60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

13-05-2024 17:36

12-05-2024 17:17

12-05-2024 16:15

10-05-2024 18:05

10-05-2024 17:48

Analysis

max time kernel
301s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 4148 file.exe

description	pid	process
Token: SeDebugPrivilege	4148	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 4148 wrote to memory of 908	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 908	4148	file.exe	vbc.exe
PID 908 wrote to memory of 4596	908	vbc.exe	cvtres.exe
PID 908 wrote to memory of 4596	908	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 984	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 984	4148	file.exe	vbc.exe
PID 984 wrote to memory of 2336	984	vbc.exe	cvtres.exe
PID 984 wrote to memory of 2336	984	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 64	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 64	4148	file.exe	vbc.exe
PID 64 wrote to memory of 4500	64	vbc.exe	cvtres.exe
PID 64 wrote to memory of 4500	64	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 2088	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 2088	4148	file.exe	vbc.exe
PID 2088 wrote to memory of 1692	2088	vbc.exe	cvtres.exe
PID 2088 wrote to memory of 1692	2088	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 2128	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 2128	4148	file.exe	vbc.exe
PID 2128 wrote to memory of 3148	2128	vbc.exe	cvtres.exe
PID 2128 wrote to memory of 3148	2128	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 2912	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 2912	4148	file.exe	vbc.exe
PID 2912 wrote to memory of 2476	2912	vbc.exe	cvtres.exe
PID 2912 wrote to memory of 2476	2912	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 4920	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 4920	4148	file.exe	vbc.exe
PID 4920 wrote to memory of 4624	4920	vbc.exe	cvtres.exe
PID 4920 wrote to memory of 4624	4920	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 676	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 676	4148	file.exe	vbc.exe
PID 676 wrote to memory of 2236	676	vbc.exe	cvtres.exe
PID 676 wrote to memory of 2236	676	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 4180	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 4180	4148	file.exe	vbc.exe
PID 4180 wrote to memory of 984	4180	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 984	4180	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 4640	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 4640	4148	file.exe	vbc.exe
PID 4640 wrote to memory of 2624	4640	vbc.exe	cvtres.exe
PID 4640 wrote to memory of 2624	4640	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 4620	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 4620	4148	file.exe	vbc.exe
PID 4620 wrote to memory of 4752	4620	vbc.exe	cvtres.exe
PID 4620 wrote to memory of 4752	4620	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 1264	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 1264	4148	file.exe	vbc.exe
PID 1264 wrote to memory of 1860	1264	vbc.exe	cvtres.exe
PID 1264 wrote to memory of 1860	1264	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 3272	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 3272	4148	file.exe	vbc.exe
PID 3272 wrote to memory of 4260	3272	vbc.exe	cvtres.exe
PID 3272 wrote to memory of 4260	3272	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 1232	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 1232	4148	file.exe	vbc.exe
PID 1232 wrote to memory of 3948	1232	vbc.exe	cvtres.exe
PID 1232 wrote to memory of 3948	1232	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 2784	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 2784	4148	file.exe	vbc.exe
PID 2784 wrote to memory of 1704	2784	vbc.exe	cvtres.exe
PID 2784 wrote to memory of 1704	2784	vbc.exe	cvtres.exe
PID 4148 wrote to memory of 4300	4148	file.exe	vbc.exe
PID 4148 wrote to memory of 4300	4148	file.exe	vbc.exe
PID 4300 wrote to memory of 4184	4300	vbc.exe	cvtres.exe
PID 4300 wrote to memory of 4184	4300	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fow0ral6.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA999.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3CEFA115BC94C7BAB7C1D7776C14524.TMP"
3⤵
PID:4596

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sn_xb1sr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc394391B780D040BFBBECE25449C85E59.TMP"
3⤵
PID:2336

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbkuhtcp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE2D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc208857CABE74D8982DCB9E332760CE.TMP"
3⤵
PID:4500

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uwmop0zd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB07F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDE09B4EC87C4DC282A1014AFAE51AD.TMP"
3⤵
PID:1692

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e6ybuwkp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB263.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF651EC4BFDD947DD91C08B9E9BA2BCD.TMP"
3⤵
PID:3148

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0xt35q1y.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB503.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C5B3A7515D24E71808F26FF326FE8D.TMP"
3⤵
PID:2476

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zeg5ke2h.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6300A93A75642E0A760FDA359F2693.TMP"
3⤵
PID:4624

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ye0hhyaa.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA4CD8E8A4B0431887AF6AD677869B68.TMP"
3⤵
PID:2236

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bwiy1v_c.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB8B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc167984B9E63D4AD9ADD42A5617B7431.TMP"
3⤵
PID:984

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ptmqk1rz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75E60CBD9E28423780E5604CB7E42D3E.TMP"
3⤵
PID:2624

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h8kdewew.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5E4E676F7484E729E855DA5BCC05752.TMP"
3⤵
PID:4752

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ewbsvknc.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC04D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9D1764D663242DBB31E65905727A576.TMP"
3⤵
PID:1860

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oh56bgwl.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC213.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA09A1DB94794783B0D490F0EBCF2D6E.TMP"
3⤵
PID:4260

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_i2dhhgj.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDAD56D84CFF43458B3AE4E874A60CB.TMP"
3⤵
PID:3948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r83srloo.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3665FB1E7EF34ABE85B419C6C4F5AC3.TMP"
3⤵
PID:1704

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-jvl3vbm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc401DF6B6786B48EBAE5B4CB6553A8D9.TMP"
3⤵
PID:4184

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8d4knjff.cmdline"
2⤵
PID:3128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc135240D3EC0D469094C554D88090877F.TMP"
3⤵
PID:3536

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c8p_k45r.cmdline"
2⤵
PID:2000

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E654BA9524B4E45B6353A344531D8D0.TMP"
3⤵
PID:1688

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-nmmli7f.cmdline"
2⤵
PID:3792

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD136.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE52A713ECA5D45BB8F1C67711217352D.TMP"
3⤵
PID:220

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r-j4c4a1.cmdline"
2⤵
PID:2188

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD23F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc680393477FCF491C931761F9929F6189.TMP"
3⤵
PID:3692

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\diun_zsh.cmdline"
2⤵
PID:2408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD378.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc38311F5AF3A34E04AEE768A89618B057.TMP"
3⤵
PID:2804

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nlfv1oay.cmdline"
2⤵
PID:3752

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90928DBA7DD446698CFC72351E6C810.TMP"
3⤵
PID:4732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mzq_0-gv.cmdline"
2⤵
PID:1008

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92A7381E3B0C4D05B3D8477968BC23AF.TMP"
3⤵
PID:1704

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1ogsapzv.cmdline"
2⤵
PID:3796

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD760.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD08C329DDEB0489F8DCF7E7CB8F43AB.TMP"
3⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\DumpStack.log.ico
Filesize
4KB

MD5
d5997b8f3f9665fe1cd7defb29cff584

SHA1
7b281c8982b042d77e7a53ce282eab7f8417adc7

SHA256
ba40f96904ef649d30f9477d2e1b770b312832ba81e6345946645c15dd4ceabc

SHA512
88f66652b43ccdb551c9e876eab1e7f0bdbf2b8c19bb9b871402e94d1e826424b917495dd3b79c228724f49d1495cd3cea49fafb7a14f23e5e1eb6a29b68871c

Download Submit
C:\ProgramData\RevengeRAT\libsmartscreen.ico
Filesize
4KB

MD5
e5e3ca9573f74e3b13b79068aec7cf79

SHA1
a1779b1830d417d2c6ca4612340ba1118678424c

SHA256
fbd9922e4f261aaa2efc66f95a58595b81d361ccb50a70cfcd05416b09e2db99

SHA512
7388c02418d255f31e5e7e1b390387b8bffc3dd56cebc7c8559880b49649b6b91e77e7a3e513644d5358167543ffced1b630a9c98f1cb307cf47fa253a54fe79

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico
Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xt35q1y.0.vb
Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xt35q1y.cmdline
Filesize
227B

MD5
8ce47fcb16a9db5e2e587867415e5c8a

SHA1
903da07fa89b56817510b79e55ff2ffbee928f5f

SHA256
e840554e26c3384e34e4ed43dcfd5de9b33e3343021a7ce797ce181aa49a9338

SHA512
50aecefa20a1c8ef7f1d7dd60b5fa8ab7e288a5baa37c7268d4ef07025d0c061114ba66ee86829610e3843478bae14f3aa6a532cd863b52dfd865b34ceb56905

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA999.tmp
Filesize
5KB

MD5
91f50318ad79950e919252d755455352

SHA1
5f81503d569f7830c01630f37c1aa5fae290c45d

SHA256
7f859c14bddf55fe07dee99b204568d448b15ed363e02aa1d6a8a8bd837a1069

SHA512
58946c9731262043c0d2ecb843bac0d490e909a52cf4b401c2ff1ca310f5ac820bc9f7df22ea9cc4f46b36e78b4c1f8498ba48ea11824630ea1cd0ff7a93f031

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC48.tmp
Filesize
5KB

MD5
63230c5477b5d799ed04769318fbf8d4

SHA1
54c7d4ca7b41a81fc491c4407628b70ec5e403c8

SHA256
595d5783ee27b98fcf85a105bdaa537dbc21b076cc0254ea81c20d7e304be12f

SHA512
e4c8bac596af0525319f2568e8ee74cf758c1d208d4ab61b4378af616eeb8b311c6394e1c69d01b1472361f9374bb1c162ee696b6e88bb16f36607f52ed23d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAE2D.tmp
Filesize
5KB

MD5
ee03ea95d64c4a638e71d76ea14fe7bb

SHA1
9a78dc0dee3b3df0045e89073850117c316e8db5

SHA256
7b6f7ea73e782a91f010d5a19b30b748c5eb7d58848053132ee771269fef2457

SHA512
b34803eac42c75cdce54ca5938e448917e9f4538d340218767a24aab03d8941d7d42b8d785f6064cce87409a28299f2c633fcac3195f2d216f9bc675455c3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB07F.tmp
Filesize
5KB

MD5
d3d44dd32b4b88a9b03f4d955574b0fd

SHA1
84de011be98421330f49ea00feb5e02d38b63efe

SHA256
6e8fdaa06af715acdea9a9147ab9e72072a543e07fa51932f1b92a2a3febb05d

SHA512
f313cd66957ecf3fa65c8ad6a91611efddbb26aab7fd8b3391a1e0349bee454a22675de57c10ba79b6bc3ec0dd444970342df45cb50938a14e2d32ffdee56e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB263.tmp
Filesize
5KB

MD5
c463d08da91f03eacb6312bd18a4e39a

SHA1
4d7df7b9ef7fd12f1cdd89970cb4efbebf1bf37c

SHA256
e375534cc3792c9b11b78135863f0bcd2ac1b1bf4bae02271e2ff4f92ffaf265

SHA512
b304f72c6127d80b35c1b89ca1960aee783b9da6efbb7136627d486f76268ac139f2813e27db5b265d238f5a95c1cd33565ef64e9b7609ef316f72eb12eaa84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB503.tmp
Filesize
5KB

MD5
0f3672c3cd7913d1d1239035400fc88d

SHA1
46f033fb8851400d81f1ba7f7d05ee1460fce734

SHA256
0dfca7485866f5ee7a27c78ff9e7827de60b4ab1601519cf65932ab5b7977592

SHA512
66ea8c2ddf75ae3665be3c936c221c06ffb7b39fb7f8bf8dedd37bc07724431917f0a23102b1cebc32253965b4c9c3c88fb8f00d2742ee3a70c8332f1b2ca754

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB735.tmp
Filesize
5KB

MD5
d76509c914965bef30c79a12e05f0977

SHA1
cecfa8d2e777504d7e6e398c7b5866e0e7d91efd

SHA256
00cb8c894d7dd6ed710c3ac8dc62736b6023eee73c0faba76673aca4cee86ddc

SHA512
3d761f8177215f14f7e2798f426a80aacbed0c62229dd0a583ab8613609a99a97ee88f15db3034bb81f91c048faa065bf02901e15074af0a4be161863b861601

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB9D5.tmp
Filesize
5KB

MD5
8a3963f69e0efbcc79d04a06064ad3b9

SHA1
f2e7c19e9ea716cd55708b7b6a8cc3680d29ebdc

SHA256
0272fbbb54a99ff8cabcf51bd4892f2c0e34e4b2f21cd886d0cf993d5336653e

SHA512
b1ade5f3c34933698917e055fd67d3495e051320437fe8bbb50c8611f1416d6ae707115a0c041ada324dd2f1ab5361bbb14bc8412b3b01a702441d07ea35f9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB8B.tmp
Filesize
5KB

MD5
4c553e2ffcd6ff13e872ba0f44c29b2c

SHA1
a951f70f537820de07423a5f429660d128a29e17

SHA256
aa8a107d70013d32cf709ebb67e4faed8dbe62f013af63dd17f63f42b27fd99c

SHA512
0363bd1bba904cf037e952fa73d178ae0f597962a19ebf45edaa482fbbef9cf9625fc8d407a6112387b72da93025ebf59d6837965704d9ef0e400f30bcb10169

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD21.tmp
Filesize
5KB

MD5
16c0647fb1619c098e72ad574411507d

SHA1
65e605fcd08011eff8bc249812ab2861cbd4e067

SHA256
cff89b6b23986ecb88419052dfc4d1b1f5493ce7379e466284bc1132724ff82f

SHA512
201685585e84552a0397a6dcd057f482ac5caea57bdc6d04eed3f3fa05899122157b7bbebe8b7e917f63999f2c1d071b88e8589847bef36ff9afcef78f51f8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBEE6.tmp
Filesize
5KB

MD5
3593a4fa296ff3ffa8302566ec16cb2a

SHA1
e4570e48ee28e51d1db7c8e8b8b89e1be87eec3a

SHA256
df9bcdb39d9cb2b1b5de3722af237657917753d7e8caee2968d09a57084bd6c0

SHA512
6eadd6729dd121a01dab80aeda3df171bfe9af9ed889f4a87b41dcfbd3548f23c1f40d86fb004f95f7fb8e38f32b0dd64d44939a438218c50346cfb491988894

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC04D.tmp
Filesize
5KB

MD5
b0159994562aceaf58c44bf844839053

SHA1
0168c9417f3d5516d00e5572958cc8105f72cce1

SHA256
7bb2e6026db2ea272bd29f9d616ee1f90a97d16143acf0e166eb13764b7eecad

SHA512
7a31f039b8a3c224f9408b7dd78b3201c5723352a48b9b51440ac1a5551539a8e0df2ff7665d69f3142405f161c622a2d4a97d0ac199b26e9c5eb8d3488a1c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwiy1v_c.0.vb
Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwiy1v_c.cmdline
Filesize
264B

MD5
297db7b1f1f31eb890bc400bc96ab537

SHA1
333059631cb89c4c8899953e192601f5ef30d59e

SHA256
d70ceadfe7d6d3d3967aceb72ec4c42dcebfdb92e09df1e6d196a73654c04eb1

SHA512
3cc1740dd0bdf65729f8075f8d1b7bc0fa53917b756b58093e9db140422bfffad42df8a73ecbf6cb0c826db8270297243d1be97f01f21e07d58329f6946bd32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6ybuwkp.0.vb
Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6ybuwkp.cmdline
Filesize
256B

MD5
0e34bc5568dfefde50903a2b322df773

SHA1
23df4619d6670adfb9f687739e3a00edd3342a24

SHA256
ad070c86d55cb5ebd81e939cfd0115fb5f3f7624a2488cc6baedccc326e397fd

SHA512
60b57388911ad41744aac0a9812b115ef9f0c775d8fa64a8cb603de30a1ecc0f6e4ca10d2851efcf15de915744c097aaf64e19e6a529a1d7b8f70d58d31a9981

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewbsvknc.0.vb
Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewbsvknc.cmdline
Filesize
274B

MD5
293db9fc94a0649586e9baabf83d7546

SHA1
39e11093c23626f4e08ee345463d0b76bbf5a7da

SHA256
796d378886acbb61f5a3e94d1e35ad92644dad494f26a762974c4720521eb5df

SHA512
aa5ffb80754767ae9507c148347db19c52dc49403206d1b358a19977a761ab6a1e1253b01f2615f7cb6a05a9944e2020256da1e2463d622ce097eaf369fc1154

Download Submit
C:\Users\Admin\AppData\Local\Temp\fow0ral6.0.vb
Filesize
354B

MD5
0619b27afb2734098e0eb2efa2bcc058

SHA1
a74b1a94a782e896c1875118427008ecd388cfe1

SHA256
6e2c6d006cfd52021216add229fdc9c52aeb3c0eb775685ef53e4eb11cf8dfd9

SHA512
b5d2c2e44ee9992b8242b0592baaadcc410dc61c718b1ed0d6d0ee9016c6f78af61a8d8492e90ec658987441c11447392c24e338406e72995c32aefefe775df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fow0ral6.cmdline
Filesize
212B

MD5
2d9456d2c9404ffe687e3f7a10b8de69

SHA1
276422e4b225174e67268038746fd32cce6e964c

SHA256
3bb9ba9516045cbd2223881a0f3d429f3c30952bd8bbe854868ed705aba84c34

SHA512
e12407e68f50221f22b441dbecc73748cf4af929bb88c14c1c3c46f2f9c1faa394f8731d5e01c938b0aaca0ae65c2b9640d080122be9b3eac0196b36af229bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8kdewew.0.vb
Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8kdewew.cmdline
Filesize
268B

MD5
7cb5ad9f3e480f4acf4cc4f7abf0386c

SHA1
e776b13f4bab8a79d74c0ba11940de2f0b7b2fd3

SHA256
758c063f134601a6cd736cec10e5afba60bd52a972151864e6e693418e2349db

SHA512
c9bf1f1458e3faef8a914327a749a30115ce536ac299ea593e1c3be66b5fd5620be3b7a4de6187e0767ce80d075f05e311b8e1fa3b24d7d418b78cfdbdb23801

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbkuhtcp.0.vb
Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbkuhtcp.cmdline
Filesize
256B

MD5
307767d9cbf75a3c8e939eaf9839812c

SHA1
c48b5fc69b4b83e1cbf597a05dd239b0e8240c57

SHA256
3dfaef9893254e16dd424a90a65ddb9f3d3da94534f680909477c447b3769d04

SHA512
bede16c7050ad1a56f09574c56b358e8f7adfdb172f21518561a1d4c84186e2dc7168537c721795cf74473d3f9ba3d2dea19d5a52330594652012ff7bd898df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oh56bgwl.0.vb
Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\oh56bgwl.cmdline
Filesize
268B

MD5
4347a6d3eef9a793fde8a236d1489664

SHA1
cb824e8bbde4df523a793121b505ee663f207fb1

SHA256
1e6b2996763943e481e361f31791b1de820a77562de942de181f2b89f08c0f7b

SHA512
cb1ba85ec06bfe47726ca531eaafe37fe7fc8efb885c3c789146bad49f09c3f0814546ac1f414dc11e7a29eb22e634f90b67a48e50079800443bdd270c719f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptmqk1rz.0.vb
Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptmqk1rz.cmdline
Filesize
270B

MD5
b97c2b21788e51ef8b15dc7cee0ce125

SHA1
10f3329b48aa364e1ca5e40799a54c07e763ef14

SHA256
d6dbfcffe089c7b2e9a91a852c3447938d01393a375fd3853d6e1a04d8717485

SHA512
a8b47031c88de5620690aa4dcab12e2a156b54bd9f80ef4c5fc1773e12288dfd8749360937915f80d9970cecf7a0e23e7925362b10201d58d62179531fe7c874

Download Submit
C:\Users\Admin\AppData\Local\Temp\sn_xb1sr.0.vb
Filesize
355B

MD5
1d5920ca826b304931c938be871defd3

SHA1
7ecc6286cca874e193ded478fe18b8f11be2b788

SHA256
9f078d86982c51c8c9425e73ec10c0d1ca0bddb592599cbfe03a9380a711e317

SHA512
22bee9ea363d5dc9e8f90613decc55000ec2872a3b4887c9b82f27c3212619238b4672362eb3add6c5c71b53adb9c1294014122f3d23fe4966a64c8eb1f08012

Download Submit
C:\Users\Admin\AppData\Local\Temp\sn_xb1sr.cmdline
Filesize
214B

MD5
2905457bb26c465fd50f38489ba1112f

SHA1
1bb07c6adeff9950ad1e330bf60a0a44980d1e01

SHA256
26296e58a48e1c59395d16ed6074147f0697f868a258d52adc27abe4c9c90adf

SHA512
eae299150018ae924e0bec8bcc6d89d6c50b95a20370bf191523dcfec3c153399d98069e6dd22fe7164cc4c433c9787b898d7c42ca9a97e9a318ab2b07f7229f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwmop0zd.0.vb
Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwmop0zd.cmdline
Filesize
227B

MD5
40b3e64afd101fb89bd648bde7739c80

SHA1
ec1bd2ae86d659ea09d57c3e98e8b7761a02a281

SHA256
a8f45e53f20a9122a707b94799312470634560480008a82339818809af0b33e5

SHA512
1ab96bf02688e96858740059e0b8319767126cd2706d068110d1e4ba40a6f0fa56623197b097ebcfb4ba7789cbd9fd2be250f80c0408eed235b2c11f001346fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc167984B9E63D4AD9ADD42A5617B7431.TMP
Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C5B3A7515D24E71808F26FF326FE8D.TMP
Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc208857CABE74D8982DCB9E332760CE.TMP
Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc394391B780D040BFBBECE25449C85E59.TMP
Filesize
4KB

MD5
0474e6df2e561a8ed76e4e5c5c979def

SHA1
0e10aaf43e738092115471ba6de2f9487028e78a

SHA256
c1564f6d669366a1900b121e3e6c131f07778fd0f6e255fd255636856b9184d1

SHA512
d9b4955c99683db380337aa93a621772b49abf2b6b288f8c6cfab2ce12d24ca81c7626a5212d34ca5af87f89aada98c8a07731ef49dbdaee40c376e11116db2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6300A93A75642E0A760FDA359F2693.TMP
Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc75E60CBD9E28423780E5604CB7E42D3E.TMP
Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA4CD8E8A4B0431887AF6AD677869B68.TMP
Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC3CEFA115BC94C7BAB7C1D7776C14524.TMP
Filesize
4KB

MD5
0e6982e79e908f1c068c4cb81eda01ab

SHA1
67001d12831c5ed15647fa0e4556ab57f22aa6f9

SHA256
11799b25d45379021e66271b74c0f0701587970768e6674b2a9aa66acd3ab3c2

SHA512
feec9d5397a2a6c3332f5f3f9410001b9b6840d3b7f596aba7829bec91c2b5e6e3cf4aaf624a90a85d5a2201bed1894504edcd470268d29835830c6a7d886767

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF5E4E676F7484E729E855DA5BCC05752.TMP
Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF651EC4BFDD947DD91C08B9E9BA2BCD.TMP
Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF9D1764D663242DBB31E65905727A576.TMP
Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFA09A1DB94794783B0D490F0EBCF2D6E.TMP
Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFDE09B4EC87C4DC282A1014AFAE51AD.TMP
Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ye0hhyaa.0.vb
Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\ye0hhyaa.cmdline
Filesize
270B

MD5
6c573e3725414c824918f13f09211383

SHA1
ef9b5b18658cde8f865841d1d4be4722b0adb6a9

SHA256
30d2599deb692991503114695ada7cc009e47bba61146444d540b52681d396b1

SHA512
8aab8cf61005137abaccce0b69e9503d725ebc26d0ff4514cd50d887b42d5b03617fc3f79f04f61a7f28a512976691c9097b20bf9bef4b3fa85ee547be5314ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeg5ke2h.0.vb
Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeg5ke2h.cmdline
Filesize
264B

MD5
4dd17c41093778986e0eef026e292c74

SHA1
15b8f46da88732d38d3c525d4886274ed5ded06b

SHA256
7d503fef733fae704b672797ad381123e437fc7a881310388fa53ba99d1d4a59

SHA512
5b7e411a8e1e561777fece782f0d732d7e623df96e7c90c40eeea35ab4ce12801152dfefcfdded6960b41ebe8a5bcffac3adf7140fa052e78e3858bd6113ad37

Download Submit
memory/908-16-0x00007FF9873F0000-0x00007FF987D91000-memory.dmp

Filesize
9.6MB

Download
memory/908-26-0x00007FF9873F0000-0x00007FF987D91000-memory.dmp

Filesize
9.6MB

Download
memory/984-42-0x00007FF9873F0000-0x00007FF987D91000-memory.dmp

Filesize
9.6MB

Download
memory/4148-5-0x000000001CB40000-0x000000001CBA2000-memory.dmp

Filesize
392KB

Download
memory/4148-2-0x00007FF9873F0000-0x00007FF987D91000-memory.dmp

Filesize
9.6MB

Download
memory/4148-3-0x000000001C4C0000-0x000000001C98E000-memory.dmp

Filesize
4.8MB

Download
memory/4148-0-0x00007FF9876A5000-0x00007FF9876A6000-memory.dmp

Filesize
4KB

Download
memory/4148-4-0x000000001C990000-0x000000001CA36000-memory.dmp

Filesize
664KB

Download
memory/4148-1-0x00007FF9873F0000-0x00007FF987D91000-memory.dmp

Filesize
9.6MB

Download
memory/4148-10-0x000000001DCA0000-0x000000001DD3C000-memory.dmp

Filesize
624KB

Download
memory/4148-6-0x00007FF9876A5000-0x00007FF9876A6000-memory.dmp

Filesize
4KB

Download
memory/4148-7-0x00007FF9873F0000-0x00007FF987D91000-memory.dmp

Filesize
9.6MB

Download