revengerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/RevengeRAT[.]exe

Resubmissions

08-12-2024 17:12

241208-vqsrsavler 10

08-12-2024 17:10

241208-vp68savldj 3

Analysis

max time kernel
35s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 17:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/RevengeRAT.exe

Score

10^/10

revengerat guest discovery stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000d00000001a4f5-453.dat	revengerat

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
46	raw.githubusercontent.com
47	raw.githubusercontent.com
51	raw.githubusercontent.com
63	0.tcp.ngrok.io
50	raw.githubusercontent.com
55	raw.githubusercontent.com
36	raw.githubusercontent.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com
80	0.tcp.ngrok.io
49	raw.githubusercontent.com
54	raw.githubusercontent.com
59	raw.githubusercontent.com
61	raw.githubusercontent.com
53	raw.githubusercontent.com
60	raw.githubusercontent.com
37	raw.githubusercontent.com
42	raw.githubusercontent.com
48	raw.githubusercontent.com
52	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs regedit.exe 1 IoCs

pid	Process
2116	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2092	chrome.exe
2092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1780	2092	chrome.exe	30
PID 2092 wrote to memory of 1780	2092	chrome.exe	30
PID 2092 wrote to memory of 1780	2092	chrome.exe	30
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2716	2092	chrome.exe	32
PID 2092 wrote to memory of 2548	2092	chrome.exe	33
PID 2092 wrote to memory of 2548	2092	chrome.exe	33
PID 2092 wrote to memory of 2548	2092	chrome.exe	33
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34
PID 2092 wrote to memory of 2556	2092	chrome.exe	34

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/RevengeRAT.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7f79758,0x7fef7f79768,0x7fef7f79778
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:2
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1540 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2104 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2112 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1108 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:2
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1560 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2716 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2756 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3844 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4080 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4060 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4084 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3588 --field-trial-handle=1188,i,3324499629243893436,16941685139208811380,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  PID:1200
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:2820
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\seu3aphg.cmdline"
      4⤵
      PID:1628
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B3F.tmp"
        5⤵
        
        PID:1748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ua7jhabi.cmdline"
      4⤵
      PID:3004
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CA6.tmp"
        5⤵
        
        PID:1188
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gs4kwhk7.cmdline"
      4⤵
      PID:2728
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8DDE.tmp"
        5⤵
        
        PID:2104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\90l7m6jj.cmdline"
      4⤵
      PID:2676
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E99.tmp"
        5⤵
        
        PID:1616
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vjykk2oq.cmdline"
      4⤵
      PID:924
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9020.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc901F.tmp"
        5⤵
        
        PID:2996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hnjuqlxz.cmdline"
      4⤵
      PID:1796
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES910A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9109.tmp"
        5⤵
        
        PID:2060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvhggwoy.cmdline"
      4⤵
      PID:2500
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91B5.tmp"
        5⤵
        
        PID:2136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hakbqujj.cmdline"
      4⤵
      PID:2148
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92CD.tmp"
        5⤵
        
        PID:1872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bsjbncpy.cmdline"
      4⤵
      PID:2584
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES931C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc931B.tmp"
        5⤵
        
        PID:1868
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\onydapiw.cmdline"
      4⤵
      PID:1456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES937A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9379.tmp"
        5⤵
        
        PID:340
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d7fwkagg.cmdline"
      4⤵
      PID:2272
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93C7.tmp"
        5⤵
        
        PID:2100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_oubwwnd.cmdline"
      4⤵
      PID:1820
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9406.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9405.tmp"
        5⤵
        
        PID:896
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dnutcow9.cmdline"
      4⤵
      PID:1884
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9464.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9463.tmp"
        5⤵
        
        PID:708
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hpf8q9cz.cmdline"
      4⤵
      PID:2004
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94C1.tmp"
        5⤵
        
        PID:1448
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gjct8mch.cmdline"
      4⤵
      PID:2684
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES952F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc952E.tmp"
        5⤵
        
        PID:2536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j-19bwsp.cmdline"
      4⤵
      PID:2620
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95BA.tmp"
        5⤵
        
        PID:2884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3urmuryj.cmdline"
      4⤵
      PID:2204
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9667.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9666.tmp"
        5⤵
        
        PID:2440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9yae61k9.cmdline"
      4⤵
      PID:1796
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96C3.tmp"
        5⤵
        
        PID:932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\op8bwamn.cmdline"
      4⤵
      PID:1684
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9722.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9721.tmp"
        5⤵
        
        PID:2220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d57ntskb.cmdline"
      4⤵
      PID:2888
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9780.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc977F.tmp"
        5⤵
        
        PID:2028
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cbsp4k_u.cmdline"
      4⤵
      PID:2860
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97DC.tmp"
        5⤵
        
        PID:2084
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xg3ofpgo.cmdline"
      4⤵
      PID:2424
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES982B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc982A.tmp"
        5⤵
        
        PID:1792
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j67qjjux.cmdline"
      4⤵
      PID:1456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9898.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9897.tmp"
        5⤵
        
        PID:3048
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      PID:2272
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:824
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        
        PID:1804
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1992
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\otshqejx.cmdline"
        6⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3506.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3505.tmp"
        7⤵
        
        PID:1404
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mzdznmdd.cmdline"
        6⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3573.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3572.tmp"
        7⤵
        
        PID:372
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7p0-wt63.cmdline"
        6⤵
        
        PID:1956
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES360F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc360E.tmp"
        7⤵
        
        PID:2072
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ahjcm0qb.cmdline"
        6⤵
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES365D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc365C.tmp"
        7⤵
        
        PID:1716
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lylflnci.cmdline"
        6⤵
        
        PID:300
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36F8.tmp"
        7⤵
        
        PID:1284
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mfckwyqd.cmdline"
        6⤵
        
        PID:3032
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES389E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc389D.tmp"
        7⤵
        
        PID:924
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\55f76cjc.cmdline"
        6⤵
        
        PID:2832
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A42.tmp"
        7⤵
        
        PID:2952
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\odd6qij9.cmdline"
        6⤵
        
        PID:1292
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AEE.tmp"
        7⤵
        
        PID:2108
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ajyzwnty.cmdline"
        6⤵
        
        PID:2416
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BC8.tmp"
        7⤵
        
        PID:2396
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\luerdgdd.cmdline"
        6⤵
        
        PID:2868
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C84.tmp"
        7⤵
        
        PID:2352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2588

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
PID:2116

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
PID:2028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9be6efd617b535c3c6bd9c9592a9e231

SHA1
7c4547effd0637afddf1c244686ef3f315e35bdd

SHA256
c6ed7b7f83a4e81afcc1cae60f08fb28e5f579c349901f1e2e065e062882cb07

SHA512
3a9ddb476aee1ea1bdb581a5d02d82c79cc616cc10a39a560f809c935fae7c812cf567b4f04cc1975d467fc40f228c5b822c599fc589435064a8b75e023c41b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8240f448be1f99814f4ee91f46a5925

SHA1
f0200ed16f54db114493d684abd8f762c4ed9c1d

SHA256
2b59642a055952affc597373ee7c5e20cdebd544fdcdabe136403dcd046520fb

SHA512
695b4a018e9d8677b898c8683523c979f565abff44ec30fd2a84ed2e53753a0d9ff4fd8160a2f96d219af480a909d7a80d7b176ef952b089766b87ddcde64961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8f22fd89-cf3f-471e-8a2f-ae5d1afe41c0.tmp

Filesize
6KB

MD5
f3064900df945aa8b7050975535c9f74

SHA1
ba9901adcb5ad08e612235d2c973ec33a0beb8a6

SHA256
68bb0dc1d5def480ce978231ceeb845a195686cd363923df90e70e6b61dda275

SHA512
52beb05b556f84fdcd4fe283521ddbe6fdb202bcc423f726205af6b86f9e7a0e179f0956bbee486088c1879fdadb487ab65dc2ea1ff72ab6c343dd3d2c625faa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
3eb5b078633f224c1b60333269cb00ba

SHA1
793b4c49df84ccb5bd78ca6c9fc66363d4aabb7f

SHA256
bc6e2d7297d012bfa94f429e8d845d30fb183aa7a2295da3495dfed1b465fd33

SHA512
965358f6ae8b504a23836d645aba269a80938016e19851e84ef763b101541add522fba24b522a61ba8afe3a60eb571c1b11889f0be1a2d3a4f6ed385d45f2cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
8260d0bb7bf0b89a96b077fbef5c6158

SHA1
f1c54bdb6c0de5855235cd6b28dd4efeb72f0203

SHA256
10819e274217993823afeba37bacc73a7bde6721d75529865884ce385a22cf46

SHA512
d06c5d0a0402ab89b3b96dd603e067d610a2507f124591ff246b0a0d931baadbf7019668c8bc730f4c1b3045e65e2ef9e6f67a7af47632d03ca7e8edf4796d75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
95c22b2acd7098b8be81062f3e103225

SHA1
cdf7aa3c6c66044b7cd5d60bfff4a6cf98bb7011

SHA256
afacb303e69851e206b0542b0c2a153005498626ad213e56a14aae9c2633567e

SHA512
e18cd4dd071cd100759470c76c863ad5950d8bb8a43469e9ac77ccf842740a162d436e9ac2eadb5706005a5e71d9f34e678fa8ff978514d89ff4fa7f7cdc01cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
427efcbcb91e3dc9321d9c603bdfe26f

SHA1
378a4fc7db736557c2567e93b173430dc43c1d2e

SHA256
34140a05a44f205439ac15968605e15da816bca5779e7d7cb48844cd217d7e59

SHA512
d235114b40e6a74210e74b91020136e62c0f9e9ca836df74d2f181bbb1071f4556d5559084ee30cd9aea733be5572c5fe1f58a2b1dc18894156c77beec0b3a69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
169KB

MD5
42145624269357c7a8aeabe348028e18

SHA1
e2126bd232d6403561648d226706526a2d17ac34

SHA256
c1aef754d94e5a01f5e315d685be062d0c68b07611e52f0734d953f48902552d

SHA512
de79442438494c0dd65418c9ea2b2bb4c86297c57a131d7027078013d94935016a5bf34269b61c860572942320098b6369070732fc0628e63235a0276256bab0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d45baa39-fa70-4d32-8b46-def23029245b.tmp

Filesize
169KB

MD5
3acad60d532d424f73dafeb95ed04630

SHA1
2e6bacc5ab2aaae1a3ec8779e5d414c585ea617c

SHA256
6cd8210ef81774f97936822648482024a5549e2d1e6fce9f5e9d6be9fe56d902

SHA512
546b69a4bb8aaa4655f7622db25199d3aa8eb234955a8797084f5d157ca5b151c1a0abc256a52143b2d6771517c3a0d6dd10a5bc614f8a447cc42fbedbd664c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\90l7m6jj.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\90l7m6jj.cmdline

Filesize
224B

MD5
5e74e3344c0014ed0c0a3b0f87a756ae

SHA1
d0e965719594ad946aaa61794243bc7a3e4555af

SHA256
7c734a83e5b24e370abd0c630617c382b7f9641c75ae4060aee8890a360deaf8

SHA512
8091ccc2b79b6db4b9b5fe7b32ffac770f0a12eddbd275d858e723162397f26567fb00e1b5a8ba49597dc75c791b81ccf3ee507fc386e9a8ae6f5011f503a51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5015.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B40.tmp

Filesize
5KB

MD5
03a6281547610c752e355950b99e7f7f

SHA1
2b2a850e6a22bc7e25f10d6f76333b1d2103d63a

SHA256
192fefe4225cf0b82ef7a2d20d144b7b38717cd2e209313327f3980e1617ce5f

SHA512
0a94a65d64dfd5c4d9f03308d173315f7046848ef364bec8b75f34eb474a4a94e3bd81c43c5edfbab067c1148906dffb87854022c0e09ec068d54b7ac68a319a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8CA7.tmp

