revengerat | cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe
Size

338KB
MD5

277ada55027e622cb40e0073f3bf1455
SHA1

6afe2ecf96f343a309ae3862666a348008f64767
SHA256

cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e
SHA512

ab67089fed2cce855b5b4f4cd7a2315966568fb5a1e6607f3d09173c04e685c0a3cbe8d7e3245aa484b73368c5d66826dc52e51eea81f39b1048a23a9b323a3a
SSDEEP

6144:Rwv2GhNrav9aCHQiRgkktkAvgyFvatu6REs9TBaM5O5vWNUc43:Rw2iNzCwkgkktkAI8yY6Rpw5yu

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Mutex

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/1844-3-0x00000000050B0000-0x00000000050BA000-memory.dmp	revengerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
4040	Client.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Plugin = "C:\\Users\\Admin\\Documents\\Client.exe"	Client.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\mscfile\shell\open\command	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\mscfile	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\mscfile\shell	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\mscfile\shell\open	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\mscfile\shell\open\command\ = "1.exe"	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\mscfile\shell\open\command\ = "1.exe"	Client.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2044	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe
Token: SeSecurityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: 33	852	mmc.exe
Token: SeIncBasePriorityPrivilege	852	mmc.exe
Token: SeSecurityPrivilege	852	mmc.exe
Token: SeDebugPrivilege	4040	Client.exe
Token: SeSecurityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe
Token: SeIncBasePriorityPrivilege	2044	mmc.exe
Token: 33	2044	mmc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2568	mmc.exe
852	mmc.exe
852	mmc.exe
1080	mmc.exe
2044	mmc.exe
2044	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 4052	1844	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe	85
PID 1844 wrote to memory of 4052	1844	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe	85
PID 1844 wrote to memory of 4052	1844	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe	85
PID 4052 wrote to memory of 2568	4052	eventvwr.exe	86
PID 4052 wrote to memory of 2568	4052	eventvwr.exe	86
PID 4052 wrote to memory of 2568	4052	eventvwr.exe	86
PID 2568 wrote to memory of 852	2568	mmc.exe	87
PID 2568 wrote to memory of 852	2568	mmc.exe	87
PID 1844 wrote to memory of 4040	1844	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe	92
PID 1844 wrote to memory of 4040	1844	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe	92
PID 1844 wrote to memory of 4040	1844	277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe	92
PID 4040 wrote to memory of 5112	4040	Client.exe	93
PID 4040 wrote to memory of 5112	4040	Client.exe	93
PID 4040 wrote to memory of 5112	4040	Client.exe	93
PID 5112 wrote to memory of 1080	5112	eventvwr.exe	94
PID 5112 wrote to memory of 1080	5112	eventvwr.exe	94
PID 5112 wrote to memory of 1080	5112	eventvwr.exe	94
PID 1080 wrote to memory of 2044	1080	mmc.exe	95
PID 1080 wrote to memory of 2044	1080	mmc.exe	95
PID 4040 wrote to memory of 2576	4040	Client.exe	96
PID 4040 wrote to memory of 2576	4040	Client.exe	96
PID 4040 wrote to memory of 2576	4040	Client.exe	96
PID 2576 wrote to memory of 4464	2576	vbc.exe	98
PID 2576 wrote to memory of 4464	2576	vbc.exe	98
PID 2576 wrote to memory of 4464	2576	vbc.exe	98
PID 4040 wrote to memory of 5044	4040	Client.exe	99
PID 4040 wrote to memory of 5044	4040	Client.exe	99
PID 4040 wrote to memory of 5044	4040	Client.exe	99
PID 5044 wrote to memory of 1048	5044	vbc.exe	101
PID 5044 wrote to memory of 1048	5044	vbc.exe	101
PID 5044 wrote to memory of 1048	5044	vbc.exe	101
PID 4040 wrote to memory of 3448	4040	Client.exe	102
PID 4040 wrote to memory of 3448	4040	Client.exe	102
PID 4040 wrote to memory of 3448	4040	Client.exe	102
PID 3448 wrote to memory of 3980	3448	vbc.exe	104
PID 3448 wrote to memory of 3980	3448	vbc.exe	104
PID 3448 wrote to memory of 3980	3448	vbc.exe	104
PID 4040 wrote to memory of 4680	4040	Client.exe	105
PID 4040 wrote to memory of 4680	4040	Client.exe	105
PID 4040 wrote to memory of 4680	4040	Client.exe	105
PID 4680 wrote to memory of 4712	4680	vbc.exe	107
PID 4680 wrote to memory of 4712	4680	vbc.exe	107
PID 4680 wrote to memory of 4712	4680	vbc.exe	107
PID 4040 wrote to memory of 4272	4040	Client.exe	108
PID 4040 wrote to memory of 4272	4040	Client.exe	108
PID 4040 wrote to memory of 4272	4040	Client.exe	108
PID 4272 wrote to memory of 544	4272	vbc.exe	110
PID 4272 wrote to memory of 544	4272	vbc.exe	110
PID 4272 wrote to memory of 544	4272	vbc.exe	110
PID 4040 wrote to memory of 3912	4040	Client.exe	111
PID 4040 wrote to memory of 3912	4040	Client.exe	111
PID 4040 wrote to memory of 3912	4040	Client.exe	111
PID 3912 wrote to memory of 4728	3912	vbc.exe	113
PID 3912 wrote to memory of 4728	3912	vbc.exe	113
PID 3912 wrote to memory of 4728	3912	vbc.exe	113
PID 4040 wrote to memory of 1584	4040	Client.exe	114
PID 4040 wrote to memory of 1584	4040	Client.exe	114
PID 4040 wrote to memory of 1584	4040	Client.exe	114
PID 1584 wrote to memory of 664	1584	vbc.exe	116
PID 1584 wrote to memory of 664	1584	vbc.exe	116
PID 1584 wrote to memory of 664	1584	vbc.exe	116
PID 4040 wrote to memory of 5020	4040	Client.exe	117
PID 4040 wrote to memory of 5020	4040	Client.exe	117
PID 4040 wrote to memory of 5020	4040	Client.exe	117

C:\Users\Admin\AppData\Local\Temp\277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\277ada55027e622cb40e0073f3bf1455_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\eventvwr.exe
  "C:\Windows\System32\eventvwr.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:852
- C:\Users\Admin\Documents\Client.exe
  "C:\Users\Admin\Documents\Client.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s0sjudwi\s0sjudwi.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E41E2C2764748ADB7C127E82D8B8EB8.TMP"
      4⤵
      PID:4464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\41hoomqy\41hoomqy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA004.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3D7D56A69F84C04A5166F0DDE8C8F5.TMP"
      4⤵
      PID:1048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ua0rszzd\ua0rszzd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2185DC84BA4C4CF8809330AB63784FE4.TMP"
      4⤵
      PID:3980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r2pb4chf\r2pb4chf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA14C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E6D35E236D840FB9DB4A22AD8B4B3EE.TMP"
      4⤵
      PID:4712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxbuwjif\yxbuwjif.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFDF27902AB74A21A196D3B0A36FAFF.TMP"
      4⤵
      PID:544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ebvr5w4y\ebvr5w4y.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA294.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41E766ACE28B41EB9DDF73DF9C987CBB.TMP"
      4⤵
      PID:4728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cib3fmww\cib3fmww.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA36F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF5C471CC4249D09F582D376BB97CA.TMP"
      4⤵
      PID:664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4p0vojjo\4p0vojjo.cmdline"
    3⤵
    PID:5020
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA41B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5EE226FC52544A5B912B0E1649219E1.TMP"
      4⤵
      PID:2236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n2pqraqv\n2pqraqv.cmdline"
    3⤵
    PID:4864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33098B3E4CC5410AA3CB9DC3ACAF9E9A.TMP"
      4⤵
      PID:2804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\20lyl2bk\20lyl2bk.cmdline"
    3⤵
    PID:1656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA572.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE458A7877004D6E9EC7997A9839C.TMP"
      4⤵
      PID:3292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0lpul05m\0lpul05m.cmdline"
    3⤵
    PID:3196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA60F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC756AE3E254833842AE4BF2AD3E577.TMP"
      4⤵
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0lpul05m\0lpul05m.0.vb

Filesize
289B

MD5
956fdc95bdca3de2ed6cc80606048f9f

SHA1
6c8e5de2c9de74f8fb278ca453d3354f4d342f35

SHA256
0e23c8f93c74005d1e04d0de0e20d004fd22dc646f0891a52a897cf8337f3144

SHA512
22c79880ada88ebca041e5badc87dffa44ffd90b8a56f1d4d1dc430b0d6c81d36ad542cb20addfdea431a4c47413a5c8955b97224fc9632307b97d005d3ce83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0lpul05m\0lpul05m.cmdline

Filesize
188B

MD5
41c054ae21c33f4e0004bf966a66d6b2

SHA1
bbef8ac28bed35c12020b05cc287b68393bb675f

SHA256
1188d83e0b8de4d9fcef6742158d5304ee8c01e77c46b1f79aca92f9a52a174a

SHA512
f2b9f306edb4c60d9d3fc1264ce117e6fa5a232bbb7a820325fde8a088cc096044d7e2ea71a7567a1ba7d09b2855b9b2d7d57a16df87d1f2e9d93c5c1c448da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\20lyl2bk\20lyl2bk.0.vb

Filesize
286B

MD5
94754b77cc54cd9d3b5d72d59125921d

SHA1
8150666495927144805f03554fd33b926f5c8b97

SHA256
d706e2c7fc2c298c545659fd02167f66d1765766bbdb0d05cfaa2131640de819

SHA512
ba8b61690b829e1799e7299efd6d5318c1b7637942b45124f8b417078ff521e9b105807f552c2501ba489c6a562b5b5d1eb393f5d5c1c0f2ed70185f46cca2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\20lyl2bk\20lyl2bk.cmdline

Filesize
185B

MD5
0dbeded42f30f0244733e8ae78451e52

SHA1
ce611562b6bf319214e1c624ad19540c6b01cb29

SHA256
6af61c122eab71ae2ae1213c9ea0b868b60c818ecf24a4d246db28130194472b

SHA512
356e18d9f4b729cf2d32987d985a36d3b56071a218962ee83a89cb890dd2b74123d178998e40b26ece8a17af62db9e06b99566df72699b58a4fc029aa478d2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\41hoomqy\41hoomqy.0.vb

Filesize
272B

MD5
3ded0f0ff6199a06bd7bf4b5082b2d22

SHA1
410b41fca47a9c1ace37be6a8da271e407fb3924

SHA256
47e47f2e38695f8112e0f2d71768e450f8899c7697d20d0647e6513adf755abb

SHA512
b3ba84c531fd823963ca949a936c3ab8ed2e1e8c55876ccf7175aa3a72d2480e1c256a0ae46d0683d828309954dfa9e9c2656eaec1d698cd783476697020a483

Download Submit
C:\Users\Admin\AppData\Local\Temp\41hoomqy\41hoomqy.cmdline

Filesize
171B

MD5
fc35f9d72bf2e21d875ef2a46eb2f4e0

SHA1
1813c02bd310e552dca2626c29935d9a7d201a44

SHA256
e39fb02bca7428452ebefa804cd89a1b194bd9f84620dac513ad483724b2f0c8

SHA512
c835cba246253a2d18d04721bc4f7fa16b67b2771045e99241b81c16469e40c1feaee679cc3d4615cf087a5047639c03e4554d77c3bc794c0d388ea4db4ae7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4p0vojjo\4p0vojjo.0.vb

Filesize
290B

MD5
80ab6c592ef5a7d914082beb04afaf79

SHA1
1fd3f79448784eaebfc653ead21b773e3f9d28e9

SHA256
89f1ff73fd1198aec014f23b7b92dbdb65fd9d2a572452b4dfae05938666c2c8

SHA512
9bfa9a84f7517cb1df518692f030315bcfb868181cd8dc507eac77a01aca45623af746f839df581866bc2ffdbe3eb48bd0b3e9392f60b99e0b9bd6fcb9a5d4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4p0vojjo\4p0vojjo.cmdline

Filesize
189B

MD5
f7d1cb50e63bf48f9881373224a7dae1

SHA1
54bc8cac22dba05a7b4437a345fdbb9bf5c73c49

SHA256
c443c3b30f29963a7958600982f8be5a5a4028e29780b4dfe008ab9081301e9e

SHA512
a52e7ea371ca3ba0a6efe8d9350da510e34bf67ad8058f9739b6a71f491f6abb6f47549971793fbbb7125eccd2567ad42c260609db5c209c4ae6bbb8383ddb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F48.tmp

Filesize
1KB

MD5
df063191bfbae0cd730454612027f209

SHA1
95c8822706690e37160f094b3ab394c89a510683

SHA256
8c9f7da17e21827a9a3a27c1b7478b3757ed26ea6af34786471738c2d5f80747

SHA512
c3d85301afb62c626187cba1d3982366ef33b033a566342ad093fc2e42f99055941cf7663c62aa1b037771bc5509eb6093e55497192702067d93cc0db02c771a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA004.tmp

Filesize
1KB

MD5
db1bdf180659cc8b96df8820f01d1463

SHA1
b0743e8675071a01c9f636a0006e7d51aa3e3157

SHA256
c32d33490977f9314e2534a538079b9b4b5d71a500758a4f8a87dc250ad48525

SHA512
82bf6ccbdf7c8307a82c318b622eb96ad173c192577d1782db0a9f95613581a27a8fe172f930a70e1279a84f2f7318080b3c1c5fc1f05ca739b193ad4215b2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA0B0.tmp

Filesize
1KB

MD5
6a5270ca6d028d416d807354180ec3de

SHA1
30f367e1b99acb6336d7cb93d22140df11547967

SHA256
8e7f29393eca265519764ea148a700112dce0a970a9f3d79bcdb1f70b68ba177

SHA512
37f364b4eecaf01c4f03f6ff8e0136bec50dd6af1ea0c5c81398ccd12e383e4ad9a1b0ac6379471e163fb5c8a486c393d9a66f0c44c00782c1c43b82a2143ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA14C.tmp

Filesize
1KB

MD5
b7b16e06ec91836ef991385e80ec811e

SHA1
89571a84abfe122b92a57196fc392349f4ecc1bc

SHA256
151a4459a72cc9314232df61fc53353f3738b6f6928dbcb57a5bf193a33594cb

SHA512
46848118019c85ced2e5b2f51ef7d4f0b528a908f52b736c49fa99b71fc3c9bc83b02fec8b9680549098332d8a66c75a48a570cb7060811cd7f9a38f508036fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1E8.tmp

Filesize
1KB

MD5
fd3ecb5b568c7eab87bb04792b1de7b1

SHA1
c25325488d2f25c8c528143ab11e6f482a3cd531

SHA256
bbb750d0605abc53efec0e4af77d9ba25e523296141a5fa5d392bbebc2efb94c

SHA512
e37f9ae0211b1268336de5ecedec1d0998313b1a4550134de9edae35d05e929283375a65d1131ab29c83ea7747b86a586a813823f8807cb71d6c19eb92e8525d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA294.tmp

Filesize
1KB

MD5
e0a650aee617c296a9515f6afebee482

SHA1
152339b70801cbda26c5341c7f66dccfc655fcb6

SHA256
0f63a2df6b6b625d12ec4a0d6dab65b3767f98b51330167f67dce22b3db53e5b

SHA512
4e5c138dc3086f70d7d72d21b716000e30666e69abcbef36989519ad212d9b305c02330ef0a9b17557de27c4eed9ed31a9927beb8e894969c77955badeb66fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA36F.tmp

Filesize
1KB

MD5
4becb021b53b926972d118611e18d309

SHA1
71f0a5e34585f63b54f6d8f0ba69e524d0f0a498

SHA256
760940584624bce0d18260431505a481adfacc6cd281d23dff36a8974ae39eaf

SHA512
ca7cb4b713a45566837ad329ba3408b54ae64d8147a12c4dfa6849c13500f1b36695d09a618d68ced8a87daa9e865070a5c81c9c8622373bd8e438d630fb6473

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA41B.tmp

Filesize
1KB

MD5
4c178fdcb10a49f722481c9c0bec1925

SHA1
d6ba4f06333330a4ed2ddce1778f1cdc388066ad

SHA256
4c1efcfa48d1bf76abdca6b93d452848670929850fec2acfe1047c9224dea0fe

SHA512
94f1db8f138e7d5a5df5c90a08eba5803c5dca2e17ca09b20b1159873181e81994d3dd83608341943b0380dc3905bc55458ec9dde1554b53162b1f664868016f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA4C7.tmp

Filesize
1KB

MD5
6c3559726c8043b55e5963594f538b02

SHA1
4028af003765ef16aaa15b7921f8016255fb8f20

SHA256
41496f9ec45d8f16e2eb3ed0ea547b8d2d39fc888f5733e9e7fd6adac7d09591

SHA512
1a58d3aecd2abff248314f9153ec78da382dd7d536b62f7e72417af5c90b147bfccaddd57014badb34823dbdb24fb2cb9dc4bc31d1b623bcba0113f8cb4cb269

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA572.tmp

Filesize
1KB

MD5
b6297b277088761f1dbe5fb31646b873

SHA1
e27d75c9599bf9ff89859f3b27f5bd600aeca10f

SHA256
576b0d3baa8258c2b904d4a6e81af1443237e4425aa48888619526e41714dd55

SHA512
1bd740efa876117586c41da07e9843268ad82d69917a885b5d03ffd5e98b812bb124d5908d6016cadbaee737ec50b7bf18e6476a2fa4e7e26a43c9872f0a7ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA60F.tmp

Filesize
1KB

MD5
33930ca69934f97a6dd1ae9e6086e661

SHA1
309369da780b8a08834796d026441e2d78d8e89a

SHA256
58114e8171f41164f7e8cb12661aa1527072a570ed25cc5c61f5c6047a22a48e

SHA512
5494cfe7ccd8d9aed3ab357c57dfc4b997dc9db086da329b50b4a7bc01c436b3af0e90ce96189c7067352157410fab7ac5ba60e0fb6e4ea05a4e0e3fca5a2999

Download Submit
C:\Users\Admin\AppData\Local\Temp\cib3fmww\cib3fmww.0.vb

Filesize
287B

MD5
446000b2d5b86c061cb7dd858aa26170

SHA1
f70791509faca9cac2b4054f9e2202e46625e036

SHA256
eeba28ce662bc9eeb7e36be3e678548efc188bf6c9f9ab1e7cb0471767fe7482

SHA512
696395b13955cb2b67d067c5b966bbf3d80337e6e7ef2db43b3ad9b63036e03c08240b72701753685c3a1dafc888be472ffcd552c52ea95ece0591ea8dda8025

Download Submit
C:\Users\Admin\AppData\Local\Temp\cib3fmww\cib3fmww.cmdline

Filesize
186B

MD5
82f3d51923911887c27b64ce156a5455

SHA1
f37a2a5b63ded7f2dfbc66aa9397694cf6a0b4a8

SHA256
2dc10045dcac89a70632f891046bc4ff6fbff5b1e5283e2ac0e837a3f42a9aae

SHA512
13fb1ba3cdc8e5a968bb171650b286f4687c5b8bee8ce346f4654d1cc6a177ba1da6a99f0efb720ea104679991b9325e579d8f0fcce5bc4fe41b7a3e8bdf8147

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebvr5w4y\ebvr5w4y.0.vb

Filesize
288B

MD5
61ba4aefeee838d2b3a8ef0921c69e5c

SHA1
f85d7d5b8c2ffc0c456305faf17691ada8b29940

SHA256
eded585391461033f4f6b73b037a7e042cd07db6e4f504fb8da36161cc926a09

SHA512
86f738c53cdba2d6dec2c64e6384de71108ba5e8cade8e28861286798190c7870d55b93ef69c29ad1a2c6d6e57e1b6c65ff4f3f40fec1a6203e4956114e7506d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebvr5w4y\ebvr5w4y.cmdline

Filesize
187B

MD5
8db5640d8d2587e8d37eaa748a918e14

SHA1
c65da78836a6c63109ef57d43fffc47094ce600d

SHA256
a0e54ab24d424e61ac3157585c885ef76bd9198413154c563270ad35179d16a6

SHA512
70801fca7044761f0b189863b2f186adda20fb07c7179481be48d50c61366ffb98fcaa86ad6871f66baf0437b4e246fe4e5962ecb8f85f02228b000ec9b4463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2pqraqv\n2pqraqv.0.vb

Filesize
280B

MD5
59be267593d27f2e4e00c2d89787861f

SHA1
356eaa2e28a2b894bd3bb785240e86e70b487707

SHA256
82a97001375fa8b450bd47c915112533061345c113d96e34f08edc2d83192d5a

SHA512
9019ab34b8636fdf4ccc0ef007d02870337bf45ade511885b9f2edb06d382241e8e974c9aeaf206b8b6a56bc032b680bcd727d61994c86bb8dea7ada6cc83e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2pqraqv\n2pqraqv.cmdline

Filesize
179B

MD5
3c63afaef139b19b66cc2c39fbee9507

SHA1
7b5c3fd9644fb31889b06839706d0ecc12da0638

SHA256
ffa346a147c50e16ab9e6d3ada1aa0a591e5933eba23bf4f6fe1f3889f636599

SHA512
b38615aafbfb19f7f96dfc5715e70156ef4064b21253bf281cf992430647adc5e7a299104c6e41d14acd583efac35e5cc9d5bc94d9ff57a0d5e8fa04d8af92f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2pb4chf\r2pb4chf.0.vb

Filesize
279B

MD5
68593e3a9b1420cf3e7b993b3ab48fe2

SHA1
71f6c5c43d93a34e2a5e5e33d3030d65b761d1f4

SHA256
93dae1810e08062ef835295c012e925faf1a192eaf9ea98eab35b140fc4c87ae

SHA512
28ec7524d4f85f99ff2df16864f49589e6b7945a922aa0c0a92a38c3d00876ec596e9a594d47e4dc4865d63ded2c1dffe26ab5452164d4586532a720cad04b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2pb4chf\r2pb4chf.cmdline

Filesize
178B

MD5
daddc53b345c9347e96c4b9c9cc460df

SHA1
2a3c929b0f7f1cbf70cd19efd1363a98add74a40

SHA256
2530b9c3aa9f9eb950c0de80bf13f3309ba6606dc97f418e252b7285d6739794

SHA512
56bd87565a79e948beefbfd63b543b4c4a051828334050a3e7b07e4ba6afda7811c42db6cf853a0b8c8b352c41bf16ac236e451ac73625f30f57c6962c7280ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\s0sjudwi\s0sjudwi.0.vb

Filesize
145B

MD5
2efc398081e9dac508a418b532fdf22d

SHA1
8ff7bf728efc7926a18bc6d6068ab6a8320d9ed5

SHA256
22e5770a963de78edc5fb2d895266195264d1d5cf73c470fd5d292617cae68d9

SHA512
593b580814861ec94dd314871a6f3f13d31f972042c744b49ca21597ff726e6ccd3070fd6faa01a4bd374317b24e784a08c990793989e9e07531d8f598a8d8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\s0sjudwi\s0sjudwi.cmdline

Filesize
203B

MD5
93580fc392e7cbe1799e9087ef95a38a

SHA1
effd42831d17e527869e3cd112bf150c02007fdc

SHA256
7883c1b5ef61f06817a2f30f9dc124ec5c2ae8c94192d5e5761e5e335066acaa

SHA512
ed7742d3c2794a68abc1ef8a5f4136d8778d0a8e886e6e961d6200c02874a2d9dc87acc3f09f5e8cb9898f0c3894fa9b0e827f9f0a811fc1ffcace9dc7115cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ua0rszzd\ua0rszzd.0.vb

Filesize
278B

MD5
c877cde41a92786f7c4f5e5b0e812969

SHA1
25f7fc4679ee062c2b25ac39d0354eedf1e264df

SHA256
e77ca275b6f68230d86e9abcb2c22d926aa6d41a288b6047dd47e63d8e0d06f8

SHA512
59d2bd08f128fd724f15f1bfa459c12c51f9074e07cb9da7ee2a7aa417db9fb45c2e78c616b77584e327aa5770a50fb76ef1f82b7df278acda6a32528636998d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ua0rszzd\ua0rszzd.cmdline

Filesize
177B

MD5
fd8f4cfed988eb05cfcbade498aa3594

SHA1
544e406f6b9f783c8fad2e219d0771320c819516

SHA256
588fbb44109b54509cbff6960a355e06119c50ff8e622c2eb46189c1341129d1

SHA512
ee859af091c60c8d835645f958d3e85432de290b32c3500344344ee8e8e2cd6978b8c72bcd2ea0475699c27057f0d6d4581460206804df254b3e14c6ad5aafdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E41E2C2764748ADB7C127E82D8B8EB8.TMP

Filesize
1KB

MD5
f79d4f009ed12db358d8ac93f0804345

SHA1
163b7cfe02be73d9602f5a9387dc7dbe7e9000eb

SHA256
0b353fcca887a01a42a8d5348301f6fbce2519850676b8e8cbbd5a710975848b

SHA512
beda88dc76f7fe331e5a6d0b10a8dbf1c389300e405f6bd6ccef81067d2bb260b9ba993675562a7ea1d274960ffb9cbf26aa695576524eff07143c828ae2edac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2185DC84BA4C4CF8809330AB63784FE4.TMP

Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5EE226FC52544A5B912B0E1649219E1.TMP

Filesize
1KB

MD5
24218d2d116d5c470e34a5da0f5ee7c3

SHA1
b6546a2bdb8ce0b664100214b63371cc75187132

SHA256
0604323dfcee505a3199d0029fbbd0ae4768a59dc14ca8fc75b6ea3b3c850063

SHA512
7c08cd603e78c633c8e9eba12094d92d32238b565caa15b96f7d554eae67e4556aba9aaad544e0eb5803519428c8987a404b4a680917be4e00ae82a9d8e7cc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E6D35E236D840FB9DB4A22AD8B4B3EE.TMP

Filesize
1KB

MD5
369b17d06cfd628bfe04b3f677d21526

SHA1
b9d23c0dc5467f73fe2331eb584bd0c40b129d0e

SHA256
e95b4b80f5fad8e923641d423ecb96b591a208f2f898846cd9ef107e2cd7c2e7

SHA512
00826786585653c66a434589d0e231c9f37f055b642867faa2ca8cd735a138b5d38eeddf985d268b822cbdc29916f5993fde5bb1b7ef9395710d75f1d49230bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC756AE3E254833842AE4BF2AD3E577.TMP

Filesize
1KB

MD5
d7d9f8d1ac18d21666caab1c2340838a

SHA1
a33791468a096f2ecd0b9d46a3550879ddb20b6b

SHA256
5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce

SHA512
2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD3D7D56A69F84C04A5166F0DDE8C8F5.TMP

Filesize
1KB

MD5
32060b25f1b853322f55b00e646349eb

SHA1
3f48939a11387738bbdaaecf03302bf210653b11

SHA256
49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c

SHA512
db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxbuwjif\yxbuwjif.0.vb

Filesize
287B

MD5
8a2dac246dd9e9093ee68aaf51c9c3f7

SHA1
27d2bfc9c43f476cb6c29da331b13856ed7245d0

SHA256
0bfc4fb2ac8b9be3783367f93f1cd0cf81d85187139e1baf7d155c6c313e12b3

SHA512
f5b8d32caf9cd783489700b970634b494b123ace0a6e79341f05c4b5ee3c866b1990514604b7d1b486316424a083cc92209699265bf30bf555560ae0846742a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxbuwjif\yxbuwjif.cmdline

Filesize
186B

MD5
4374b112ae94dfdc7bd3ca7aba0dbb60

SHA1
b2bca539e56b410cfbd0f0d1da1e6452ad043ec3

SHA256
b3d41f911925213c40cf45b2c46551083e300406491a24879033821a88dfea91

SHA512
1993b28383221d6159f3425350df03ecade7cc54d9fb0b26cc1fa2419b358381f14f82b6442df2e538956ff710be3af3b77ce0e6dbfe57583e87d19c33bbdeca

Download Submit
C:\Users\Admin\Documents\Client.exe

Filesize
338KB

MD5
277ada55027e622cb40e0073f3bf1455

SHA1
6afe2ecf96f343a309ae3862666a348008f64767

SHA256
cadf2258eea6660cb234b885df194018c793f274264e40ef95b233eb0933600e

SHA512
ab67089fed2cce855b5b4f4cd7a2315966568fb5a1e6607f3d09173c04e685c0a3cbe8d7e3245aa484b73368c5d66826dc52e51eea81f39b1048a23a9b323a3a

Download Submit
memory/1844-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/1844-8-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-7-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/1844-6-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/1844-5-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/1844-4-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-3-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/1844-2-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/1844-21-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1844-1-0x00000000008D0000-0x0000000000924000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads