPrivilege	4656	taskmgr.exe
Token: SeSystemProfilePrivilege	4656	taskmgr.exe
Token: SeCreateGlobalPrivilege	4656	taskmgr.exe
Token: SeDebugPrivilege	3528	xdwxsvc.exe
Token: 33	4656	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4656	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	Process
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	Process	procid_target
PID 4488 wrote to memory of 2996	4488	Client.exe	73
PID 4488 wrote to memory of 2996	4488	Client.exe	73
PID 2996 wrote to memory of 4244	2996	vbc.exe	75
PID 2996 wrote to memory of 4244	2996	vbc.exe	75
PID 4488 wrote to memory of 1424	4488	Client.exe	76
PID 4488 wrote to memory of 1424	4488	Client.exe	76
PID 1424 wrote to memory of 4848	1424	vbc.exe	78
PID 1424 wrote to memory of 4848	1424	vbc.exe	78
PID 4488 wrote to memory of 4648	4488	Client.exe	79
PID 4488 wrote to memory of 4648	4488	Client.exe	79
PID 4648 wrote to memory of 3020	4648	vbc.exe	81
PID 4648 wrote to memory of 3020	4648	vbc.exe	81
PID 4488 wrote to memory of 4164	4488	Client.exe	82
PID 4488 wrote to memory of 4164	4488	Client.exe	82
PID 4164 wrote to memory of 4584	4164	vbc.exe	84
PID 4164 wrote to memory of 4584	4164	vbc.exe	84
PID 4488 wrote to memory of 4068	4488	Client.exe	85
PID 4488 wrote to memory of 4068	4488	Client.exe	85
PID 4068 wrote to memory of 4428	4068	vbc.exe	87
PID 4068 wrote to memory of 4428	4068	vbc.exe	87
PID 4488 wrote to memory of 4400	4488	Client.exe	88
PID 4488 wrote to memory of 4400	4488	Client.exe	88
PID 4400 wrote to memory of 2888	4400	vbc.exe	90
PID 4400 wrote to memory of 2888	4400	vbc.exe	90
PID 4488 wrote to memory of 4368	4488	Client.exe	91
PID 4488 wrote to memory of 4368	4488	Client.exe	91
PID 4368 wrote to memory of 3536	4368	vbc.exe	93
PID 4368 wrote to memory of 3536	4368	vbc.exe	93
PID 4488 wrote to memory of 388	4488	Client.exe	94
PID 4488 wrote to memory of 388	4488	Client.exe	94
PID 388 wrote to memory of 3564	388	vbc.exe	96
PID 388 wrote to memory of 3564	388	vbc.exe	96
PID 4488 wrote to memory of 3528	4488	Client.exe	97
PID 4488 wrote to memory of 3528	4488	Client.exe	97
PID 3528 wrote to memory of 3156	3528	vbc.exe	99
PID 3528 wrote to memory of 3156	3528	vbc.exe	99
PID 4488 wrote to memory of 2704	4488	Client.exe	100
PID 4488 wrote to memory of 2704	4488	Client.exe	100
PID 2704 wrote to memory of 2944	2704	vbc.exe	102
PID 2704 wrote to memory of 2944	2704	vbc.exe	102
PID 4488 wrote to memory of 2076	4488	Client.exe	103
PID 4488 wrote to memory of 2076	4488	Client.exe	103
PID 2076 wrote to memory of 4216	2076	vbc.exe	105
PID 2076 wrote to memory of 4216	2076	vbc.exe	105
PID 4488 wrote to memory of 708	4488	Client.exe	106
PID 4488 wrote to memory of 708	4488	Client.exe	106
PID 708 wrote to memory of 32	708	vbc.exe	108
PID 708 wrote to memory of 32	708	vbc.exe	108
PID 4488 wrote to memory of 660	4488	Client.exe	109
PID 4488 wrote to memory of 660	4488	Client.exe	109
PID 660 wrote to memory of 1596	660	vbc.exe	111
PID 660 wrote to memory of 1596	660	vbc.exe	111
PID 4488 wrote to memory of 1216	4488	Client.exe	112
PID 4488 wrote to memory of 1216	4488	Client.exe	112
PID 1216 wrote to memory of 1840	1216	vbc.exe	114
PID 1216 wrote to memory of 1840	1216	vbc.exe	114
PID 4488 wrote to memory of 1404	4488	Client.exe	115
PID 4488 wrote to memory of 1404	4488	Client.exe	115
PID 1404 wrote to memory of 1656	1404	vbc.exe	117
PID 1404 wrote to memory of 1656	1404	vbc.exe	117
PID 4488 wrote to memory of 3512	4488	Client.exe	118
PID 4488 wrote to memory of 3512	4488	Client.exe	118
PID 3512 wrote to memory of 3688	3512	vbc.exe	120
PID 3512 wrote to memory of 3688	3512	vbc.exe	120

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\flgiex3l.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES466A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7985BFF909B4A3F92FC345C1FA81784.TMP"
    3⤵
    PID:4244
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b7s41t9v.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES484F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD552379E6A6C4E74B3533B8188D32394.TMP"
    3⤵
    PID:4848
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mdip9i41.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4978.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC58AB0F13FE944F190E99F0ED799412.TMP"
    3⤵
    PID:3020
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u0skwl12.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71597B7EB8F4B9F843A2372D43987C9.TMP"
    3⤵
    PID:4584
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a_90wjea.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED1ACF60D17B4A639AF992CA183D55A.TMP"
    3⤵
    PID:4428
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifcrw9zl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFEE9BAF70BE4E8A9CA33F596BC6331.TMP"
    3⤵
    PID:2888
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ggmd3tui.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95C4067ECE144871937E24BC876A523.TMP"
    3⤵
    PID:3536
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lik4p-c3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc996D17AA4DBC4189B2F6A3A29C1D61E5.TMP"
    3⤵
    PID:3564
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yazntbry.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc734DEBFDFDC42C09248B8F55EE51E9D.TMP"
    3⤵
    PID:3156
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dymwbfeo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5196.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56983218EAFD423BAE1C51BBD4F13F9.TMP"
    3⤵
    PID:2944
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bvdvti_w.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES536A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAEDB8D78D9340C1A457D996FB3C8BB0.TMP"
    3⤵
    PID:4216
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\khuthwts.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5484.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94E649A794DA49E7B2D1F1D4B1787B4.TMP"
    3⤵
    PID:32
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rhmndzmq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B37D81AAFFB42D9B5752EB4534FC96.TMP"
    3⤵
    PID:1596
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\modjiasp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC40768DED81246CAA1FDD8D3933B57ED.TMP"
    3⤵
    PID:1840
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rjeketaw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13724569FCE4A7C8766AEA9C58665CD.TMP"
    3⤵
    PID:1656
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5i8xaxsw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5946.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc231C986470B342A78D59B9FB852BC51B.TMP"
    3⤵
    PID:3688
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i3c2mefp.cmdline"
  2⤵
  PID:4164
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17ECB50010FD48D3A27314F3922D3A0.TMP"
    3⤵
    PID:3732
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2mnjzefc.cmdline"
  2⤵
  PID:4728
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F5B53E7F6334B30BE2353B9B0BD2BF0.TMP"
    3⤵
    PID:4420
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ea8giy7y.cmdline"
  2⤵
  PID:3400
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES605B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6D953A3CE3948669348B2BF69E99D41.TMP"
    3⤵
    PID:4548
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\67vgigp5.cmdline"
  2⤵
  PID:4884
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF436C961494E424F8EE8D336EB40FD62.TMP"
    3⤵
    PID:2968
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wd6iqlon.cmdline"
  2⤵
  PID:64
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES629D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E117584E49744EFBAE8689224BBBDC1.TMP"
    3⤵
    PID:3564
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\__bozwgp.cmdline"
  2⤵
  PID:4692
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1851F8AA8CF4F5792C9F8E765C4A8C8.TMP"
    3⤵
    PID:4312
- C:\Windows\system32\xdwxsvc.exe
  "C:\Windows\system32\xdwxsvc.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3528

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\xdwd\vcredist2010_x64.log.ico

Filesize
4KB

MD5
d5997b8f3f9665fe1cd7defb29cff584

SHA1
7b281c8982b042d77e7a53ce282eab7f8417adc7

SHA256
ba40f96904ef649d30f9477d2e1b770b312832ba81e6345946645c15dd4ceabc

SHA512
88f66652b43ccdb551c9e876eab1e7f0bdbf2b8c19bb9b871402e94d1e826424b917495dd3b79c228724f49d1495cd3cea49fafb7a14f23e5e1eb6a29b68871c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES466A.tmp

Filesize
5KB

MD5
abf56584d5d8a22043c6e62dc05ee982

SHA1
840d96e0ae2d6ca5a2f56f48f7899b6ae1452801

SHA256
775b524cd44b19d208042e595ca0c42011458a863010914935950dd6d78bf824

SHA512
69944785b02eb4df54989d341d6cf0cda4f190befd9096343c41ed9fc2554572c1a4b2e805ea798671178f224d1b12c17e2f54690e591ae598ed7c392718fff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES484F.tmp

Filesize
5KB

MD5
4fbd8aeb8f6d460320ebd60406561933

SHA1
8922dcc646d98fd6b20eed2d249b85cb74e8ceef

SHA256
ca4cd2be6d099f14aaaebb9a68dbc76555455ef7b2373123a52077009e1ceebc

SHA512
d1a6565d0e9d005a464efafb04f364dc3fe15cc28434178bff0ce43b52144d48c7dbee4ead44b49a2f350a31f654ffa331439b278b20412d0a7228e88cf35542

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4978.tmp

Filesize
5KB

MD5
9804ab222bdcfd88ce3f4289546bdbef

SHA1
f0ea16f779bf1671a3d89461b697ed2a62781cf6

SHA256
43a8ba28946a602217b9fa0a3d0e9ba8d6fbf6ef340fc786864c967e562fb50f

SHA512
34f6054efddc8fdefaf2939aecce93af7d7e4bebf471377efd3b4b693e2082cce8c8e2eec9d3cc4ccf0861c3fd4ce6a5b59d117031ac6066279a53b95e50a790

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4AC0.tmp

Filesize
5KB

MD5
c2ebb14da1b6afe81d0d105feb068b1c

SHA1
aef5fd24109819d374e6cf7daac04fa013a4b227

SHA256
4dc0f87ac3db59adf4cc47fd155b6f5ed7189893a91b1a91e934bfd21e15be52

SHA512
4b77c34072c697af4e55d20a62ee0ca598b9a39f909460b05c4b65e323758a782aba169a6a5547da6bc450ea6eafc79b38915e7c6c3b720c3713369035f95cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4BD9.tmp

Filesize
5KB

MD5
a0476bfcb80519db89f88c6210b913e6

SHA1
da52ecd096c448dc0aeb82d006a0304ccd4c3d60

SHA256
dfd9c34f1200cb6bd8ad6b0776dace75b383ea59097182961c6a0027bff37345

SHA512
ba682e0d345456a6f321da29ac9cf6ef4353524a796a79562b6318fb436d190eb3c139d2f82f88a6d300734a21d2b88d30459a1adf7c631cefccc64c62a802f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D11.tmp

Filesize
5KB

MD5
4da35df21901483585884acba7360197

SHA1
fa1cb86caf9fa51035835256d7c9306f31a27414

SHA256
9a399209adc8b8846a47c8bf298c56f98234400a3740ac096f5a699e8dfad6e5

SHA512
3d290dfa63cb7898a69724bf28ad90b570f30c8297a8993cf89226eb1a1e789ded28420324d25c7a18522216bbd554171d12adea3222b02c5c45e3871a5b8977

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E3A.tmp

Filesize
5KB

MD5
b1c093e49a1d45a75e52d44677d78797

SHA1
a9b068a3ca2d26672c526f89fb024c45672b085b

SHA256
5ea17f483ec0887e202f787ecadb557aae0e19141e936f129bbdb28d4a895112

SHA512
10c389b2c88726159560c50aa32e59d30b5311d9dc0158c5dad1f883fe705036b7409be88662b2529b642b5b6d9475e7d8334968b0ba1320f0c34e696b6cde15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4FA2.tmp

Filesize
5KB

MD5
f7c19222fb4344c8c838bb44ca50ad88

SHA1
0e1f20573402202f2f4a9a43e21848675ec52653

SHA256
0997c2024c781b229b04b15d89e09e300fb05f36391384af2069c7716eb2c64a

SHA512
38ae9fd7e1f03a2635a60e6f2a32c8ef03ea1827c032cebb92f1cfa0483aef91b19ca4a1773728853e96895f617013b23c8fc2859eb38904359bb3adbd691985

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50AB.tmp

Filesize
5KB

MD5
c0395393601bcde7185ea3b1302ed5e7

SHA1
346cbacde22948e0d5fe302d1d37ce2df7a5e1d0

SHA256
e690511e825b89235b8d4412d6e29ddaaafba3064f205adbfdd0d05bb9bd93d5

SHA512
19709cefcdccc36fd541821a7a6d30e4aab5c9086ea82fafd48a22227e73d0e37d9746f4321b089fa7a1c5a427a9379ad8e3737bfb72bbb40041de39c6f9bc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5196.tmp

Filesize
5KB

MD5
d7ed6201e9e061ea114f2b16d0760a35

SHA1
9a7cdcf35b9228e71aa0c9b1d0a21288a9ff20c1

SHA256
fb1dec465bc38def0cdd273f21815c2cf8f7eb66016d9a6918e9fa10a8db939c

SHA512
d9bf43b410f96180d9f70a93a066ea20f8b0b62b63861e2364fcf77b1a5fefdf2042b4f7cad95648b47760064ad158cf9d54784084bd276b8afaec9c30a62d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES536A.tmp

Filesize
5KB

MD5
eef0a40e0fd5917141c62e69dd48c333

SHA1
dca013396266d0948efe4ecf63abbace54b2c114

SHA256
fbb261a904244d4c29397b1b75608b87d7e7757c4ff2a2d803487cbe10919d88

SHA512
2ee0de0648e323c785f448076d0ff252f7e5042d9ba49c169f68b81a5ac54b6fdcf948d421d5ee0643232d0da0ac2993a80da17669d128d31531832f676a859d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5484.tmp

Filesize
5KB

MD5
323d73690332a2ecc7693b9518c1ad71

SHA1
3ddae2163deb7b762035991fc90b627054468132

SHA256
043452e6a951553ac4c3d5ebd066c92ebfa38d6e4549414d42c85a098227a97c

SHA512
9ddf3fa9638bb18d4719a8de6675638a03ca2e9dcfe8931b1a2177d828afe98e8ec1b1cff2dc1d02052ce882d9a17b6c70d17e86351bbeed5886592035c1e52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a_90wjea.0.vb

Filesize
365B

MD5
70a76ddc934370916153a1b366b79b10

SHA1
15ba6ac072fb74aa005394477f396700656fdf28

SHA256
d6bebf1f9c2bd5eb2fb14e994a50f1213cff957682203897983a7fb18053b0b8

SHA512
792d18c0077fc714ffe490d34d99837aadcab60f063a261110f427ee936cd633ae3cb63f016363406f9b095f153b5d0853ca309bb42900210792cf6ca28996de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a_90wjea.cmdline

Filesize
258B

MD5
75d015011dc97074f566927109e9b585

SHA1
f7bbc3bb4417f24b98b219c75cac6af8fbfd748c

SHA256
f8a312e11ae5c3c455dfada00ae1a2b63a1f2cb385d453583e1d9a9f143c9a56

SHA512
4fdff8fd1adc165eafd83a3169c7990e0e2267ab1353096553c8d0845faed88ba870789a8cdbe0425045aba8a139ca52a66f3595d44a922c3ed6d9cfb618a9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7s41t9v.0.vb

Filesize
347B

MD5
806fbfa9a385be383e7f48a40407c4d7

SHA1
9cbca6dd912b3226e90efe8c7a1f59faf3afccd4

SHA256
973f507f758fecd75c861e89aa8c4993f2204486d87bfa1cc68eba5143d77f07

SHA512
e699fac4837a6439ea63b88eee886e315dd30a6b4cf86de767587e4d8f17a6e3e4a87be9c6a73b41134a16646ae7b34e8f54a300639525efcfb045215657413f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7s41t9v.cmdline

Filesize
221B

MD5
292fc245cbe8afbe7325bde01ed7e3af

SHA1
3c9aca1f52ea11ef069b4b6a633c0ce69ac8f71e

SHA256
e811ef1acc0e06ceb36b9605fee349e86c32f187250fe9edfd268dea44253c0c

SHA512
557ad5d23ffbd80feb7fcbcd0cf536165d0360d017282faa91445af22b2352069d55c672d7f4cfa403144a4a2790c1c5952785f9e45a072084cb03d1ab17eb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdvti_w.0.vb

Filesize
367B

MD5
0b703601b0e80ef94b205ed801966b9e

SHA1
9bdeaf41dd0ddfe8c0a759cbdeb78392f6d12834

SHA256
8b32721cf83b79ea8cf67fe4eff6109bdf6dcf9caec4496db4387bf3deeb0649

SHA512
a075aa018fe6c2b3b885561f6788f6e566472a2d425bd85911fd9b7ca4a4dbc6dc3b324c83bc821a1627219fd224cc835adec64ddf26584f524144d7fb7874cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdvti_w.cmdline

Filesize
262B

MD5
c14353a7d7a26983b63c6efaca1232f3

SHA1
9208489b444fbc6093fa798484ddeab7150bacc6

SHA256
3d2d9fb309396a3d406aede49dd388ba41eff7cd37dac6b6eb1b450886683d24

SHA512
bee903f157a098630cef34dd925ca1f1a1fcc65fac0ae24929e5f5af73f8e696cd8e2cc6157ad5266416dd1351ddfc3906b4c1d61e9c6f553585374caad1986e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dymwbfeo.0.vb

Filesize
370B

MD5
166a9ac93a3971c49538ca4d170e394e

SHA1
1a8a2c8e903174098ef8d8e43ca04a2012c8f3f7

SHA256
365936ce4dbec81d6859e34540c2a2973c002220d750317145425784fcec792a

SHA512
9184b813e181cd0cda3ee62ee09818d097979ef4ac6e28f8a3937bb6fced2e8f5df5c15c53f5ed8851d10aec554a7e13e444297d6c2ded5297246e36abec4c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dymwbfeo.cmdline

Filesize
268B

MD5
22adcc36700f832319784454dee2a420

SHA1
378bc877a9be636aa6eca4f49390ad94d76ac1c2

SHA256
1a97820984187b682096a24dd060ae5e3cf279208aebb43096fd4d35f0a221a5

SHA512
06d9c4e365456c5838e9a26368b3a923b1954817db2331df7e857c0512e2f5abe5cef4aef0544f177aa9c54c83477276e07194498757e1b108ae5e47bd34fe6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\flgiex3l.0.vb

Filesize
361B

MD5
32fc2dc17b4f4ed3274fdf0037ade46e

SHA1
d0abeb10824fd2cea51385f24b8021c68006fe3b

SHA256
6a1ff970345ab58f1b7210703aa7e2bfcb48ee377bc5ad909de1d3604a3556fc

SHA512
63bb2a316dacd7b7e0ed58cbdd17b4fbe5ca8658d6bbb4c591231860e41eb68b122b3f8f711b38e938afa5021531d75cd0533a420f75ef19e3dcfda5d72bd75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\flgiex3l.cmdline

Filesize
250B

MD5
fb8377d47a0e79e1effef791be3b3900

SHA1
4dce4aba805531ca4414b175cbf272cb12f280e0

SHA256
6297306c12a96fb291de5fe0cb23ee6c2a6df2263f9e64ba3eff268c71cd18a2

SHA512
054e1f67476838e9d30a502d07d9e7e6c67bc66092edf20dc83efab096f4aef6d29dda623540885a1943ca0f8d606a891a3cbfa7677718c067746f4748b4fa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggmd3tui.0.vb

Filesize
365B

MD5
9e7c484b328dd42af8d90cb87a61f533

SHA1
257866b6b63f209ee7973faeec6d3f342e081a3a

SHA256
4306ed60a490cc993558e7cc2131a6ac2ff9fff708e41798a68a6bb4d9800556

SHA512
ff712fcb9701d8c14cf7c237b117d05e81691ef303f2a4616324a81ad53be896f95b40c8ba32e1bb5e45d44329108131f0f5fe14dc8bc05a4c5903b4a41fd410

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggmd3tui.cmdline

Filesize
258B

MD5
92d7213a00b8ff674844f03baea7c1cb

SHA1
f7043d0dbac3cf38d893c4b3b6d4d97c356cb706

SHA256
08bc35d5eaac2728bcfdb814f09b3e575f7875f0ee46e41b69438f1fa757bed1

SHA512
c46fa3ddd869baeb57203c9deb3b4993f1aff611de468e495b3261c591c6f27bff26bbdd81001ba7b055ba4f0feb7a258b515b7e63492f48f1dac343c30ad4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifcrw9zl.0.vb

Filesize
368B

MD5
7229f134ccbe86e214389cdcdf39cdd4

SHA1
59b5a9fc75fa7177bcacc9a5e7925b0addc32473

SHA256
f69790eb9ddc7fc4c9ebd02013a7f2077078dfe1fb04b019272399d81707d6a7

SHA512
cfffb14bcbf4e6674c9be8fabe8f98923f663f0b81824b0d2556e32a8eab266abb6af49278adf0fbcce1f507609846e570dccfa32ebe00b43cdcfdd250ab217b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifcrw9zl.cmdline

Filesize
264B

MD5
6453847463bd80efd5a144fe81290a76

SHA1
6e8b530069871c05a735993cf19d6c801fc6d15a

SHA256
ec6520d1b17c572cfccfe3b851632f2e79de0069fe49e4a99b0483a4d32d560e

SHA512
fc5f300929554c396eaf8ff6c367f08b19c92728acf560fbb03f32f0591c41a5fe5ce7e8beafcf8201cac360c1200c9b7801d4e29e4a73c3ff15651e7c189a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\khuthwts.0.vb

Filesize
370B

MD5
03fe8241c9dcdbddcf309b44e99d3e52

SHA1
45fc83fe13cd36e9224ec727150715bb40bf4fef

SHA256
f30a7a5c7c64d7d3f96476a3f0f4a8fd02d25ca5aca6b564e7c0a58c438fadb1

SHA512
bb59031b6f6bd41fd25ce864cba4e04f108b7e0e7ff8959df37122b91d7311e0b7d6cb257c422cb90f3933a4d9f2e1885ed33f81c1680610df2234be417da162

Download Submit
C:\Users\Admin\AppData\Local\Temp\khuthwts.cmdline

Filesize
268B

MD5
2bd98e0695cbace0291f97fdef158ad5

SHA1
ad26459411d67ba940729a025336393f85ab7066

SHA256
4caeb2eb89885ff451576771322553ed0cd443703f7fc686f08f4cf5ef484680

SHA512
2572fa9a5bea10137d611b6ea6a956a8f2fda4be625779783196f6beccd199726c8910ad2f412544ef51267c5e859e2331b51d146bcf2c573b53ceab2e298c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\lik4p-c3.0.vb

Filesize
368B

MD5
ddef54241eec5d7f422a424cbca9408c

SHA1
34715db7608b6bec184db8d3b423a1fb4bacd07b

SHA256
11552b19c8792ee9999b3ca7c4ccc28eec91a3d8115868d221bfe6366b9a7321

SHA512
17e50a949d0328be9f0f7340ec82f932395c4b18c2e1903cf77d17015a4f756008cf5efade57d3b1ed0db1ab69b04558109775126a395d39f2a55fd0a2825583

Download Submit
C:\Users\Admin\AppData\Local\Temp\lik4p-c3.cmdline

Filesize
264B

MD5
ab7311e5231c427f16fb768f5d2e2b36

SHA1
1f21db33341c95cf37113a808c5d436ee12c43fe

SHA256
9d82abde198bd546bbf672b0e759a1f24cb863caa626b3db95b7379581c95aac

SHA512
cefe35ab1980dc1a13693ff1d67ae1615b80c739a71347ef40066886f5eaa90b7a8623f5972c89cc12b5502ccdbbed6bfd5f57964047c35d0652c0ceac95e919

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdip9i41.0.vb

Filesize
361B

MD5
d8176c8dcdf8032b0177a9d0bd58e58f

SHA1
027c26e620508aaa5461a2bd020d5e1430bb2cb1

SHA256
95094a209dd5615c821706ec3cd5ca63f0ec1d9ec5db192e1d791a17a3660894

SHA512
382d09544c10eca698888a3d46600eb1aff5818650adb499fb3567caea0a789565a2f6dd250d6fb8e319fa1ffde4ada690fb9c99f80198d55b593d0b6321512e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdip9i41.cmdline

Filesize
250B

MD5
972a426bd710cbc196e42ab38ec16562

SHA1
70a9b4cc37634969e527154cb75e93b4b126073e

SHA256
07e543453119895efde66356034504154e57d1a58c354308e5b794f139fa6629

SHA512
11ecc6074782000ed0abfc5a1fdaca3f36c1bbdfd4746f0d9ca0da4d45437a0377257a70e396aebcf663fa1775cd908a4a0766692afa65bd88f9d0be33021fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhmndzmq.0.vb

Filesize
367B

MD5
1c44a8cbab99c328d5459b1480105369

SHA1
80159d2c209ac1fc827c3480faf365192d144d17

SHA256
3831cefa757fff48ac587ed7c1cdf606e8c8abce1a85a4e83d773c00330618f8

SHA512
052ce2adde6070990a030e4ea3c3f3353ec2d3da63fb4abb37412dfd7f37f3bd13e263bb3f159ac7138315024d041e8a6a11e7c026fc8ea82a1038419f1736ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhmndzmq.cmdline

Filesize
262B

MD5
f7d2d5b122b0ccfde72ccb776b5d87f7

SHA1
7b5f0180e2a0851f5fd8215b8079593e1a835c2f

SHA256
c5450124d75849dedfca37324f9a6167c4e2ab921892655c7997b06ede6cbdb8

SHA512
d5059bf6adbf4591b4fdab69ee1e1453068869f9a9bc400277b06ba645fec2ebb5f4add14d3768ae82eff57fc4518ed3a90bc4a276dd8ebe3aa2eab844d6d2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0skwl12.0.vb

Filesize
347B

MD5
d4a86815a673759078e816a6ef8c77bf

SHA1
31527dcb71c8ac1b0077778630b6c0d148cdd0e0

SHA256
a3bf981bc0ef42705a62444dafe8ee03f0172ab71350fa818e3003f7a0eadaab

SHA512
06b9214f337cbbbeea8e0cfcf4963634b9b035d7805d84c1806b74950c8a30374fec4ebcc9801689a90eec54643845473f90d8d4f8e9ab6244891d59f45bb9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0skwl12.cmdline

Filesize
221B

MD5
b8d54545a84fc80c912e5d4974b3a295

SHA1
29050bfb067e041aa9deae6cd9d7fe170526ea97

SHA256
bb4aadaee56c60aae9b984956025147f8cbc2aac20c5d49fb28a1411f5c0920c

SHA512
fee0f22f25e82b74fff9fe8872dceb5dcd3ed9fca18f8c577a5a7b6f56448712bae8784837dc4cc42aa9aae4be64c5924f685d2b48d7526f8ded0303766f8f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc56983218EAFD423BAE1C51BBD4F13F9.TMP

Filesize
5KB

MD5
5201879a7e04332289f9d0322054e622

SHA1
ea4b0fb5f15d6b03ee2331529f48522b95cb3347

SHA256
b1b01b72827ccba25b2ee8082711ab16f15020e689feac3e83298e4a3c03219e

SHA512
1f14301b48bcab846b4488c4e67cf037872f92aac80558965342eca053eb3f945864a721b6287ebd6893753d3ce3fc7f266e69a4dc1ba69924949d7620641933

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc71597B7EB8F4B9F843A2372D43987C9.TMP

Filesize
4KB

MD5
cb33e098b48172a7716264425fb2c27b

SHA1
f3831b3ed71b2fe98de1d6f736382ebb457173d4

SHA256
ab4d166de9bec2a84b1cbdf17451099c3888e136e1b6f97eab3e730bb182cb5f

SHA512
52b3e602aa6cbc01812aaad38f57a815dc92ff04dd8f31ceac18c8865ea686eefb02e8c7350e7012a631890627d1e8e0922024a9291317acb6f83e3273a2effb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc734DEBFDFDC42C09248B8F55EE51E9D.TMP

Filesize
5KB

MD5
c7c9057383f1585d75f4157ffbf435ab

SHA1
9a6bd1069e7522e5369d4f42fe6807facb802899

SHA256
b21a8493c8d57dde7de652bdcfb5f961e54e2f0a72d4b5f840f022b7d5320f4b

SHA512
f77e11ec0a108ec6b3f32c240d301c02ae3740d8c4adc54cfc4353147d9dd3a125935cb81123f5888b21dbb7479164bd104b19f2e164c2bd0ad2b89fa9b39b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc94E649A794DA49E7B2D1F1D4B1787B4.TMP

Filesize
5KB

MD5
8ade15ed1d80f56ac26d3e0320569426

SHA1
991f9dc672ab0eaaf0da3fbe67e361686bcdcbc0

SHA256
fe4161b8576af5854856e218fbda2511e57226285729d7799affe3ffa90b665b

SHA512
66f0939658ee3e7359ac4b4e8a58e5e179d3c6c8b41bc061a0f14e38560b156ffb367af5ccc492c0ad630e22d18de3148853271dc72b057f1ca461e230ec5f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc95C4067ECE144871937E24BC876A523.TMP

Filesize
5KB

MD5
8c68e64c0221a6286dc6f9700a826fb6

SHA1
0f59117e506eca8d38e3f62e20c5fb4a7efe0d6c

SHA256
a471a498192580d6b3d50e5dddd94f18cbfb63c916c56788ee507aafa269a794

SHA512
ae026416ffd28b5dbf5c8bb29256be01e8dcb4fa6abb3c1459cdcc91a1aef19a18460f472dbed6256ccb38c015fd4281ad10f4be817fe22b98f12772934a4528

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc996D17AA4DBC4189B2F6A3A29C1D61E5.TMP

Filesize
5KB

MD5
84c0ddfd63352a3d8f410ee43c42ccf6

SHA1
51f33172e6dd6c4cbf19a71f6bf73f74c1677648

SHA256
2cc99b5ea16753b50f07e35314b4566958e10a473deb281d97ccba0a27400005

SHA512
27916028942da1bbfb19ae752d8527626831a7a9f13ea5022888618584a683431860e401b253d856503c6bbcb3e17a04d81649706cc5f822dee364a86aca2740

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9B37D81AAFFB42D9B5752EB4534FC96.TMP

Filesize
5KB

MD5
fc9f4d1d6165fba4d3d3eb3fbbc33430

SHA1
a6d34a51f4ba11c053d37e9792888d5cfcf69e6d

SHA256
4be29e04f0ea9295e215b0c044c6cd636e6690ecec92e794dc15c8a401b8c6f5

SHA512
48392289194cb356caef5dfeb769940d173c19247c5f1eb67fb399ca515c002f5168524501c034d81897808a3b15216f1092956b96d24a70cae8c471eb6dd77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAFEE9BAF70BE4E8A9CA33F596BC6331.TMP

Filesize
5KB

MD5
9362f5038e83070f7a41ac898fae8195

SHA1
199808e30952b4df33dbfbde982d1471a226b97b

SHA256
85374d7934981bb47828ab0634f85ea3b41c6575ddd3438f553de82763a82f16

SHA512
b4cfa059a83f9aea9ef4e08055d9aebc8d378d6b79828592a1636c6144526388900d4eca9f2b98ac9faec8733343c8839f3848e6689f7aafdcf98f70b6526df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC58AB0F13FE944F190E99F0ED799412.TMP

Filesize
5KB

MD5
77b88684bc33b844f2eaf6d95ad8271a

SHA1
74642a86685375547ac078b85145b2a1acc8f2ae

SHA256
8ac43e5c156a3d8c687cee62e2d19d613cf3fa32c2701d8f11b02b1a274a0554

SHA512
7840ff496a6b1a20462d59d3d7898b9ca2e2db0f8871443059d21d18ab02edd36199d0e213e4bda6e1544e9325ac877cd608f079d92be7b1477c605f2ad74945

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD552379E6A6C4E74B3533B8188D32394.TMP

Filesize
4KB

MD5
11ab4f6d3839dabf6022e05b0e3199af

SHA1
f70f743164c320004f39694d0f7135de828ee485

SHA256
86d0c7170a624e19fe010271241c2da9aebccd8ee584c264f43a07f67da7d0b6

SHA512
81c072139a61bb86061322a394f9a19ea42e671d6f1fcb2500ce544d05f98e8f519a16c9d60ad6f4510ae6fb7c5099caafd3fb71c6ce6ae14e57f79d9283194c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE7985BFF909B4A3F92FC345C1FA81784.TMP

Filesize
5KB

MD5
29cf1ddf294ace351c66759f2e045229

SHA1
df4eae349cea36667585eedf3c109097be3d3eb9

SHA256
ae08a4ed0865b676688fcff9d5fc820854090d9b44bbdefacd5c5e26f4cd293e

SHA512
18c3a611a4433406f05b4a856909dfff513e81489d42f04871c2e2f8c05ca717476480ea6971ab52685011dfdfbeeff441c723295603fd9468f93f44b86f2727

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEAEDB8D78D9340C1A457D996FB3C8BB0.TMP

Filesize
5KB

MD5
a4b02be1be36d35d3f69b5e939ef6ae4

SHA1
adc51fc1cdc8b041d317e016dad681accf757ba3

SHA256
6956dacfa91390db2d07f8edd7c09b53d59463ab8811add4202977a635b6c563

SHA512
249e3683e35e0c423145632198aa7cbd351f7a4a1689a527f2473f081414dcc7c10f6ec9ccc9eddcc21449f1929af29756095cdd9b48dd17ef1f4cf83d982ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED1ACF60D17B4A639AF992CA183D55A.TMP

Filesize
5KB

MD5
6ad70be08cfefa12479ffcfc0dd06233

SHA1
5aa6abb749fbeb732e149b0ac58de921eef1995e

SHA256
8e74037e57f80218ff3f2c0348f1c8c05dd169bb0e908fbbd050ad4fe4eaeece

SHA512
2496642194839bda2e7c05f129d438ca591c1aa8cdc6fd60d76a7465b1df128b3ab1b19fb09cf12b751c1fb22bd5f675d33079110678c095d30b076ccd39599f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yazntbry.0.vb

Filesize
367B

MD5
90a41858c1ff095de02d92591729a3b7

SHA1
ccdf4fa9bcfd31c860b65b7bf6fbc08ed509daaa

SHA256
87cebb1f8df70782870d875a6ecdc1b705f6ddbf4bb9331d7499970be79208bd

SHA512
8675cdcd575ed0da0051040e9704cde2f285a2f028aace0b77bee6b5443bb50bb1db0898c8a78e6b89f8385bcb5f5d28cd611a0687a94a1f589ed2c9d62bd418

Download Submit
C:\Users\Admin\AppData\Local\Temp\yazntbry.cmdline

Filesize
262B

MD5
818d678573ed9443bf4d2fd33e586213

SHA1
05ddd253e0780cd635c867e5621855f47653b216

SHA256
8368e328439c0eea87e930571ce2f2aaa94d16d83373e18a37c7a5199327d398

SHA512
9a932b30b3168ed34197add7e2f3f6928e37c49780bf86d3906dce5b79cd86fca0f216e958e2cb9eae369d55fa22e8c84c1e298b24db0478deb22429e0e805e6

Download Submit
C:\Windows\System32\xdwxsvc.exe

Filesize
108KB

MD5
f55c1e64f9428adef9ab57b608d01587

SHA1
c85960f54528f94ec839b6c2d125c7249815427f

SHA256
c9d1c9ef3a637ac66861d41a4c35e9be5cb2abf286c585e093b5ed281bea1c66

SHA512
26978fef89a5cdf7baf8ae04823c238e4db686fbcae5a5ee1dcc9acb9a4c06092289f4babf84d1cfe954fd67744e2cc5cfbe1b46668d807edd03632bfc083e80

Download Submit
memory/4488-15-0x000000001D690000-0x000000001D72C000-memory.dmp

Filesize
624KB

Download
memory/4488-2-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp

Filesize
9.6MB

Download
memory/4488-3-0x000000001BB10000-0x000000001BFDE000-memory.dmp

Filesize
4.8MB

Download
memory/4488-4-0x000000001C090000-0x000000001C136000-memory.dmp

Filesize
664KB

Download
memory/4488-1-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp

Filesize
9.6MB

Download
memory/4488-5-0x000000001C230000-0x000000001C292000-memory.dmp

Filesize
392KB

Download
memory/4488-8-0x00007FF8C0905000-0x00007FF8C0906000-memory.dmp

Filesize
4KB

Download
memory/4488-0-0x00007FF8C0905000-0x00007FF8C0906000-memory.dmp

Filesize
4KB

Download
memory/4488-240-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp

Filesize
9.6MB

Download
memory/4488-11-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp

Filesize
9.6MB

Download
memory/4488-302-0x00007FF8C0650000-0x00007FF8C0FF0000-memory.dmp

Filesize
9.6MB

Download