Filesize
5KB

MD5
eee0c8b794542f8687e88bcc42a6e4f2

SHA1
39197a4ff19b6e2622d7aafd3ae61665d5c9c89f

SHA256
0e755714c55a6539d81baca25334fa9c90a04b7f60021b2884d9a825bffc7fc4

SHA512
5ee12fe44345081e08f9f6c0eacee4f71920393c575f06fe2182cc2b6e118adbef210cff50e765b7daa550ef181d5b0f33b6aaaee57b16f6db69985a0a452bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DDF.tmp

Filesize
5KB

MD5
c0d6551560723775c778dee62e688ca3

SHA1
b072b3c2bf07c35556c0b30bc6092e4370545cf7

SHA256
8d0ee6740b024fa4e5001bd580048a69a96802a9a9e1bdbfe84f334881efea2d

SHA512
44f501682c5d44fc5ada36a534c7da8a63b805e48fbdf2b2cd71730e2cdafd8b8179c337bd21eb40905d35ae9a2d58f7de8d3ec3a51a9e434c4700c6f5ef510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9020.tmp

Filesize
5KB

MD5
8b44671e1e3c8f0d05aa5a2308f7d6e8

SHA1
43042f7566f087d45615249293edc6cc6cbec85d

SHA256
29acc3eafe62ba4084ba9f40c9dc0f606f7973e33706630c9d9ec4ac892236ae

SHA512
92843f50b9713147c6c0d0d0d1e61673b279b6b1a13e5886ffbe924c018c7c8952a50ed85d58a484759ba77bfefbd586a0ef7f945c81e4f41a01770732ce427a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES910A.tmp

Filesize
5KB

MD5
653589f050c8c01f51aa0e2f5034accf

SHA1
c8ac68ea47eb088ee713fad6c91701588aece88f

SHA256
565d733f7b1132b8a8df0e7a255219f136c631c4743abb32983f300025b3a36e

SHA512
98b77003bb08750f7914d0bcbc271b4d40d665ec31a8237bb00f677699b40aba66466b57448c3b7a12953098eee7c8e5cbe25bc006bd266553ef0ac645865e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91B6.tmp

Filesize
5KB

MD5
6717d18e6b74e32310cde2f62bb66fe1

SHA1
4303ea46fdc5f1022eb452c535cd7940b096b421

SHA256
444eef66823f59ef5445a634649d4fd293a3dcf2f9061416638d9c66839e234f

SHA512
52cc693e98865df4cb5688623c527c811d578005374456a20b507a09c96bb7385ba966154890a780387d8a213a6640ea12d7d4665d90f6ba6943726ee21b8f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES92CE.tmp

Filesize
5KB

MD5
1ccbd3d8552a8b87b3541e1a51cdca4e

SHA1
ab74e64351f6c818cbb7bfc644c8e2045fa78d9f

SHA256
71c77001d7a595f619cc74d1aaef41d9c8b56a860f524bfa0d0161435264987c

SHA512
b184ab7f96d2663907222aa4791c96c3548e2801c0f9138f7d6afe25d78b0a780d2edbe5510a739895c50e0ded0d59b263f12099648f99536b11d327423a5e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES931C.tmp

Filesize
5KB

MD5
dff8badced3b9e7c1ed761a3647b545f

SHA1
e5b516f5cc1d04423c2cac87ad1f08d07d2a4e26

SHA256
95a97b9cb9179e3682250baa277893973777eac7aecd4dce32ef00e0ca7cb394

SHA512
846fa5f5cb0a0584490cd5051a6850abb735c1cb7405911e8f585def6733638994d5a73e6b54f789dd717f50b9c777fd2c461337d59841cb7582c27f2c765785

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5028.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsjbncpy.0.vb

Filesize
375B

MD5
085f35c737b484465e1799359126ee1c

SHA1
f51feaf15af726cb9cbc151cd86b9913e428abcb

SHA256
940fb15c66dc34a66b192569ec3588a11285af4f7230c27d54191dcff5dd5b1e

SHA512
8314ec82f79a6dbd1e946be25984635c149ef6689e33d8010680f5bdf3bc8803bc14d8dbaa92717fec261d7f27e8f87384478130c3fe5ee37f3ec84fa2bf1402

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsjbncpy.cmdline

Filesize
265B

MD5
b3d0f11124c6b24d75af3dd1eb9a5005

SHA1
4cd72807d3708fb64e2e7fc409db69d86b77871e

SHA256
71f49ec10404c7b1107e57a7e068785a9502514e65af012edc08162abc40016f

SHA512
c8daa284f6081eef0b8c5b3493e16a74f7732f3824cc4a67d4af2da7cc5475cce7d086904dcb6371bfd33c48e3f7ceeca33b8b3f309e509b047febf88c2a6dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs4kwhk7.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs4kwhk7.cmdline

Filesize
253B

MD5
977614f1d603af9d8e34dd7a4c03d255

SHA1
7de46d955fca3a2620ee1bbb9825f27fca9eade1

SHA256
992ecdaf980d9959d0bb3bb17c7cac34c4e0c98ecdfe08a5d024a599a25fca7e

SHA512
17730c71b10b0b44cbbaafee6bac9abab0fd366426163ad5c72683520c3d8cb2f3b02e96416b392a5c99b6e476d1d6d74214354e5eb7079a3bf9b565d98f9eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\hakbqujj.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hakbqujj.cmdline

Filesize
267B

MD5
bf610fe39c22fd1fd4d1d61d246f17e2

SHA1
0cab7990a5d3410534b1ff52390a60ae77952f89

SHA256
69b262a58b5035ecc51c088db2bcb99b6e05cd607875633c09f84b9f49037d61

SHA512
18190a449c170288f47eea9609e05c801f9ad66b54f052f5382c66e285cf5ac61407a9a2922ecda069a037e7080442672400c37789fd1fed6036e965c61cd4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnjuqlxz.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnjuqlxz.cmdline

Filesize
267B

MD5
85dc110b01797ab16a80659440fea6ef

SHA1
6da83ab6c713c7eceb0c4130aff89f72f18adfaa

SHA256
d9e63e544c649afb56d361b75806e9688300aeaeaf63c8cf44ebe5f76e451436

SHA512
e42be2b31583feaf7445be24785ae41b2e86bc838da0f710819f0c9490b5896d9cb6f4c004a1adfb697df9a0b0a18dc6e8425aef2cb3b4f022ea2a2791bd0847

Download Submit
C:\Users\Admin\AppData\Local\Temp\onydapiw.0.vb

Filesize
378B

MD5
a52a457213a9d0522f73418af956a9ef

SHA1
cd46e651cb71f2b3736108d58bd86c7cf3794ecc

SHA256
be60d63078e797b8b46dc31f978e20e9819ef09b6fd3d5869934ace0530f23f7

SHA512
9d3458eefcd36539d4e97ed847f06faf96e0a8445e1d352d6a77506a042f513fb39523f90eff3aa1ef06afb000371e94d1968bc61d28bfb00f2a8cbbcc2eb3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onydapiw.cmdline

Filesize
271B

MD5
bc6babc22c57344367ee42b7b56b5d6c

SHA1
8cc3c9a0ddd527dd459982fb0d7ffc6239dc3339

SHA256
1568878ea9a274d6ec8fe468ef96b87eecf98165fbd76253e76de7711353ac3d

SHA512
ad59272ee4afc6e3223ee2c720c4ba6cb58e2eb69bcd44650e53e80eef311d40cf60c3a4c8a1b76d81008393e2dfc5bcfea538b9d0828fa21f701eb40e69e9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\seu3aphg.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\seu3aphg.cmdline

Filesize
253B

MD5
90b81e22026e3b78b6ca78dc68c94c2a

SHA1
6c0efba565b2de3d8431acc3763222d60b406d7c

SHA256
5f502daebb4909f440a110054c9e53e0fd73fd5194edf989904ab5b1ba3fdaf4

SHA512
d7c9bb42fbded5c4b48fa05be0aadc25bcc034ae43dc74aecd0c36ca8756a88bdf176b603803af7e1e45b0a613a10f3accff59371c0d9c4178debb671d91b88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ua7jhabi.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ua7jhabi.cmdline

Filesize
224B

MD5
e0908b075bcd49d2577b9e58df0281ce

SHA1
7fa37e43e94f98a1b66f1cf154367ed73fdf0fe4

SHA256
190c34bc5dce8d06c65e4fcbb6f7e6fca717d85380440b941a81eede77d02263

SHA512
56642fb2fb92533986f3ebf4162fffe8ad1a646359e631b75152a3ee19bc8be4022b56bb68e64e7e3a537ed0931895fd10dfa78dd0d63f78d42dfb82e09ceca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvhggwoy.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvhggwoy.cmdline

Filesize
261B

MD5
1cca59d6c13e2bf5d7f51974fe108a4a

SHA1
a5b887182718435ace084055a3398032eaab1b0c

SHA256
81db8f360d03ab7ac0baa7265bad3c3d2296db911aa5eba383d0ca79f4d2cbb3

SHA512
d17347cf70a140d47188e51dc2684188fa055cc3b64d92d9dd653cb4ced0c9ebd7a382c7347bc572f7689a968a6c7b5fe2028cec5e80e3912f0ed30ba3a10801

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc36F8.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8B3F.tmp

Filesize
5KB

MD5
955c29e6642db6b23d9ca8d18903794f

SHA1
2a12553a01cafeaf83d2f52febb424af00e649bd

SHA256
6839c94e5031c8646f5d3db534b41c09076e93cae238d1337aa8a1d41ad741f5

SHA512
30eaed32fb99fa62ef8883c4b6e34678175cf8ce24a953d80e43ef67a68f79e9a59996ea3cb4465c6f6d6e0b03a0fab1b241c1d21430bedc49e3e757293fe296

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8CA6.tmp

Filesize
5KB

MD5
d7d67a3915a3aae053cb2867a77fd9fc

SHA1
829757b4c84456ea3771deb6988e77bfc3ad117c

SHA256
d1d578383b3b0b42856bef5deb0fc8cd2406e1f9bc8f6818b2c719a66e6d8093

SHA512
bb877e96798c34921c613aaa44e424593a791f450a10e254e5a643ec774d527178c7b36bf91cf683e712d893e8e321c8ecafc6a2521f148200f769c9ce2d78be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8DDE.tmp

Filesize
5KB

MD5
666d582d0f49759982ad0b7cea623a35

SHA1
54f28f61b9f4ae52dcce4ee9eb8ac0b8d7809ba8

SHA256
b890a7bcccc09c2d2577b944bb32e3419d70458e5ecd02f2f846325b86bef862

SHA512
29d157e897c2e0547cf105ebee1dca1eabf410ef364fb807055e2dfc79bae4be60ae2d8f012ca02eb37696b335fa0eaffafa1db7a032b80945fcabf954b18d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc901F.tmp

Filesize
5KB

MD5
a4da846ea032d0e25d23ca969a569fe4

SHA1
facf679f92a929a6fd914bb43f7b52e6536b6802

SHA256
329ca0161ca179613635d25604e61a249ba4f1b762f5672bfe27c3bb9a7f47d3

SHA512
3255e2339afa13b7e0f1d74572712bcb87ee7366859b3161bf2570b57a9738c1d195a14a7f784849e1ce2233f31b048c393c07f854c0a7a9fb037693d941f8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9109.tmp

Filesize
5KB

MD5
f039d48c1767e0e4303ba43ffe355c97

SHA1
2e92eb77d16962623212f004480717303db5101e

SHA256
e78a94663d6c227a309e24b0952ee7ec52c49fe817a02f29516b36d24d465acb

SHA512
4a5e0e693827cbf1a742f71e8b6395382cdfee797ee1e8b0b3fb9e4132e593da9cc532a5cb0b2e9d660d2eefc29f6b0bba849792a6385100348d18cda0950ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc91B5.tmp

Filesize
5KB

MD5
abeeccd127afe60188318600ec0e2795

SHA1
adc607f07fc09053d796abf25095c76b361436f2

SHA256
d1df4661c37810b6e6d906cad05c9e45c42a080f2b832e56c9e08316a35f6792

SHA512
7a6ff2db0e83b9b6d24210fb9a44ea3e0345221f656f46290841bf352edac16dc5a4cb4e8a914ef60c6ca507e6bd5eb1e169ea187feedb7b3050022567dc0ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc92CD.tmp

Filesize
5KB

MD5
55e078852806b5d83533794483a09a7b

SHA1
ed79aa8f044b59bdef3c7091acab59f92543227c

SHA256
be654a24194cd1ffca4dd20466530905c4f208bbfe0f464746d6784bb56e60fe

SHA512
632b637781498756bbffa5b267d80ed155f6b89a2842a9691f7cf302ec8ddc1b360d1f4202661b666fd01a1335c6d0ef2f2c69a10c5ff15f086156f2eb031068

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc931B.tmp

Filesize
5KB

MD5
4a95cbe7406a930bc0b431ccf5ec97a2

SHA1
1ef8622262c9d6c829affd42877361fec2ac105c

SHA256
61d27f9f3053d3366d2ea7234418be37478f0c1773d7d622f2b9c7e0c39f07a3

SHA512
b83016a32a253624ee336c74cfd1265f4bd5c95fa7667d776e236783a537215440b4d2a5f7ba6f9421a756ce11b22c3584544d3f9c5d9c4b0a7e12a5fc09da14

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjykk2oq.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjykk2oq.cmdline

Filesize
261B

MD5
403f9564a9dd58e53f5e9a55b38c88d9

SHA1
e2249bbdc082a8eb3cd6f9c0b0adead4974df9d6

SHA256
3228cf9187f423de42a43b8478435f74ba052f3d9814d79ab589ec252b912ff9

SHA512
084c05148c3041429905e3e1706ed1b0e8634e6332ecf6db1e507dfa263a40cffa50cf89ec12314f5a39bc5ed8e2172cd9461105626644cd6537b666ac3f0fc2

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
memory/532-481-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/532-479-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/532-499-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/532-491-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/532-492-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/532-483-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/532-496-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/532-485-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1200-511-0x000007FEF4060000-0x000007FEF49FD000-memory.dmp

Filesize
9.6MB

Download
memory/1200-475-0x000007FEF4060000-0x000007FEF49FD000-memory.dmp

Filesize
9.6MB

Download
memory/1200-464-0x000007FEF431E000-0x000007FEF431F000-memory.dmp

Filesize
4KB

Download
memory/1616-592-0x0000000077060000-0x000000007717F000-memory.dmp

Filesize
1.1MB

Download
memory/1616-593-0x0000000077180000-0x000000007727A000-memory.dmp

Filesize
1000KB

Download
memory/1804-840-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1804-839-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2588-534-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-934-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-935-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-936-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-933-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-523-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-930-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-524-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-521-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-988-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-522-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-842-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-985-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2820-512-0x0000000000D30000-0x0000000000D70000-memory.dmp

Filesize
256KB

Download
memory/2820-816-0x0000000070B60000-0x0000000070F6B000-memory.dmp

Filesize
4.0MB

Download
memory/2820-838-0x0000000070750000-0x0000000070B5F000-memory.dmp

Filesize
4.1MB

Download
memory/2820-478-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-843-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-841-0x000000006FEE0000-0x0000000070744000-memory.dmp

Filesize
8.4MB

Download
memory/2820-474-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-472-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-470-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-469-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2820-468-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-476-0x0000000000D30000-0x0000000000D70000-memory.dmp

Filesize
256KB

Download
memory/2820-477-0x00000000741D2000-0x00000000741D4000-memory.dmp

Filesize
8KB

Download
memory/2820-520-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-466-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2820-467-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads