revengerat | 8176ff71185aa68a3d034ee352edb744808cc1c0c8b17ec188b0e0a87ec3d66f

Analysis

max time kernel
1050s
max time network
1044s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
18/03/2025, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

503KB
MD5

18027ab757117250f63fd4cecfb17554
SHA1

780bc94badbc0d1beb029c60e9023afc0351d265
SHA256

8176ff71185aa68a3d034ee352edb744808cc1c0c8b17ec188b0e0a87ec3d66f
SHA512

9b724169672519ada3730540e50cb0979d9f3db06e95aafb785ba713f04dd3108d05872f8acc11d72c51990e4f6084325d03bc866fff5979e18edc462cb20218
SSDEEP

12288:Hnh3gCeDX0PfUC2jykOJQVB3z6Lm//HFl2Qc7kc:HnTZNGB2LmGV7kc

Score

10^/10

revengerat retard discovery trojan

Malware Config

Extracted

Family

revengerat

Botnet

retard

127.0.0.1:333

127.0.0.1:21

127.0.0.1:443

127.0.0.1:80

212.102.63.147:333

212.102.63.147:21

212.102.63.147:443

212.102.63.147:80

Mutex

RV_MUTEX-TwUnoWrUUgHRH

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4452 set thread context of 632	4452	client.exe	82
PID 632 set thread context of 5072	632	RegSvcs.exe	83

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4740	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	client.exe
Token: SeDebugPrivilege	632	RegSvcs.exe
Token: SeDebugPrivilege	4740	taskmgr.exe
Token: SeSystemProfilePrivilege	4740	taskmgr.exe
Token: SeCreateGlobalPrivilege	4740	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 632	4452	client.exe	82
PID 4452 wrote to memory of 632	4452	client.exe	82
PID 4452 wrote to memory of 632	4452	client.exe	82
PID 4452 wrote to memory of 632	4452	client.exe	82
PID 4452 wrote to memory of 632	4452	client.exe	82
PID 4452 wrote to memory of 632	4452	client.exe	82
PID 4452 wrote to memory of 632	4452	client.exe	82
PID 4452 wrote to memory of 632	4452	client.exe	82
PID 632 wrote to memory of 5072	632	RegSvcs.exe	83
PID 632 wrote to memory of 5072	632	RegSvcs.exe	83
PID 632 wrote to memory of 5072	632	RegSvcs.exe	83
PID 632 wrote to memory of 5072	632	RegSvcs.exe	83
PID 632 wrote to memory of 5072	632	RegSvcs.exe	83
PID 632 wrote to memory of 5072	632	RegSvcs.exe	83
PID 632 wrote to memory of 5072	632	RegSvcs.exe	83
PID 632 wrote to memory of 5072	632	RegSvcs.exe	83
PID 632 wrote to memory of 5564	632	RegSvcs.exe	88
PID 632 wrote to memory of 5564	632	RegSvcs.exe	88
PID 632 wrote to memory of 5564	632	RegSvcs.exe	88
PID 5564 wrote to memory of 4260	5564	vbc.exe	90
PID 5564 wrote to memory of 4260	5564	vbc.exe	90
PID 5564 wrote to memory of 4260	5564	vbc.exe	90
PID 632 wrote to memory of 2508	632	RegSvcs.exe	91
PID 632 wrote to memory of 2508	632	RegSvcs.exe	91
PID 632 wrote to memory of 2508	632	RegSvcs.exe	91
PID 2508 wrote to memory of 3172	2508	vbc.exe	93
PID 2508 wrote to memory of 3172	2508	vbc.exe	93
PID 2508 wrote to memory of 3172	2508	vbc.exe	93
PID 632 wrote to memory of 3932	632	RegSvcs.exe	94
PID 632 wrote to memory of 3932	632	RegSvcs.exe	94
PID 632 wrote to memory of 3932	632	RegSvcs.exe	94
PID 3932 wrote to memory of 408	3932	vbc.exe	96
PID 3932 wrote to memory of 408	3932	vbc.exe	96
PID 3932 wrote to memory of 408	3932	vbc.exe	96
PID 632 wrote to memory of 5804	632	RegSvcs.exe	97
PID 632 wrote to memory of 5804	632	RegSvcs.exe	97
PID 632 wrote to memory of 5804	632	RegSvcs.exe	97
PID 5804 wrote to memory of 1292	5804	vbc.exe	99
PID 5804 wrote to memory of 1292	5804	vbc.exe	99
PID 5804 wrote to memory of 1292	5804	vbc.exe	99
PID 632 wrote to memory of 3784	632	RegSvcs.exe	100
PID 632 wrote to memory of 3784	632	RegSvcs.exe	100
PID 632 wrote to memory of 3784	632	RegSvcs.exe	100
PID 3784 wrote to memory of 1912	3784	vbc.exe	102
PID 3784 wrote to memory of 1912	3784	vbc.exe	102
PID 3784 wrote to memory of 1912	3784	vbc.exe	102
PID 632 wrote to memory of 3616	632	RegSvcs.exe	103
PID 632 wrote to memory of 3616	632	RegSvcs.exe	103
PID 632 wrote to memory of 3616	632	RegSvcs.exe	103
PID 3616 wrote to memory of 2088	3616	vbc.exe	105
PID 3616 wrote to memory of 2088	3616	vbc.exe	105
PID 3616 wrote to memory of 2088	3616	vbc.exe	105
PID 632 wrote to memory of 2004	632	RegSvcs.exe	106
PID 632 wrote to memory of 2004	632	RegSvcs.exe	106
PID 632 wrote to memory of 2004	632	RegSvcs.exe	106
PID 2004 wrote to memory of 1652	2004	vbc.exe	108
PID 2004 wrote to memory of 1652	2004	vbc.exe	108
PID 2004 wrote to memory of 1652	2004	vbc.exe	108
PID 632 wrote to memory of 4200	632	RegSvcs.exe	109
PID 632 wrote to memory of 4200	632	RegSvcs.exe	109
PID 632 wrote to memory of 4200	632	RegSvcs.exe	109
PID 4200 wrote to memory of 4588	4200	vbc.exe	111
PID 4200 wrote to memory of 4588	4200	vbc.exe	111
PID 4200 wrote to memory of 4588	4200	vbc.exe	111

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bwwbgkhf\bwwbgkhf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5564
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB83A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8366ABABF1A8426690791A9B91F4A719.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\goyieuvy\goyieuvy.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAFE1492144CEFABA5A6AF77CB509.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jer334d2\jer334d2.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB953.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDAD26DAA28E64CD7A6A579AC62673C2.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4moqckki\4moqckki.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5804
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEFC29805BCB4888A7D36E5D1B578CF2.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oc0czcp0\oc0czcp0.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA3E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA8DD43B437447DCBFFF9790AFF855.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nquerp05\nquerp05.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC544C4A5803E45339CD55A8B8DFCBD7.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eebduo5m\eebduo5m.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE28B03A33F954050A51EABAFBE50F9AF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3u2b5vhn\3u2b5vhn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC184F6BA36D54B3690A12D40B9658B1B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ge2xo1wv\ge2xo1wv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC13.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF21C3B726654A2A9B5E7E1E466513D7.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1068

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
8KB

MD5
5b96262894a6775aa100267f4c761048

SHA1
5cda0183486488a33535d545eb9e8844276ca7b0

SHA256
d1ee408c0404d538350e99d1e85c2e6a789ee84c1bb5618f52cf885ad411487a

SHA512
fc9e7de845439b788f2506065dc707d7adf92a6f7809d5987f86a3f7b77633a4728dd2ae385316d37cc8a1fcf42817c006596d5b87856d839474ec2d129199f3

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
93d27b63be9c1d207676dda714d39bba

SHA1
57a2c9e2f78bf17665b4c1cd2725135ada2eaebd

SHA256
918e92ef9586860f18148fefacec6cac6913a71ea885a2083babfd04e728fe0f

SHA512
789cc6de78f54438fe4daf0dad6f1d56022a77d0524baa9a89228bc20cca436f49234dfa5683f8daf1d038015a0d36a16d1908aa641a00e828425d81c4143dd3

Download Submit
C:\PerfLogs.exe

Filesize
8KB

MD5
503b3039a01264467a233bdf80171fbf

SHA1
51ce0ade9e83f0905f29daac91b1aaaf07dc54fe

SHA256
e63b5917cf5106009ea2d7c4e8ae73c0c9e8e4cf2b0ea645eb06f9cd16318289

SHA512
b961d0aa92d09b902aeb87cc32204f70d4bd443692ccbf582eac4982c9babac224b3d0a2622ee7d5edcb91b050f6f605ad815fd66de0ec4930b7b5cbd5b30010

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
bddf5340534c12d54ab9e55aa473c6bc

SHA1
6577f83d77ce3801d5f15e66357bee8620250ff2

SHA256
c1dfccc61a9715e80fc344d5951b95bb29db315642f77917cdfdd6cedd8eed3c

SHA512
d6914482339362ac310ab80356846cb8221349bf658e2f821a8382bc8cd69972dc45fcc5f70080c6982b31a4cce182a9ff0d97b7da6669d9b5c4717e2f8a3b7b

Download Submit
C:\ProgramData\RevengeRAT\UUKIWwie.ico

Filesize
1KB

MD5
42d552558e7e6f7440b2b63a6cde217f

SHA1
9c8fa01060f667cf3b0caad33e91fa59e643cf76

SHA256
11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69

SHA512
e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b

Download Submit
C:\ProgramData\RevengeRAT\windows-delete-winpe.ico

Filesize
4KB

MD5
1f0ec21c4fa48137a0526c3c0fdea8bc

SHA1
d7868157fa33266e837fa897cdf281463cd9b2c2

SHA256
6bb158d3401976e135ed0b4d7bc4cc9f00771a9b1c2629e3fa3edfa88d2a921f

SHA512
5327893ddfc43910f482dc544faf1823bfccbb96816d7246f7bc91ce46f185b1c6677e04f99ae4c62d79fe5e3793b85f8d70957d6073e3e2fab385477d685773

Download Submit
C:\Recovery.exe

Filesize
8KB

MD5
d343dc2c5d8be191e947703c92d1fc1e

SHA1
d8889b12182f7354d9bc4f53f81e5699b3edb438

SHA256
50613b64fe146b58b146fa76593d75de7856d41fecbfcb59f410f613eb9d859f

SHA512
b163e22d0707360caf378dfc5e8828e8d2db261ba96a377110c3a41a750c9ebe8e552a9d44aa6810b3ab02e114ccca4bcd162acdd8c339702b551f917b8a435d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3u2b5vhn\3u2b5vhn.0.vb

Filesize
341B

MD5
2eaba4383c078d42b2f7b6b56b3a5753

SHA1
5587ecf57731e8778b752069e01fe8ed58cc8423

SHA256
00a43ce37f29e94bb7554ed4cc4a4951efac366e2c5cb15bba82453733442600

SHA512
580a75cbadd4185020ed4748a806ceaf1d7b541da6387202e9e3e24d3d8d04e9fabec9f7871085826e84fbaab34d75fac2aabb9ec1e7f4964272c961821c67ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3u2b5vhn\3u2b5vhn.cmdline

Filesize
207B

MD5
95e9e190fb8fc565ac344a740a10ff8b

SHA1
133cb66f6ebf1b154859b5fd7688426dc54be3a9

SHA256
393b6c6746787c97e909f9ff8e5534c31f6c8a69960507b413fd2612815041a4

SHA512
6e6c03e7a4c5037f22e415da4473446be0cb33f92b5c58b047495080af3059b836b93e34491c2ec702c375e73386fc2d7c2726d0246a452d759e22fdb6430b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4moqckki\4moqckki.0.vb

Filesize
355B

MD5
f9ad0fd80cd20785a4c2310cc7bc8c5a

SHA1
401f2099128cc33475ba6a586daa7b217ae41611

SHA256
28a4affaef125abca3716c975cb04cb52ccdf2226c916ddd9bce8c0785008120

SHA512
2b22f9ad8c29355cd62640e2ccb1eabb5d72a365dcf2cbd66ca6099e2cc1570030745fa8fc21519dae72e52f9cf872c291d8b93a371cfcd8b46f3a9bcf29fc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\4moqckki\4moqckki.cmdline

Filesize
221B

MD5
dee662490a3c31112af59fbef0cb1e67

SHA1
9075b8e44674678ff7c88358519baa9341740db2

SHA256
61d191e9699c9fc1ecd57606309684d15875c580ed33ac1fcdcbdbde78ad8ce9

SHA512
fe223d8edf4661be8200e43e97771c4f0b8e2879740cd4e9f08f4246b4192793e9f163425c008747c8acb2a800402c17967555367f01178ce765acad81ec8989

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB83A.tmp

Filesize
6KB

MD5
a6243b581d3c6f8cf669412099ad9570

SHA1
41537a8579062ebf60e4261cdae051d320cc1149

SHA256
f79cd87aa00fdef134f54c332ebce27f4b0a16854793a6be40a53acaf8c8620f

SHA512
83f094435a5b451a87e24b4d36a36a5296c291696f8b46cb23601580fa6968c3b694662bf98456f5fca8aa002affed310a37bd5fd02e516afd4034c26b63d3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8D6.tmp

Filesize
3KB

MD5
7342990f290a39e8aeaab97b2ddf3d2b

SHA1
eff302e132a397e93bcd717c73b5c21e013dd711

SHA256
6b38185ab3ed7a64b19a0ef36df6161c622e9f654fb5a3d2731c3a05a9da102e

SHA512
ca54ab966ca4b73373e064354ea2d3b9a3da1d347493f81fe16cce65c243ad00f3c60e3426d5ea2829cb81668ea36001cf6eb9c72c380b95d72463d9390cfbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB953.tmp

Filesize
3KB

MD5
6d6be269faff0aef74f0d50e61f848e6

SHA1
7085bef0a3fcc9d848281135aff614ed80671be4

SHA256
a5916d1d2d557ceeca5240a99699e23b83684eb5b7e1ec56668ebcfa354f2340

SHA512
d4e4c90c687b4f80a1b6670cc028f1e1b804659df397290bb768b2a55dd553ef3c2b75b49429384981a44a14927f78d16f189c80b3cbd9ae1d71f78dee997750

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB9C1.tmp

Filesize
3KB

MD5
f483d656af23e013659526a64ec91a49

SHA1
20b2cf4ef3bad6553634377d385ef07790e3d7ba

SHA256
6b233698bb6c666fc1206b5fdd1ac41f8b65125e001920b002f44f6ef4d126cd

SHA512
39aff4345aa2ef9ad0463d5d73347f24cde5d0cdaf4e153de2e770d8030749dd634e485a5dd6e9bfb2bbe7def2d1618102d440892173ad5115a1c506b90f2a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA3E.tmp

Filesize
3KB

MD5
7ad5b7d27ca9cde4b5451412e1e9b398

SHA1
d50f77524f557b51a52a3730f2fe3d753a785cb7

SHA256
0118570403f38b6f1f84899e96ba7ef770b5d239478f1f05d147c7669eece011

SHA512
3384beabd888a4ca09c88926094327d06ac88bdab9102395aa006f497e4dd3d75243047279ef1f5df24dfa6603aaabee811396cdad73ac8985593701ab9f86f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA9C.tmp

Filesize
3KB

MD5
fb7ac2c62f154bf1b0bf630056460a11

SHA1
6814bc82b74700340e50335522cf66be457ec7e7

SHA256
e227defae1062da38b669f3d8fc7eb5959dda55b9535be5a6dbd6851f3bbb6c8

SHA512
a13689e56cbbe5db444903dfbbae87f91a52533686fb3d51cb1f28151f6a0c232c80cc66a2ec5c100813f970c6d7c90b456f915c7a5fdf36d5ee8d27feda164a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB19.tmp

Filesize
3KB

MD5
d2d8bdbacf7fc5f58028e8a786734fb7

SHA1
fd89a660d47b4595c4ef7f2edec1db4397aee76b

SHA256
3f16f17979aee2ebc6c782dd3ac0f53a92469d7ca0868a8187677fa0ac01abc1

SHA512
4c8f1b536fc5d6cc6d4beeccc310675c1741b1daa45e71abed165de8c02fb14dafe0cf35484f05860a6f339a038dc27aade9be2dde5a182fa6ea335410d772f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB96.tmp

Filesize
3KB

MD5
3b38df88ffd91c7822d80ac38ec86129

SHA1
dba3f624a0121305f393d5d1b156e650f56c55d8

SHA256
73444793c412a654681e770913377e274d57fd15d3fc398663146b1a66ff7fb3

SHA512
ab1d5d2ee6ba4e7b6b92ca99e5850798e22d0a4178ba2e3e15a9b2eae5ac184ca6ce11419557609420a6eb08379d413ca72a4238966d64fceae9949675c9f8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC13.tmp

Filesize
3KB

MD5
2239f449c5b75b658581e2b8b43af75f

SHA1
69bf804231053b5876839999997620565baee5f4

SHA256
30e3f63061fc044e6006272eac548cb0a8648ed53dc379d1f267dd3ffbfe9467

SHA512
828d0b7cfdedb307075334ac52fe24d4208246e5af8a630af7c63fae9bd3f8c83f7ca5ee762c5c42dff4d39cffd29db5ec8f75c3362dc308824028f57ba2f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwwbgkhf\bwwbgkhf.0.vb

Filesize
357B

MD5
505146fca8f36b7caad085d4f3e0b932

SHA1
dade832e28e42223ce507c3df9fe8380849af45d

SHA256
6af204d197d34512299b0dde6422c82ce104f01709e4ecd7ccb58424afb3993c

SHA512
a3a998d66f34e70972e20b9bde05f2006fec96c30ed9e556b4e1da3dfbba92fbcff9a211c81c0aa93ef5abfedba126a9776e18732af04da1764c748661f4b033

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwwbgkhf\bwwbgkhf.cmdline

Filesize
235B

MD5
9385f3d54368ed11b9b2c00e1f2cb882

SHA1
b33f59742aecd62162c24a81b846cd7b6d8fb955

SHA256
bf340d8ba99829b7df597b8a9053658738bab9eff898609501ad6a1741be0899

SHA512
91d08dd4793e30a1b80b39cc40d063c8969f47f4cfa8768e53ea06f6483a8c948070bf348e0900b067cc6cfc3ac28f940e82af2a63c3ccb40b82be03ce970150

Download Submit
C:\Users\Admin\AppData\Local\Temp\dONFueOci.txt

Filesize
44B

MD5
742160e4a4a1d12b2e9682bc6116fc9c

SHA1
bc3f16b140dfdbf5b4de6ee73659162d4f3ca2f4

SHA256
23c1afadb9dd7c91730ca7f9b483f2b4b2b5c9ff2fc6b095ee071e2c99f03a77

SHA512
2b49f5b5030298f3aa171d190afdfe61ed1e5bc409ddba64fb36c72656b8205afca9e325e4e4577acb9f66aafbb2bb5693255b313a2e293f2c7bdc7a8ab55875

Download Submit
C:\Users\Admin\AppData\Local\Temp\eebduo5m\eebduo5m.0.vb

Filesize
352B

MD5
7ad335976b6538d4bc10a51f7bf8bce7

SHA1
e6bff208e4139bdf91dee890cc9b6688f3070daa

SHA256
e9e03d227b8540e5a8bd6067db080b072dad25960f611d6b9a8e1887bdee084e

SHA512
20d9c3be9ec6d6b034ad918d1ed41114389b33f7c24a10ec26a2be620833c6fc21c815626891a0c35e36678ac2b4bcc5e9418f53939953a8123acedbfb503a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\eebduo5m\eebduo5m.cmdline

Filesize
218B

MD5
2e4820e5e663fa22e5213d9eb5601f0b

SHA1
853cbd6a90eecb41acf2f365d480b83d4f1abe3b

SHA256
9f8d74e8b483f4f2033476e10b8473b8526e28db24e899f9a00667600d6ffd5c

SHA512
7e957df96f85c05fe75b749f9ea430516ab00ac0282ab1db6e3655097c350c807a29bd055cb1c88ea2f5a86e1caf2ae508e9caf986acb24f19793db5e5d85e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ge2xo1wv\ge2xo1wv.0.vb

Filesize
345B

MD5
8a8a5989a3891b0b9d7b508630564c45

SHA1
dfc1064e99c5161afff231a24e31a7c260db7809

SHA256
323f2d4f28f0ae55e47f80c91ac4cb1498fca55cb02d47a8c09479e39309b5d5

SHA512
e7bb84ab94d16dd58e2a544c25bc226457bbb54d7aadd1bd5386c51a4c2d2ec7a9a6ddffbb1a5f21cd9a1916e912da6d932c35884282acd05670d96d4597b840

Download Submit
C:\Users\Admin\AppData\Local\Temp\ge2xo1wv\ge2xo1wv.cmdline

Filesize
211B

MD5
2ff533b6f0fab6daae94e64e963d81ff

SHA1
d8dde10809df26e27cbc587b8e9093950b5b3cfa

SHA256
458284479d79aa4fed8e8a998a0531cb90319ddf37429ed4881dda2cb0eb2ad2

SHA512
f817955a1c6e5c835e7a495c53a682ba2174b46ff24c917ffdab3942a918fd4d4cf503dbbcd74309ab19fcf2daa9b2a4ad545cb6f626e542a41e0a33e2687889

Download Submit
C:\Users\Admin\AppData\Local\Temp\goyieuvy\goyieuvy.0.vb

Filesize
345B

MD5
7573edb1c3da5682370e8f909d9002b0

SHA1
434c07f81dd147bbce901b5c5dac1038301aaaf3

SHA256
aa12bc90a66992a34ddff377eb6d990cd33e682317659d50ca6e17485308d1fd

SHA512
5862adea3b9c3356783b7ea40d15fb68c40d7095e540d5a06b1906a39cc6c23f30b0c00b4374bc1b0a0a03de67743b1fe97c03abcedd95ead1cab072c1f7f75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\goyieuvy\goyieuvy.cmdline

Filesize
211B

MD5
4ff8b82d1261e04e4a747c13a7512d5b

SHA1
3fd3df9b4a1eab607734a10c184b90120de41530

SHA256
fc29cc9e277c1175cbd7ecb3be0fea3dccb36f5f11c99aeb75ec56092a87b337

SHA512
6a0bb0f40600e6a7597ba230af96ce84446493030e0a3486881cf64b4162b4281c042abb21f176bd683d7938fa903057dd9e4300875d40206be927f6ebe77f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\jer334d2\jer334d2.0.vb

Filesize
361B

MD5
098d4e8d1a870ca4cd8251ff30b73e95

SHA1
142b8a81f96033edd89ef228310999f27d3272c8

SHA256
b266ba0094fdcbab4fae8b68b9b8ffdd5d5ce16a1165b79719537952b407c765

SHA512
3b5e3608f017a9ae0a7674590f212e3a91e5b2f844ce68d85a8864e9ccad2c68ce69f6a4953dbf423f1ec6bddddb1c9cb5e50ddf431dcc341720c6495e8e17af

Download Submit
C:\Users\Admin\AppData\Local\Temp\jer334d2\jer334d2.cmdline

Filesize
227B

MD5
310edb0a062681344bf29fb21af8b65f

SHA1
7214bf7e1516e22a980fbe9ffc2f25f0621c93e9

SHA256
1d54dac17455c5e078e2eedb8d59350aac192e7c339dbfd0fa1f1482fbf67728

SHA512
65d26f0670c0bac63b3941f5f1422628e2e02bc13336070c002f93133bfb4533702b3f600ca1535f4f7af6df97fa621020f611be5d21a59491033c99b1a961d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nquerp05\nquerp05.0.vb

Filesize
341B

MD5
9172ce0fad8ca295ed306f8982b31258

SHA1
a626890a3089a91b28deb4ffcdc2fe234413cd2a

SHA256
b558e113f134944024260ebaeb3106f1712aec382eb7a7a30718a9de81ef8b84

SHA512
7bedf1dc3acdfe639b23a363a96046196907fcbc4782a44df2f67ba0e275f4b6a06abd2d6906d3efac556cb869e304e03fd7848d439f04b4239234ed794404a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nquerp05\nquerp05.cmdline

Filesize
207B

MD5
5dfd6db0de55f653b1068432fea827c3

SHA1
34b343afcc181078c69476129d4828fda49e00e9

SHA256
d15dc3748d13158b6769deed4e611ede28696e71c2422f235e40c0894ea52d1c

SHA512
216dcf98f4f6d95ee95d048d402a81c63cae619aacf957b727eb20659af73f9eac6fe4e471ee4d30afbef0cde906160a2d847b6adbcca18dfde6bb3d5b77a97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oc0czcp0\oc0czcp0.0.vb

Filesize
357B

MD5
c4cbf9a1ed8203ae7894d17934819fe8

SHA1
d8bde3827c208bc0b3207ffd6ded4b503151fbd0

SHA256
a3a9033115815cae4eead0a35c86c42ff20b2c542eac08541393e3841d4f1625

SHA512
82da35fbe09e79e50ccf8adb24c1daa4104e4b5239a0cd184ffabf011f8288afdbaa48df8c8d0f0b0e77001bbc7cf3cccc54b9928b6d44852d7df516ca837892

Download Submit
C:\Users\Admin\AppData\Local\Temp\oc0czcp0\oc0czcp0.cmdline

Filesize
223B

MD5
685dbf5db5fa2d8dec5f0ec3d2c61135

SHA1
f50bdd9c5760b402b4bab5c7692c6806e19fdcc7

SHA256
b5f708a185f6e4d0642e16323d06d8e68d54d765d29758c784737378661aeb91

SHA512
efcb05c341f21d631852f39cb068df13caddeac96c310dd08e45864bf64dce8222ec63feeb14e765d23ec616639fc2366b12a062e3564d6390c179c525243470

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8366ABABF1A8426690791A9B91F4A719.TMP

Filesize
5KB

MD5
6455e9ffba59dd009b46a119ca0fe301

SHA1
ba3078d4deff1b51a10e51698c91478a88065c23

SHA256
70c27ecda95869f5aeff42844af006f13cb4fec55a3ada319ad6708da861d06c

SHA512
9fd3dedc153e31eefd17a87d58d935ef19d85019d678541067a31114e8a61aace3690f178fa1e2f69e988451b4fc7c57faaa832f2b8adc0e0f13e1cf4c6608b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAAFE1492144CEFABA5A6AF77CB509.TMP

Filesize
2KB

MD5
412dccf15536c209b91f5dbd18839976

SHA1
62d9cfd5117cfe80e492eaaf82df0ddc6d021ac5

SHA256
07dde44b7a5999333a5e1106d2e566043c50125e478c25a98c494d515218adbc

SHA512
8fa33d9794557879430b0b2551421eb45c8e06f0d0a5d0c9aa9b865336995db446c157d91d6a481224f9b92b573c5945b26a2dbaf1d078e6217300b0b3dc8bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA8DD43B437447DCBFFF9790AFF855.TMP

Filesize
2KB

MD5
460f9c2c73201ddaf923fe3420a54969

SHA1
f2c078b4850189a58a73fa3070982d69fd8c1494

SHA256
09d40c9fd267efca1c8f853c85347a6a2478546c8de7863e69626daafff5c3f1

SHA512
193c754ba83cdb02fe7045a2609ebc40b1bc3fb7cbdd7779a88c4280b26d888c31671e75f53b555d812aa02e05697bb89e6a476671929b33cf0185653a4c23c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBF21C3B726654A2A9B5E7E1E466513D7.TMP

Filesize
2KB

MD5
5dc504ddacae44fbcfc99906527a7971

SHA1
415d3e9bbf4a385fa29ec275d27115ff2fb30f0e

SHA256
fba0fde1f724e280c705880f8ee9119ad27a9d1227479132189d51cabb8d1f37

SHA512
53646fc516589f65223d0826dcbec4756243cf052825e15ec346e90218dd42b7f1be664766fb3fe8026797d65c6b7bdc096867f34e3f33a3d8a0c7625241c30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC184F6BA36D54B3690A12D40B9658B1B.TMP

Filesize
2KB

MD5
355a4c9517cc0733fd14702da69521de

SHA1
a82f21debd3bf6a236461f6199ddb6ea57e611c1

SHA256
cfde6a2f60155f6208871922538ecb09c20393e6365e61bf72fc0998113c693c

SHA512
9e06a2761a45ecd7bc2a8c9792e6e2e6066360aec047d6d46aed2e7ed44e217508348a01229023bf67d6a957947a8e6abdc772516550fb1d2e7a22b48a47094c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC544C4A5803E45339CD55A8B8DFCBD7.TMP

Filesize
2KB

MD5
6ff6650f91c40a62bddb764e8364192a

SHA1
c7818a159b4226d2171be2d04b397a137fff9eb9

SHA256
4386df5789fdd10f7535d670a48859c5dc3877decf3811e27db126a3578102e6

SHA512
ebc316954711d714f16452f6ab8c4679bdec6b9af3c9a6f1bfada5fe1494daa8ace91b4f3080a83804869f2c386cfb4783ce74cde9d5cd6af5f954455af02841

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDAD26DAA28E64CD7A6A579AC62673C2.TMP

Filesize
2KB

MD5
6a856f9842deb8ef23ae751813b82e76

SHA1
2580c84c94b31e1b2a70165a7a8cade36897f644

SHA256
c79f809d470049d6483b5944925d186740b02fd0f8a69d1f1468d564c03688a4

SHA512
c4feb29a7752fba0a27559770a14e349657d34ed2e12a85a68b73a052efecb993112201c3b4f19a8db51e44d72de63aec03e4bc679b8b9b79ae4a583c6d45f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE28B03A33F954050A51EABAFBE50F9AF.TMP

Filesize
2KB

MD5
76744ba4a12dfa044f13aaa7ec3b4291

SHA1
6b38314696c048d7155089d6e8b22b5b817ce126

SHA256
d571eae9a90237333cf0b91565e8b72cf52e8809fc3e993507369057718f5723

SHA512
3965d21d61f026785273a477e176a85f08eb3554defb47b749e469b30443204c661c37047479f36308e897b476c886bd2267c7db9b454898a2eae0a7d0610549

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEEFC29805BCB4888A7D36E5D1B578CF2.TMP

Filesize
2KB

MD5
ba71c864b7063ddc4ca3a0b0b460c36e

SHA1
f65b1433647be410949442766956103184b7d83f

SHA256
ece9db2a6c407ed82888a965a9a3472d8cd58797e21ac9428fb4632b4ec1b6f6

SHA512
ec2e2cabdf5907cd05bc6cbb7ef7b85ab30533bd67ac2a56994107fd7e9bdf30ace28f80a15e493e6f8573b603b8d89c131b60bd5d07e7fd5493b20764c23aec

Download Submit
C:\a5f1eda8760fc790760b7e5a7f56.exe

Filesize
8KB

MD5
7475ce16db22bd77f847fac01c5758e6

SHA1
dd4f0f9ea93bf034d20526babb9eb9e93647b728

SHA256
e376dea6259af5270c4e80f43afe95cc9a6f7365d8ab70fc32222d3945681ba3

SHA512
659a747fbe09c037f50626d4d82ccc5548d9453ab8693689c65b44909896b59f10498dd6b021007db6d9788816a1dfebb2ce11d031dc3d2f38b10244f6ac8eaa

Download Submit
C:\e3fdda64d5d3944e27f92d88.exe

Filesize
8KB

MD5
470cdc897d05bc4483761761ddd9531f

SHA1
c27c80aff3059f58cac84018333f898161724690

SHA256
b94a3da9448e601b50b884ed6920291b903157e246200a690a24d0e3af7b0746

SHA512
bf59d4bd3952de2f71c99050f8f55bfb49f6599e31fffe5a3a2273aace797516fd68c0ff6fe529bc316f87d4787349d6655f30f5494f314faf921580301f4e0d

Download Submit
C:\windows-delete-winpe.bat.exe

Filesize
11KB

MD5
52ffea112bfa0abab2121aa9375ac7c3

SHA1
ef55311dea75f1c9070f8b071e0483085d54c301

SHA256
2be14975e1948c43940abc8a050501a1c76db980371a0c90da57bf288aebb159

SHA512
3c3c35b76fa02665aeaa3c44800283a82acaa443a2afa55e5917dc35e2f0385cc940190d0d242b2ca49de23cc4002c0024b68d357fec9276676b0c8d9adcb4d4

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
8KB

MD5
d9d601e9ea3369dc2837f992a96a8cb8

SHA1
3da9845676a682688e8d3b5b0a01523ba8e9bd9b

SHA256
fb7685e1c7fa87e63e9d6d0ef18cabba16aa4df6855dd2fbe088aac73586261d

SHA512
f4f14ca449e9f68f60d7e9f6c0bc15600e271122f2d1104bae796bad3b3027ded56122440539f9f2e5e8af7e145e4ec02fbf5d38c1ab66922966e2161a11ccd0

Download Submit
memory/632-9-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/632-23-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/632-14-0x000000007505E000-0x000000007505F000-memory.dmp

Filesize
4KB

Download
memory/632-40-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/632-15-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download
memory/632-25-0x0000000006130000-0x00000000061C2000-memory.dmp

Filesize
584KB

Download
memory/632-18-0x000000007505E000-0x000000007505F000-memory.dmp

Filesize
4KB

Download
memory/632-16-0x0000000005A80000-0x0000000006026000-memory.dmp

Filesize
5.6MB

Download
memory/632-17-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/4452-5-0x000000001C470000-0x000000001C4D2000-memory.dmp

Filesize
392KB

Download
memory/4452-4-0x00007FFF8EB50000-0x00007FFF8F4F1000-memory.dmp

Filesize
9.6MB

Download
memory/4452-10-0x00007FFF8EB50000-0x00007FFF8F4F1000-memory.dmp

Filesize
9.6MB

Download
memory/4452-6-0x00007FFF8EE05000-0x00007FFF8EE06000-memory.dmp

Filesize
4KB

Download
memory/4452-7-0x00007FFF8EB50000-0x00007FFF8F4F1000-memory.dmp

Filesize
9.6MB

Download
memory/4452-0-0x00007FFF8EE05000-0x00007FFF8EE06000-memory.dmp

Filesize
4KB

Download
memory/4452-1-0x00007FFF8EB50000-0x00007FFF8F4F1000-memory.dmp

Filesize
9.6MB

Download
memory/4452-11-0x00007FFFA7E50000-0x00007FFFA7EEE000-memory.dmp

Filesize
632KB

Download
memory/4452-2-0x000000001BF30000-0x000000001C3FE000-memory.dmp

Filesize
4.8MB

Download
memory/4452-12-0x00007FFF9DC70000-0x00007FFF9DDF3000-memory.dmp

Filesize
1.5MB

Download
memory/4452-3-0x000000001B940000-0x000000001B9E6000-memory.dmp

Filesize
664KB

Download
memory/4452-13-0x00007FFFAAE10000-0x00007FFFAAE18000-memory.dmp

Filesize
32KB

Download
memory/4740-29-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/4740-35-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/4740-39-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/4740-38-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/4740-34-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/4740-27-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/4740-28-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/4740-33-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/4740-37-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/4740-36-0x0000029460B10000-0x0000029460B11000-memory.dmp

Filesize
4KB

Download
memory/5072-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5072-26-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/5072-22-0x0000000003140000-0x0000000003161000-memory.dmp

Filesize
132KB

Download
memory/5072-21-0x0000000003180000-0x00000000031BC000-memory.dmp

Filesize
240KB

Download
memory/5072-41-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download