revengerat | 5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897

Analysis

max time kernel
292s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

109KB
MD5

72292b69bc9a8b6191cd4f83db9b8598
SHA1

944c73806a03a3eeaabab1ece053710ee613e1f9
SHA256

5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897
SHA512

ee1365626a806687cda20a8654e151fe92b4a78512ea97941aa9875ad8775c47ee6631c828739d6c72be7bf5fe547332084488ef964feeb45dec6507f5e67ccf
SSDEEP

1536:i1hDv5wFD0+HV2LDdEB/u/RdbVRX37jBqagD3tSYqkXDl+:2gD0+HV2HOBQRdb3jm9SYq4l+

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000e000000023a2d-296.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Client.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs	indexworm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js	indexworm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk	indexworm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL	indexworm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe	indexworm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe	indexworm.exe

Executes dropped EXE 2 IoCs

pid	Process
3516	indexworm.exe
1984	indexworm.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Users\\Admin\\AppData\\Roaming\\indexworm.exe"	indexworm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	indexworm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	indexworm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	indexworm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	indexworm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1532	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	Client.exe
Token: SeDebugPrivilege	3516	indexworm.exe
Token: SeDebugPrivilege	1984	indexworm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4072	4724	Client.exe	89
PID 4724 wrote to memory of 4072	4724	Client.exe	89
PID 4072 wrote to memory of 1420	4072	vbc.exe	91
PID 4072 wrote to memory of 1420	4072	vbc.exe	91
PID 4724 wrote to memory of 816	4724	Client.exe	92
PID 4724 wrote to memory of 816	4724	Client.exe	92
PID 816 wrote to memory of 1972	816	vbc.exe	94
PID 816 wrote to memory of 1972	816	vbc.exe	94
PID 4724 wrote to memory of 4432	4724	Client.exe	95
PID 4724 wrote to memory of 4432	4724	Client.exe	95
PID 4432 wrote to memory of 3440	4432	vbc.exe	97
PID 4432 wrote to memory of 3440	4432	vbc.exe	97
PID 4724 wrote to memory of 2832	4724	Client.exe	98
PID 4724 wrote to memory of 2832	4724	Client.exe	98
PID 2832 wrote to memory of 3048	2832	vbc.exe	100
PID 2832 wrote to memory of 3048	2832	vbc.exe	100
PID 4724 wrote to memory of 756	4724	Client.exe	101
PID 4724 wrote to memory of 756	4724	Client.exe	101
PID 756 wrote to memory of 784	756	vbc.exe	103
PID 756 wrote to memory of 784	756	vbc.exe	103
PID 4724 wrote to memory of 4060	4724	Client.exe	104
PID 4724 wrote to memory of 4060	4724	Client.exe	104
PID 4060 wrote to memory of 2604	4060	vbc.exe	106
PID 4060 wrote to memory of 2604	4060	vbc.exe	106
PID 4724 wrote to memory of 4944	4724	Client.exe	107
PID 4724 wrote to memory of 4944	4724	Client.exe	107
PID 4944 wrote to memory of 3920	4944	vbc.exe	109
PID 4944 wrote to memory of 3920	4944	vbc.exe	109
PID 4724 wrote to memory of 1792	4724	Client.exe	110
PID 4724 wrote to memory of 1792	4724	Client.exe	110
PID 1792 wrote to memory of 4948	1792	vbc.exe	112
PID 1792 wrote to memory of 4948	1792	vbc.exe	112
PID 4724 wrote to memory of 4412	4724	Client.exe	113
PID 4724 wrote to memory of 4412	4724	Client.exe	113
PID 4412 wrote to memory of 2728	4412	vbc.exe	115
PID 4412 wrote to memory of 2728	4412	vbc.exe	115
PID 4724 wrote to memory of 852	4724	Client.exe	116
PID 4724 wrote to memory of 852	4724	Client.exe	116
PID 852 wrote to memory of 2308	852	vbc.exe	118
PID 852 wrote to memory of 2308	852	vbc.exe	118
PID 4724 wrote to memory of 432	4724	Client.exe	119
PID 4724 wrote to memory of 432	4724	Client.exe	119
PID 432 wrote to memory of 112	432	vbc.exe	121
PID 432 wrote to memory of 112	432	vbc.exe	121
PID 4724 wrote to memory of 380	4724	Client.exe	122
PID 4724 wrote to memory of 380	4724	Client.exe	122
PID 380 wrote to memory of 400	380	vbc.exe	124
PID 380 wrote to memory of 400	380	vbc.exe	124
PID 4724 wrote to memory of 4960	4724	Client.exe	125
PID 4724 wrote to memory of 4960	4724	Client.exe	125
PID 4960 wrote to memory of 2324	4960	vbc.exe	127
PID 4960 wrote to memory of 2324	4960	vbc.exe	127
PID 4724 wrote to memory of 2940	4724	Client.exe	128
PID 4724 wrote to memory of 2940	4724	Client.exe	128
PID 2940 wrote to memory of 3284	2940	vbc.exe	130
PID 2940 wrote to memory of 3284	2940	vbc.exe	130
PID 4724 wrote to memory of 4648	4724	Client.exe	131
PID 4724 wrote to memory of 4648	4724	Client.exe	131
PID 4648 wrote to memory of 3440	4648	vbc.exe	133
PID 4648 wrote to memory of 3440	4648	vbc.exe	133
PID 4724 wrote to memory of 3776	4724	Client.exe	134
PID 4724 wrote to memory of 3776	4724	Client.exe	134
PID 3776 wrote to memory of 1680	3776	vbc.exe	136
PID 3776 wrote to memory of 1680	3776	vbc.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g1gdahtd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4908D26E9E5944938F6B7AB025FBF31.TMP"
    3⤵
    PID:1420
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uylyzrrx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6E8B9FDFBB940D1BEF9BFAA1CB4DF32.TMP"
    3⤵
    PID:1972
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckxfyqd5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBCC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB3CBC2B7BA9471AA429C5E376C4B5A7.TMP"
    3⤵
    PID:3440
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-sjvnlua.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F035B83288E4D3FB4E0C09C2E6092A.TMP"
    3⤵
    PID:3048
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\scztj-kj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64AD0A1E35564572BB722E4BC28DCA46.TMP"
    3⤵
    PID:784
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x034ge93.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDB0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB43D82FA07948BC85BAE53E265E6E8.TMP"
    3⤵
    PID:2604
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jr7_rn-3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D90BDD2162843869EF2EC27C17F1CB7.TMP"
    3⤵
    PID:3920
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-wcwa1ct.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E6E0CF5DF85437784641620864A13B.TMP"
    3⤵
    PID:4948
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zelprae6.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA168AACAF542758D6EEB1CE7E33D4C.TMP"
    3⤵
    PID:2728
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g26toir4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5421A20A7DF54F85883772E309E22.TMP"
    3⤵
    PID:2308
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ktulmwhe.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF00E7DCCFC5641D599B2183C44C84CED.TMP"
    3⤵
    PID:112
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s3c-hbwg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD002.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69E53D2A34854D7DA7B5F3C1BE33FE79.TMP"
    3⤵
    PID:400
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iru5k0nq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD060.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF0A03D22BDF4DB580813EA2A55D41C7.TMP"
    3⤵
    PID:2324
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vktxbrpd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0F42330CA6E405BB1AED8B08F76E1E6.TMP"
    3⤵
    PID:3284
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kiyply37.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD11B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc416B8A6CD9644227AB28BB801E14371A.TMP"
    3⤵
    PID:3440
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_zwscesd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD169.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3945F6F0B15841AFBDBDBE2494AC5ED3.TMP"
    3⤵
    PID:1680
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y5men_le.cmdline"
  2⤵
  PID:1304
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD282.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF504FE3C6947CF9F7CFFE1A2EF1CA2.TMP"
    3⤵
    PID:2292
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5e3uegv.cmdline"
  2⤵
  PID:2096
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD33E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B29F0B9D3AF421C92ED5C5315385F47.TMP"
    3⤵
    PID:2480
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oheq3tll.cmdline"
  2⤵
  PID:3512
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD39C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE494BFCA95E1419E9A417ACC89B2A6C.TMP"
    3⤵
    PID:4060
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xq5y9gjf.cmdline"
  2⤵
  PID:2904
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD428.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AF795D52C9C4078A287034C98A1E7D.TMP"
    3⤵
    PID:5056
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgt5lf3n.cmdline"
  2⤵
  PID:4620
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD467.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc455FEB92B5884A668279987EBBEF4672.TMP"
    3⤵
    PID:552
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmi7s_cn.cmdline"
  2⤵
  PID:1792
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70B6523356424D47B7E9E2A7F514773D.TMP"
    3⤵
    PID:2108
- C:\Users\Admin\AppData\Roaming\indexworm.exe
  "C:\Users\Admin\AppData\Roaming\indexworm.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vsix_yra.cmdline"
    3⤵
    - Drops startup file
    PID:4716
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA97A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc209C5BD173B5427C835E428EFE239CAF.TMP"
      4⤵
      PID:2980
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Users\Admin\AppData\Roaming\indexworm.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1532
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a3htymvg.cmdline"
    3⤵
    PID:1124
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7800E785B0B4A8680A1858F43504A8.TMP"
      4⤵
      PID:4380
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r3w5eg9w.cmdline"
    3⤵
    PID:3860
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD56DDA4B5434A25A9612E965D9C32B3.TMP"
      4⤵
      PID:2584
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lthj0dzm.cmdline"
    3⤵
    PID:4368
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50F220FCF2834DA6BA6CA7CD90289478.TMP"
      4⤵
      PID:1304
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzt_pc3u.cmdline"
    3⤵
    PID:4664
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58129BFEE4B549A4BE356716AF1C2792.TMP"
      4⤵
      PID:5084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\udrvb50z.cmdline"
    3⤵
    PID:1620
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B38C610BC6847759A25B82EE8849D7.TMP"
      4⤵
      PID:4756
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\used2k7l.cmdline"
    3⤵
    PID:548
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA124E70763B945B5BC18CF18602AA0F7.TMP"
      4⤵
      PID:3084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s_j1p67f.cmdline"
    3⤵
    PID:4496
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC27B5A4461CE44D09173C8467FAA4CA0.TMP"
      4⤵
      PID:2160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0pqthrfu.cmdline"
    3⤵
    PID:2944
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB34EACBFFF1D434AA7282A14DD515A2C.TMP"
      4⤵
      PID:1936
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ytcz8gc.cmdline"
    3⤵
    PID:4824
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8ABD8ECEDC6C4B87BBEAE4201B15FFCB.TMP"
      4⤵
      PID:2760
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ykqxysyu.cmdline"
    3⤵
    PID:2392
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F5D6904B07A498CB88DB11C1FCAA259.TMP"
      4⤵
      PID:3948

C:\Users\Admin\AppData\Roaming\indexworm.exe
C:\Users\Admin\AppData\Roaming\indexworm.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\xdwd\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\-sjvnlua.0.vb

Filesize
348B

MD5
f9d79311b4cca4c591aa8cfec028a6a9

SHA1
2c4d63d2b94e8e33b0349bde75889478d8d972de

SHA256
78f7a23fa14b298de205e44ba5fdea765cf33a4f72cd63662c0ae2b077154996

SHA512
25c75f86e2dfb2c863833b898741e8c903e763cbf13d40695d0a92c4845f480dcfba42cf1fd22da60f337a507ce71031bbb536f2be6ae1b77af974d3513f226b

Download Submit
C:\Users\Admin\AppData\Local\Temp\-sjvnlua.cmdline

Filesize
221B

MD5
918d4a52718b564d255fc045573dc296

SHA1
707a39cbc44e813dfefaa46c0a9d3b286863cb97

SHA256
7e309469fc0cf844a53f93fc2de04798692f4f6049b9cb61e88ed0ef6da11061

SHA512
206d2c88f96e055f4bb68e3d64d9ac2fd6032a32e893c83d06d74393648832f762ecb1de7933b511176814f0a261270acb4ad258b22a282a269931c46ce50ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\-wcwa1ct.0.vb

Filesize
369B

MD5
75088557db6e2a028811c00adbf5b987

SHA1
3804c2dce38b94228464e3d2fba2ea1e43298965

SHA256
28b93c7c4a19e5c158e45e40b5431129f7ba2a5b25e7991e01b1eb4b8077029a

SHA512
1e273bbe0252674e0658acf8d1aca6f359903dd607066f8053acfa60a573b07a8714cd6fc01b98c21422dad62c7c7a7177e45b9d019c7234724b29ab273122ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\-wcwa1ct.cmdline

Filesize
264B

MD5
f7fa858facf4f84e4b788c68af734414

SHA1
db6615c23a1583a76d89cc2ce35b3121e4b901e3

SHA256
3d6352169e0ea265baef800d6e38cd8e2b7c84ff276f72b94118457d002935d7

SHA512
3774d10dfdb7c271aa4dea65f02a98182d22127ec2a48b300da2d4e55668d27924eab08afdf0350f8dffdba5f842e4bfcba0fce519d4311c5d84e77d343e2c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA35.tmp

Filesize
5KB

MD5
3eae52002ad24b42cea2f99397f93711

SHA1
df84a5edaf3ef670e7f3bec6d081ab93707d061e

SHA256
5b0fc7762bf411c6390aba60e37100f4788a845073da5c205fd0bb8ac9e64e15

SHA512
1cff5685fa83824ffa5fe7fb790f904a258d95a471a92b48cb8c1e1d39713f45ab9d1595070329c693c2bb2ec49ed2ad1b1e46ac99595d9c5742ecf43c8676ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB20.tmp

Filesize
5KB

MD5
11f77c0e0a6aa42f0bcf36ab12c126c7

SHA1
f11f8c2f76bd6e9cdff275a3bda985d04945867a

SHA256
6bcf61407f5dd32f2d4a7f9bf973225712ded85876593107c57ff4c7896674ae

SHA512
b6a750cd52f7d51a82e905f0fc0d83c7d5ea53a2a18e56f18a1102d1c8e47d227a7c7f4c99cdd7c36cd340aa85af2de547bc20278b281a9cdbafb54386e83953

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBCC.tmp

Filesize
5KB

MD5
ec08191d59afdc3400481d25e3065ca1

SHA1
431d79913d7257e2f056f961fb338773618ded23

SHA256
22e7d9edf141d7ba5ce5c34342f7d3d33bccd3ff8207dfdabe0174a5b9801db6

SHA512
5133f9ef4951dc474dc226ca49d24a34065e46fb47884686ed11018f5ad207aea80adc93f99e13e450f97baa10349bde5ef1dd687336241e6c642016198a0762

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC68.tmp

Filesize
5KB

MD5
e7091877c53c1f74da2ae5fecfc37f4b

SHA1
8c5de952efa263739d42d5838bba5e85cc072aba

SHA256
3c901c35bdcd9cec7a2e913c14464b57ecab6ed9ae51a7dd81a16aaa88e3476c

SHA512
71368f9f25ac17bdaf36a1f0341dbb508206a690f492ce5e103f7f1c157b1817dfe2457967c3b108ad3acff7e77d5b2164ef0d58fa74a92e14e288730567cfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD52.tmp

Filesize
5KB

MD5
330e59ea0f57416d07436fae4720ec21

SHA1
2af357dbf65d6e66712249d26755591e79d89dfa

SHA256
2565524ea81380047e32f18620888a66bf546ffc26dbc7e08369f23870e1aea2

SHA512
7bedba0fd403844a6237d578946925c3231f1a0e7b2c11613515b7c4ec7fa1327b35449710306d0f9a9785d4697278e4afdf381709f150a62e638d9a8061720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCDB0.tmp

Filesize
5KB

MD5
4edfca9411c2ab392720e2235fa7357a

SHA1
a6831ac76229c64ad93894a6a4457b519715b863

SHA256
9b9788840c7e2229562b56f06b9fd3518e226e209576f5e4a4d65504260f0d74

SHA512
82d75c940d7f467a3cbb0d86df348511514ce2fe230403a2fee20460de6b1044faa2268c774d501c1b358655a0199f9af03c71169153a1dc760d2eb1613bae9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp

Filesize
5KB

MD5
93f83dff60ab23024e92753509780c66

SHA1
fd432abcc0d443c64dfbd8d945c72fd77146b1f7

SHA256
e2b24c04c14f094f1e650144671758dc630c198485ee519057156eec9a2d3546

SHA512
3dec72b8ba6ab4d9b893aeda48ed8c0592f35a665186154b5edfe1b68ac7b0e7f7f05311d7d609b4fc370ff6d5d984d6a9236613827ec81ce2ca252d08aa49ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCE7B.tmp

Filesize
5KB

MD5
b08eee47d5c37c62fe1e9417a5496a6f

SHA1
5b0ca036d45b8bcf4ac9011722f758b668c6e97d

SHA256
13188157e218b1154afde793ba6ccd1d89d3d23c4bb5f881f3abb19d5b6e4001

SHA512
ef05dee58aac6cd24c4267ead1578f7421862c82989c4b4301ecd592ebcb8899c6009aba55d40e7d7501b9f3fd96c8d23f08e5b264ae1561c3219549364f3ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCEE9.tmp

Filesize
5KB

MD5
ef123ba63e30670b2c49a30ec1ecb048

SHA1
69ce2d1a378f087d2d99830143d73f327876e9b8

SHA256
e52cd395c8041218ff6ec03bd797ecc6d59a39dade80af3a1c645c9a4dbc2dc5

SHA512
4d6d95c422869b3816b259f4b0509c1da176765abc30c32e402b6e6d5e2326c24c61bd77c46638e8fd40688e38881162b89681b9b0721eee97881c2f2eee6518

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCF46.tmp

Filesize
5KB

MD5
f79b6f578b2959be03ab683203d56ae4

SHA1
4179add616d75b35ac5435d791a726ad6a4612cc

SHA256
2ccf3be7c29cf8c7c6e7ad62596bd1911c764aaeb9e126b7c59d539a90531c46

SHA512
9cc28ae82f272878f54efe7e0d245d6f2700c7d6ac86713265828b7ed6336b0c1f24c5494f47a038be3c48ee771ad07b32a57ac206c0a6f051dd9d4f90b470ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFB4.tmp

Filesize
5KB

MD5
fc8fae02841567164eedfbf6b9088a70

SHA1
82778b0cffab42e4c20285d1b3653556ffa606ca

SHA256
3fe02bcf3340b81caa0e0568d4a1f7783ac992c6aeb569df8f029ee856c25dfa

SHA512
2f549159a35f2660b4272bcd610eb26ad3e71dd39da307affaf6cfa1c10d5150c4aa52b43beb034c22c7c23b5f476d0fdf12bf93c13f246d2ccf7dc68b659d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD002.tmp

Filesize
5KB

MD5
2f831dca9bf79695c0a498c5338dc3b1

SHA1
af86378b045cdda1b39a8d90505b85446240e76e

SHA256
9ca4f3a4b85cab7f2b418b22e43fabb91d35c56cb57c15464aecd376fa929104

SHA512
a47da80ae8a2dadfe73cfbfe1c8a854f819e47a5613e5bdc084ebaf876ddb2ec1e6f6326176d5ecb8e19db6b678426974ee94fb3a6871cb85b643f33e406990c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckxfyqd5.0.vb

Filesize
362B

MD5
98c697d0135e14aac926c0701a8b72e7

SHA1
bd49384492450141bd14dd525dadaea8b83f9d81

SHA256
369bf94866b4cf4a4c47182d19b4bd94d47dd4282b761faee0c68e7523432697

SHA512
79a5631b25737b5debcda7a1d0b21a26e927457a65431c93dd372fdd90c745d2df6744e9451b0880767f6b635a47d62b606c7dc1127391a8dedd86411bd09fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckxfyqd5.cmdline

Filesize
250B

MD5
e799390a9b96e23771b64f93f59bdeff

SHA1
4de11783036af0fa6a8f032788da4778fc371e00

SHA256
fd3fbee274db7302abf86c96b34f2c89bbd5b5c76f809ed8dbf228986fc39355

SHA512
845cf6899f2a288d36542fc17b980bfebf9baba83a197ad3404b776bc3d2c2e0c7c3365fd7aac70f31ca254e6fca8b986f7e6afc96024791c375fa219576d657

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1gdahtd.0.vb

Filesize
362B

MD5
ed48ecd501fd2ec90b9359de04fc1a18

SHA1
9dd35b37dac1f0908fdafbb971157f576cb31c22

SHA256
3454a8ec9826e999653b677ee666c64116c8881a13fdaf16dc3e4153fab0dad3

SHA512
0006bb695aadfe28b3f6005772d9d53700c01392abdb9f3eaf4a8c7a48af7efa7bdc47a8a569e609070476e7f8fe1afc2701c529edaa8d03ecf7343e843b0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1gdahtd.cmdline

Filesize
250B

MD5
df353d73902126b4a19a166013daf039

SHA1
da732900d6cd7ad32dc1350189a8f952ab3284b1

SHA256
bd2b1b8560c19e4c84deb2bb8ab3a6ccc206495a44f4a1fc99715e0f8119b456

SHA512
e549f79bd0b1e1a4dceed95ca802ca7bcf263532b2877d84aba7beb214522efde2f93db0d75fbe815acf1a3f4f9e89fe6bd8031d1b7cfab9395b62ef261388e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\g26toir4.0.vb

Filesize
371B

MD5
a03f23d29973b0c1ad52e9c77c713e98

SHA1
0c425f07f98a55674c1efad5ac33e0af65255f35

SHA256
ee182384e0363b2f14b3d7530c943d350f9923fb3f7381fc29b90ec513f9498d

SHA512
36673b6c81f8f3fac8fa46ab418df69304a2caed5cf4bc860fe36cb19a00ade06562121b6aadff9395681da497a82a433b9a821041e81b152fa0f3e0facae491

Download Submit
C:\Users\Admin\AppData\Local\Temp\g26toir4.cmdline

Filesize
268B

MD5
c241be41fa44155a1ec8add6956a73e2

SHA1
f6f33e10dd7c299fd5267b732378778fa3965e45

SHA256
81ef493d821fa18dcea7ea10d3310b6ec32a3d9a35f7906a5d9e826bd4e2b9d5

SHA512
7e1ea70896b90fb1e608a0b13508eed84083867296cbe7a7de2440d67126398904ee8d72e22be4f7346e2706e4a59a6bc49e9258d50629d2bc8ddb128187e738

Download Submit
C:\Users\Admin\AppData\Local\Temp\iru5k0nq.0.vb

Filesize
368B

MD5
8c5c94ce9523fc00aa8f77ba9970c844

SHA1
fdca7988fb823d599eb00de2be871f7a3f557ba6

SHA256
22ca27df429206fffa3e79ebe49f4af70ffc6400b7957b07f26c0c2f37e28e69

SHA512
e4cd952f68a29a9b3705f413a6c272c871bfc5b6e24c3c96ce1d309975f83aa51885111182fa623d6780715825989d1111e4b7dce777b8dabc94e764f2e1eb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iru5k0nq.cmdline

Filesize
262B

MD5
6972fe3153ed6f5af8c4c4a5c06d8f79

SHA1
0a35a2830ae9c2f7c3be4ec0446e8de2882297b4

SHA256
70650ccb78eb84975711369847654e7694e443947c3f975bc3f80339559f4039

SHA512
2433892b9aa3b276f9b1a04b4301411d4b9f3fa34139b8197985c9cae0a18a806a29a3214e353dc12a2db7f5bde54ec5fa01c322d56d1878cc180f17bba1689e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jr7_rn-3.0.vb

Filesize
366B

MD5
07b10a393c633ddfe03650829ac72adf

SHA1
a91f5b666447054f750df3f10ca2f840a72243a2

SHA256
064ddb8b8da7931744430a9dbb24375788074db63fe9f0e74ac75c1afe274e00

SHA512
38880d1ad5442fa1fb55038c76f035031fe01f229eece65583774ce90c9f08fc34e5aa82f68d8cc587500f917d52e9eb47b29b989872359a803e0542f2f4dccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jr7_rn-3.cmdline

Filesize
258B

MD5
f5fa64569512299163c5dd5acf6f6d40

SHA1
d1d6733a090c41ceeabbaeb0d7f914b6d584165d

SHA256
9841144c1e9c4ad5fbb5213214600ddcf4e5588f663f6636ad3b26b8d5981c5a

SHA512
4e5b5ac165a49e6fa30d4fe57b94fd3c61fe6cbb11879d2e6e91f61503ca5cbd9377f90de6dd21d4e41ebc29ac7f8c54a75f24e3ac5f54b959a94bae1fac8c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktulmwhe.0.vb

Filesize
368B

MD5
7e552aa475227fe451bbf11a52d9b811

SHA1
933058d53d848d3daf1246ab7185beb9e101c302

SHA256
d23f1a481fd7538ff94e15558af73221d61e6bbc2eec208740c90bcb5fa0eb8e

SHA512
dde6f810ada06beb517e583720afa3edad4ccc740e1ff6a4ac21403e1227487d6a8c4ed2b15dc2bc6eaa5b84a47b03ac6b20b356b0260d55a4ee64fe53aa6026

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktulmwhe.cmdline

Filesize
262B

MD5
0b10df4e43a199886b7a5dff8972fdc2

SHA1
89bb32a7cc896482463ca8267b87712275fd6755

SHA256
7efff7b6a4b80d8567d13fd178c60f59c9d4d4ab30ba3b1ec3cca530da6adc93

SHA512
b7b4411293566cbef3c2c91d56b5467a09e11edafce4113c9bb8eab8bd4852c0962ef8d6ebcd4c3b57ff136ec4f7a8c9b673dfb89854b42fae17a644874976fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3c-hbwg.0.vb

Filesize
371B

MD5
102f791566f6024af32b6e4eb24614d5

SHA1
03b4cce2ab9c69efd37795f7a0265f898bef605f

SHA256
a3b30928d3848dc1c5ed6fba7dadc767ce3e6ba026460f76171a239defe92b76

SHA512
09c693c5c60d29834ec7bfa0012eee38afdc4ff0f3db41f54bac380e019db13e607c14503d3abec3abb5f73d82737137b05ff0ec316f082fc395b308406d62a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3c-hbwg.cmdline

Filesize
268B

MD5
bd534c796d2526862b7f0a98880b7191

SHA1
b18c824435af825387696e4646812c05f3996fd8

SHA256
4ba1b8c0716689c07836b47185fdace42415aa2c516cfb5449c6761340ed4a47

SHA512
d6291ca9e86159e4caf45e8eca2dfbc54b70aa6d70929c535e0431f68eb385435d060015bdb5adcf31791c9f0ac10639368d22838fe2ecd81eb5cad89095b9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scztj-kj.0.vb

Filesize
366B

MD5
b6f9730115de46756b567e8f913595dc

SHA1
cb8bdd820b9d9405b2a97af9219e08c85e375336

SHA256
099e93435c884d79a8c6e2f8ca3fa227c8870e93be10839fea687ea24bc3ef48

SHA512
aceb5f099294258276e49061cbda8098eab9ee2927318f27d07d35f7c8ea93c3056aa7a3e25faf28a810f20ed4fbf3137e1650086a45197891babb7cb0111732

Download Submit
C:\Users\Admin\AppData\Local\Temp\scztj-kj.cmdline

Filesize
258B

MD5
c0d4cc4ba50e61cecfc43976630edb62

SHA1
99256f3d23d9af14c462034ba38ad2e5bc2667e7

SHA256
6ada058a6c42b4e6ae45266d7b3a3bf5999d5c85409d28b7247f7021c21dc123

SHA512
111f99224312debbb537efcce94b9608969e814ebd183e57ba999bfc1820512da85afe8dc12143d6c03250393c92a1291cab17c441235a4a6786697115993b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\uylyzrrx.0.vb

Filesize
348B

MD5
2824033d9d2f8ee59347116377cf6d9b

SHA1
fa5ac5a217129274f3df610e90dedb13a5dfef82

SHA256
c5a03d253201eaad5738d91cd7a6d239348a2e54a8edb19c50c110466ebdb736

SHA512
a76a3b01d94964df9b48f254e0c8bdda5bef5291431f06fdf3c7c897c04c8ceeb8dbafa61d01dda153712247133104c870ef234f603e0c9a8e8c480c0692ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uylyzrrx.cmdline

Filesize
221B

MD5
a31e4bbe481719a51ef780e00da3592c

SHA1
8a4f2315672276d64e734dc6ea7acc0f2c1c7a34

SHA256
7ce63aaab885d6fdd6cfaeb724cf61609fc6525cf0e1f467f8291745b552ac58

SHA512
05cc4d4e615545031989928a1c635a5cdb1b4af670e8831daaa59bafa1ca897ef5fedeae54864ba0d517228966e4d41c0b2a7adb1422ca8b6e275f02bc3c6098

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E6E0CF5DF85437784641620864A13B.TMP

Filesize
5KB

MD5
2214c876093e68709179d742d5af1e95

SHA1
e67426c777b682b436c6addcd42fbee760f75ad7

SHA256
48cb47e939238a904a4eea243c4c0fd3ae383139513e418db024f23fd96ddffe

SHA512
08783085b534e1e107c4e9dfdc7698818989d36093efff3c9111691d8bc8f3927d0a652d2cc2ffb07f94f5681c67191340a3ae686a0581e36ad05b202bd2cf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1F035B83288E4D3FB4E0C09C2E6092A.TMP

Filesize
5KB

MD5
60091d6d3610e52a0e67d2688352c36d

SHA1
268dae47b36857e990ec61de1cae3b8cfeac3d08

SHA256
bb4eb21cdc430e3ff988d2ea0c5e1fe0bc0667e4c1339fc65ab032234294d7a9

SHA512
c09b48aceac7b3bcebd3814d933cb6dbb89ef2fa73b1813d86d380d670a823df9e085050af990823c468e3b0349f40cba89a1964a12c6844816926caa458ec1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4908D26E9E5944938F6B7AB025FBF31.TMP

Filesize
5KB

MD5
53aadde7d4dde82227b316b57a5a7209

SHA1
28076dd0bdf1724ec1293a7dc54f95fac210d974

SHA256
1c469b6462e5e53adfc7d23eb770264179ab167ce9dcb2814c51bb8730b6eb97

SHA512
95dd34a020812d7f888d66ff23e11327cbcc0d2217c02297b10373a5819763f2e00ef0dd2be2fea346303181ca8e19425e7d956f9ef18e9a41d89a1f3f2bf3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5421A20A7DF54F85883772E309E22.TMP

Filesize
5KB

MD5
ad7e0c7168ed15f96d343a38454d080a

SHA1
8fac85701ad6b2bbe60ccc5ea0a839d911d26f14

SHA256
6232a3d19aefb51a81502ada1177f6a6c4f26a909ad5aab3d86de51985f01cca

SHA512
4284ddf89e11affef3a8f00792a8b71a13f1684113e61cac7c309ba7e86c655d3fe45ff10d42abf0ad002876fef5617f00dd8f6a012b38b9df8c7d1d55ab7fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc58129BFEE4B549A4BE356716AF1C2792.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5D90BDD2162843869EF2EC27C17F1CB7.TMP

Filesize
5KB

MD5
f4b8ccb9a2218a7426563bf602dbb3ce

SHA1
047e64c89bf897f2b908803c01e5767f0b3538da

SHA256
e78fa61a7dad18e3575466e634e76a8760f6e987c632b72140ada947fe7dfca9

SHA512
c057d11aa5821f0bf64a1c87ec3d48be4f0f3263b6d9d1b832a73d2e99372cef2457e0fff47696ce72e31f0969152c56132ab857371648d588c7e0f1ee9b4ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64AD0A1E35564572BB722E4BC28DCA46.TMP

Filesize
5KB

MD5
6109c8e816e691aa16df011af1b222e9

SHA1
3beafadd64c8b77c1bc10827d29ebdc784a55c73

SHA256
be380a83d0ebd463c21ca65a360ae9acf14bfa15e32d649e005c2cd3617c8acd

SHA512
a47ded32c0cef7910318f746221c3fc1facb23cd9232be30aacd83909a63c494133aff7c3147b87b5cb6207b92a8f0151e68e84359fd51101a9be888401d4031

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc69E53D2A34854D7DA7B5F3C1BE33FE79.TMP

Filesize
5KB

MD5
29c5a9e999a66e2a2c21bf393981b4d7

SHA1
f34fe08de19e1032819879e91988b1126eae207e

SHA256
17f40a3896dc18d0f928a701152bbd5086963dbbef39b35704730365fea5f4ee

SHA512
1a6ff42cd0e832509b6b1972947df8709009bbb952cc8d347aa2cca17b3ff74564c4e610626eceefebf8bac878663a9b97b428f22738f0c39b3b95ec7059da47

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8B38C610BC6847759A25B82EE8849D7.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAA168AACAF542758D6EEB1CE7E33D4C.TMP

Filesize
5KB

MD5
a95dc928661731a2886629b581abb171

SHA1
e681c1074892cbf7a07f9234a129a1afb6e26efa

SHA256
74ff7a7faf9652ac7ec7d5593154064a2ea692e9e2c8793f9f0cc8e7e73f31f6

SHA512
dc1cfa1b7a745f0190f7b6ad45ca72f21c6582a34429663f02459dadae476ecce720b1bf3fc62a3b1410b77a1de34ddcafb520f507fffa94b81864f599feb004

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB34EACBFFF1D434AA7282A14DD515A2C.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBB3CBC2B7BA9471AA429C5E376C4B5A7.TMP

Filesize
5KB

MD5
ee633ce28424d18ab62d4010d5b7aa82

SHA1
677ff6edd3591c4d9b65171cfa381333caa8d546

SHA256
8b124412e72ce9b96ff8c55b65ac532cf3492f30743240de3cbc4c3217720f10

SHA512
46fefc85a49bae5176838b9b1001db58f4057ea6d1ada8a4c937aa34d7b395c5cbad78e7cace4d6b2d4d546e484aea694f09da520bacc4dc71e3f826d4bc2d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD6E8B9FDFBB940D1BEF9BFAA1CB4DF32.TMP

Filesize
5KB

MD5
e3ab9b497329f477b1d8bedaa815ec55

SHA1
5507ad2d252d0a773861c24882f7a40cd99350d5

SHA256
6c6717347f8251193c5b78ab8d4a0a9ab470ed65f3e65a2873fe08959383bb32

SHA512
d1681ba8937717541e3a5e7f2a58dc869e4e15f67ec35f9af22c97d017f851f731b6fafd0bb4e723fd07551e9764c2fcc7e21982a1f1ff7ce1fbb3207603a276

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB43D82FA07948BC85BAE53E265E6E8.TMP

Filesize
5KB

MD5
4ddc4c57fd1d38500f1e1e36d1c80dae

SHA1
037db607366a9f52bc9b60a6203bc4fc15b44419

SHA256
2d69af28605b08d20d9b191b2849bc88cae1f6a7956b2b24f7c7b3721fbcb24e

SHA512
5d7e027c821429d0296126d12e9c6ad94c205b84940a12d9ff78f3b1a3d9a58a57342a427078ed6e9d3d8218cbd6665c84651e3d0a89cdce1f7123bbd4c23fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEF0A03D22BDF4DB580813EA2A55D41C7.TMP

Filesize
5KB

MD5
6a6db771159557442920c503a43904b6

SHA1
8df46af5cf7d84e8f7817aba14b704a08ee16697

SHA256
19acca242ec156ef6483efae24486c3bc547a7d6add870e825ea30e6e7b140ca

SHA512
748a5e972b1c45246313dc2d9c7aa31f4434dee74946e41a6a1e90dccef7f38eb26d6e185cb772480e7bc24b4d896132966c602931e0d9dc7b4ad5a4b8628ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF00E7DCCFC5641D599B2183C44C84CED.TMP

Filesize
5KB

MD5
548c704c2c8add1705f3e9e277982a99

SHA1
2729f1c3ecb360275a1803097a1799fc0fe71b1d

SHA256
a8c38a9119b97c59c2cde0cb10c171e32b69ea4cc5e27dc366d933a3d00ceca4

SHA512
53cbdb43af99693b8d2fe78441b2fa3f8b6620f3fb569efef81bac2d92e7037427f8ff871606a7cc1bbec85ffa137bd8bdf2081d64cbc793302feb0f9418158a

Download Submit
C:\Users\Admin\AppData\Local\Temp\x034ge93.0.vb

Filesize
369B

MD5
4776ddddec9bdbb929820fbaba208684

SHA1
cf10e4fbb3ce05c0b49f11a4d8167c5332809746

SHA256
3567c9e1bafcbf4f5bfb4913960fb5f6ca3b8c037cbf46053a2e1d9298de570b

SHA512
9a07faedfb1fe8c55f18bcf596d897d1ccad3ac173d5d24cc042722e684f21180511493fa21e76ecbb829d5cff5d4ad11a2c561534b26ce5f7a82d81b7598c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\x034ge93.cmdline

Filesize
264B

MD5
0fd320010ec890958eb3b87c8daf0f8d

SHA1
f50c755e794427b0ceeec58eb1553dbc4d7283a9

SHA256
b03a43c7d56afeda6a8970dc3700a24643ee3ee0693da83ab67548b480a0d585

SHA512
06d881582ddaae9715b04b010692ab06cc0bbca8ac627e1180833c3b32375a6998d2b269285c3a608c84c0b98558ea0410ca373129b390ff969fea48d96b91e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zelprae6.0.vb

Filesize
368B

MD5
5cc2df1b0de07a19c23de684597c5f07

SHA1
c868685bd6e87187e4a7d096a854de06e26c9ab1

SHA256
ec443d6c9ce9bfd961362da89d118060a10d309a3dd21b944805affe3fbe10cd

SHA512
3d541d6c7b9f470b34a61b6245277ce96d80f3cecaae7bab57980677ac7675abb9658f410bd6a1994f6cdbfa827b0209c83a11d1397298ba7238f002fe3c9828

Download Submit
C:\Users\Admin\AppData\Local\Temp\zelprae6.cmdline

Filesize
262B

MD5
0669380f3a062b42d07b8ced9180c15c

SHA1
64fcd0324968b812128834c8be93a7a7b0c1c248

SHA256
a10f9b3025ebf4be06fb0ead65102c315f97989e87012890a8d9010260be3d9e

SHA512
87a8da55294a9e37aaa571310c01d7389c4c3a2e2091c3fd3eb547b015b901481c874a9a802d842967c1cbac1b28497a8ca70df6c6a0815ec03b4668588d2243

Download Submit
C:\Users\Admin\AppData\Roaming\indexworm.exe

Filesize
109KB

MD5
72292b69bc9a8b6191cd4f83db9b8598

SHA1
944c73806a03a3eeaabab1ece053710ee613e1f9

SHA256
5d6d839926cf744de37b09441d7923ee3743f52bab93760ba9a95319056b3897

SHA512
ee1365626a806687cda20a8654e151fe92b4a78512ea97941aa9875ad8775c47ee6631c828739d6c72be7bf5fe547332084488ef964feeb45dec6507f5e67ccf

Download Submit
memory/4072-26-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

Filesize
9.6MB

Download
memory/4072-17-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

Filesize
9.6MB

Download
memory/4724-8-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

Filesize
9.6MB

Download
memory/4724-3-0x000000001C820000-0x000000001C8C6000-memory.dmp

Filesize
664KB

Download
memory/4724-2-0x000000001C350000-0x000000001C81E000-memory.dmp

Filesize
4.8MB

Download
memory/4724-1-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

Filesize
9.6MB

Download
memory/4724-4-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

Filesize
9.6MB

Download
memory/4724-241-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

Filesize
9.6MB

Download
memory/4724-295-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

Filesize
9.6MB

Download
memory/4724-5-0x000000001CA00000-0x000000001CA62000-memory.dmp

Filesize
392KB

Download
memory/4724-303-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp

Filesize
9.6MB

Download
memory/4724-6-0x000000001D3D0000-0x000000001D46C000-memory.dmp

Filesize
624KB

Download
memory/4724-7-0x00007FFB81315000-0x00007FFB81316000-memory.dmp

Filesize
4KB

Download
memory/4724-0-0x00007FFB81315000-0x00007FFB81316000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads