revengerat | ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe
Size

67KB
MD5

8f5d2e6c2fa3d1e8e10060524ff1d085
SHA1

add5129da13dcfaf912dd81a908cd464509a38c7
SHA256

ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413
SHA512

2e8ece0ad58abc64bb9182843eaa5427f3303f33630823c43b3fd0bf3af096c0ebc81b746a2be410fd8ef7152dd1b903680536cfd77a5e21a774dc10b5c9abea
SSDEEP

768:MeGmGNASzgONow+FdYvIbj4TBA9wM+LzapzgGD23SrzY2h2TiZVFcrFK:xJoAirQ2cj4TBA9wM+H4kGD23SoKCo

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0009000000023499-23.dat	revengerat

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.exe	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.exe	aspnet_compiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.vbs	aspnet_compiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.lnk	aspnet_compiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSWebHandler.exe	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
2016	VSWebHandler.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSWebHandler = "C:\\Users\\Admin\\AppData\\Roaming\\VSWebHandler.exe"	aspnet_compiler.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 1008 set thread context of 5072	1008	aspnet_compiler.exe	96
PID 2016 set thread context of 528	2016	VSWebHandler.exe	102
PID 528 set thread context of 5040	528	aspnet_compiler.exe	103

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe
Token: SeDebugPrivilege	1008	aspnet_compiler.exe
Token: SeDebugPrivilege	2016	VSWebHandler.exe
Token: SeDebugPrivilege	528	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 2936 wrote to memory of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 2936 wrote to memory of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 2936 wrote to memory of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 2936 wrote to memory of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 2936 wrote to memory of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 2936 wrote to memory of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 2936 wrote to memory of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 2936 wrote to memory of 1008	2936	8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe	94
PID 1008 wrote to memory of 5072	1008	aspnet_compiler.exe	96
PID 1008 wrote to memory of 5072	1008	aspnet_compiler.exe	96
PID 1008 wrote to memory of 5072	1008	aspnet_compiler.exe	96
PID 1008 wrote to memory of 5072	1008	aspnet_compiler.exe	96
PID 1008 wrote to memory of 5072	1008	aspnet_compiler.exe	96
PID 1008 wrote to memory of 5072	1008	aspnet_compiler.exe	96
PID 1008 wrote to memory of 5072	1008	aspnet_compiler.exe	96
PID 1008 wrote to memory of 5072	1008	aspnet_compiler.exe	96
PID 1008 wrote to memory of 2016	1008	aspnet_compiler.exe	100
PID 1008 wrote to memory of 2016	1008	aspnet_compiler.exe	100
PID 2016 wrote to memory of 528	2016	VSWebHandler.exe	102
PID 2016 wrote to memory of 528	2016	VSWebHandler.exe	102
PID 2016 wrote to memory of 528	2016	VSWebHandler.exe	102
PID 2016 wrote to memory of 528	2016	VSWebHandler.exe	102
PID 2016 wrote to memory of 528	2016	VSWebHandler.exe	102
PID 2016 wrote to memory of 528	2016	VSWebHandler.exe	102
PID 2016 wrote to memory of 528	2016	VSWebHandler.exe	102
PID 2016 wrote to memory of 528	2016	VSWebHandler.exe	102
PID 2016 wrote to memory of 528	2016	VSWebHandler.exe	102
PID 528 wrote to memory of 5040	528	aspnet_compiler.exe	103
PID 528 wrote to memory of 5040	528	aspnet_compiler.exe	103
PID 528 wrote to memory of 5040	528	aspnet_compiler.exe	103
PID 528 wrote to memory of 5040	528	aspnet_compiler.exe	103
PID 528 wrote to memory of 5040	528	aspnet_compiler.exe	103
PID 528 wrote to memory of 5040	528	aspnet_compiler.exe	103
PID 528 wrote to memory of 5040	528	aspnet_compiler.exe	103
PID 528 wrote to memory of 5040	528	aspnet_compiler.exe	103
PID 528 wrote to memory of 3200	528	aspnet_compiler.exe	112
PID 528 wrote to memory of 3200	528	aspnet_compiler.exe	112
PID 528 wrote to memory of 3200	528	aspnet_compiler.exe	112
PID 3200 wrote to memory of 4412	3200	vbc.exe	114
PID 3200 wrote to memory of 4412	3200	vbc.exe	114
PID 3200 wrote to memory of 4412	3200	vbc.exe	114
PID 528 wrote to memory of 2760	528	aspnet_compiler.exe	115
PID 528 wrote to memory of 2760	528	aspnet_compiler.exe	115
PID 528 wrote to memory of 2760	528	aspnet_compiler.exe	115
PID 528 wrote to memory of 2796	528	aspnet_compiler.exe	117
PID 528 wrote to memory of 2796	528	aspnet_compiler.exe	117
PID 528 wrote to memory of 2796	528	aspnet_compiler.exe	117
PID 2796 wrote to memory of 2188	2796	vbc.exe	119
PID 2796 wrote to memory of 2188	2796	vbc.exe	119
PID 2796 wrote to memory of 2188	2796	vbc.exe	119
PID 528 wrote to memory of 2376	528	aspnet_compiler.exe	120
PID 528 wrote to memory of 2376	528	aspnet_compiler.exe	120
PID 528 wrote to memory of 2376	528	aspnet_compiler.exe	120
PID 2376 wrote to memory of 3040	2376	vbc.exe	122
PID 2376 wrote to memory of 3040	2376	vbc.exe	122
PID 2376 wrote to memory of 3040	2376	vbc.exe	122
PID 528 wrote to memory of 4968	528	aspnet_compiler.exe	123
PID 528 wrote to memory of 4968	528	aspnet_compiler.exe	123
PID 528 wrote to memory of 4968	528	aspnet_compiler.exe	123
PID 4968 wrote to memory of 2304	4968	vbc.exe	125
PID 4968 wrote to memory of 2304	4968	vbc.exe	125
PID 4968 wrote to memory of 2304	4968	vbc.exe	125
PID 528 wrote to memory of 1316	528	aspnet_compiler.exe	126

C:\Users\Admin\AppData\Local\Temp\8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8f5d2e6c2fa3d1e8e10060524ff1d085_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
- - C:\Users\Admin\AppData\Roaming\VSWebHandler.exe
    "C:\Users\Admin\AppData\Roaming\VSWebHandler.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\esdcyps4.cmdline"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8728.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6ABEA8810F040F190E15AFD3DA5BA0.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 30 /tn "VSWebHandler.exe" /tr "C:\Users\Admin\AppData\Roaming\VSWebHandler.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u4tr0xy2.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8795.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CEDC2F2544C4E9A8851CD5C347BC1F2.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uq1eajai.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8831.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE372D6FAA7B48CEAE30F94F20F6360.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zbxmfuh_.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8EF82DB8E8354EC3AE06030989A4EB.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xpicgopa.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES891C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE677EDE7A2C4A6D8D422A8B2AC0FCF1.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\idyhld44.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8979.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FB18AFB15F4E26ADA19EA2DB69717E.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aujidq6y.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:872
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94D0D200220F48A3B72B2427984E04.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\euohg5br.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3463DE15E674914AB802E9845698A3F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wjuo7ei3.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3CFB629CF45B4D9AAF8F89259861A2A4.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tclxpgrg.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc909B3B31EC9A42ECB8835CC94FF89722.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pygny6mm.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D52F6D5F94842DB8346BCF391AC31D4.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
213B

MD5
542799505971e4b49beff1e58bfa61cb

SHA1
7a3939442a6a4f209fa8f5a6246eeb6d29621596

SHA256
af4e0cd2feb1b66da325e63c2b0f6245996c056b3707b8dd6b35b9f20b92c78c

SHA512
c07e2e000dd30566a394b171e0cf0927bc65c07b90825c688804f2b73ae1af70c30ed255a1ccc679a979dc4bd96bcb537ff69723aada4549fa81fe8657bc6a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8728.tmp

Filesize
1KB

MD5
882a17839503848a04b54ffd0be0d3e4

SHA1
8e5e7fd7ca9db35f3bc0d603ddd54721e1309767

SHA256
f0ee0530eb4a42a56b08e896eac40d22b468953bd8b1647c576559b5ae3e0e2c

SHA512
c29c819f05f72a8168514e5702eaf097dd8ef9dba5e4c614647130b9065cef450246c9b644df5b4c420f2cfe1788f628af85f1a653275e4fcf0dc6b958e5c40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8795.tmp

Filesize
1KB

MD5
0856e49af9bbe402b767bc5c5d503092

SHA1
320b0a06a0b236e4dbdfec826fa4065f711a2a8f

SHA256
971e75ae92b9a25359de77310fb841a113c12e5e93632c3d158ccad3610675b6

SHA512
7d67665de0a3ebca887aece0236ba277aa15781882ee4db11e3cbbf5069953c8a88d75c825d3578de68b99309feb400e72129852ddac4564aaa3056a25f01679

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8831.tmp

Filesize
1KB

MD5
c8210cd30daccae1b03e29bd0ee896dd

SHA1
7a1f47851b4b848ccafe4b6549609e7252037274

SHA256
d87c4fd8a6033205fa0aa769b6aab32aec5de77891fdfa19aab6aff2beca042b

SHA512
a598e8b76601d2c1dc15bdf7014819af8ece5aaec3ca1b7e48df7121fb2ed0c3c64874feacf7baf8fb8f6a066062a231a71792b85495fdc609c4c61badc1661a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88AE.tmp

Filesize
1KB

MD5
f3c64422a18c4c1dece2c92b7b99675d

SHA1
d1228fed801da6f11d2851ebf9a19a2c7a32d250

SHA256
d61e8a79d5244d0cf988998662f1e5f97f6aaf559d07cee210b2c52acced6d39

SHA512
b48a107a7b6bd2b09f9aa3244b88875c382b5d50b3fd02ee24c854b878b7c7e41a0249abd09e3d8f99ae925cdfcf04996a3334f62a7dc3b2d2715bc7a8b93a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES891C.tmp

Filesize
1KB

MD5
2d21d97d323d6c3057f9ef171b375d41

SHA1
9afc0df66142c110563041f19c5a6d9745ad3217

SHA256
ca466fdd51b79c5cc435d00fc99946d093b768dad5fd9e81458748de47d4d305

SHA512
d0fb0d1bc44580d115d48b82688863e46eabf6193255f0b3aece2e49187c9c6b12241146f1741a97c97324a81232e50f277f9ac84dc7c25561f251287ea7b33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8979.tmp

Filesize
1KB

MD5
1e5e363e3fb5fc20d306096347375906

SHA1
3cffc85498cb499500b4b2c56c51930b2aef96e1

SHA256
16e649ecb1e5474f42febf2938d5c3ca9c36472b578ff61d9fbea3c54e20d49a

SHA512
a0949f7b8a78daa12f0af043e6ddcbbef555e27e888cd488c3de4cd9443d65222e8ebbbf462f178635054e867790bf4d10b4e8c6e2dec3710516636846fe9465

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A16.tmp

Filesize
1KB

MD5
10294861a0d83ce3b9b33c10ded3e209

SHA1
d1642bc41c910d88251a871ee1a5b2d7b2afe838

SHA256
5dcfa7e72e5ba11129c72a40b95ce0129c9b4d9f91383089fd071fee55b7a71e

SHA512
aa1c9591c7462c6b69cbb8ef9400362ac4b339e4f6489dc7b0b6268e7e9e6a8d03780a0467aa8f650314b690907bf8bc97f9540f685d7750096cbc9217613e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A83.tmp

Filesize
1KB

MD5
f16eca72c2bc3d5484244b574bb0469d

SHA1
9f2f11d8c5eb8600b116b5c184965cc6315bc3b6

SHA256
a9dec8f90d35314122c33d0cc02891977d5950eceefbfdc023f17ef9044c9dc9

SHA512
a1df306633f4ad5080efc87cec924b1f27f0d92ad1a96369199ef876ecefd590589f78b511ffa1f09360da42d634fed4ea134bf52bb325e4f08ba30b5a5cc6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B00.tmp

Filesize
1KB

MD5
0910154aa9287247414662279659f998

SHA1
16fad4df3b74b29f4559ba6e8682d2c4eb31360d

SHA256
204a6ded73f7ea106924f00de1e0f9becee5575e13211d9752b43eb4f4046a97

SHA512
ddaa7fef209531dfe77991a1f34b5239b15e5432a4944d5049192a0d0acd0628dcc051cfc9eebb68c52b577c566d3dfcf9c17215f7305e7193596d65901f7b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B6D.tmp

Filesize
1KB

MD5
3f32f5645da3e3cb8034718c6f771ff6

SHA1
e80eb415bd270353bd0dc0750416046b33d155ba

SHA256
4c9915aede5a0150211af1c5d62bbef6b0a68925b54a5352c28824d02c468d4a

SHA512
d298ab2f35d472125ba52862f689094de7ab5061cb7bb0437710a3491bf42181b210d9eb88befd564381cc1f32e045f2dfed2afbdfcac203dfbb7abd322049a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8BDB.tmp

Filesize
1KB

MD5
fe5ffdb14e0d49584ff3e921049b7022

SHA1
2b219af087cb4b472982af8eb2b1f355f78b0324

SHA256
682b15acd9aad0ef03010acbd4525df949e6c17382272a5218d4cbf3b796f4d4

SHA512
704077cffb6ef2d4739dcc2ce640bcaee27fb9da300825e743696b61bd1ce077446c696f2298335b5414ab82ce5f3e45621276c5a256a4f5f599087a4efd3aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aujidq6y.0.vb

Filesize
286B

MD5
750be3a336b188813cbf14002c1622ab

SHA1
bdbb7850be167682f7adf766a19add704aa5c18d

SHA256
72a018f7e0a78398a24435723d70dc18d2ef7ac70ebe7b300cd591450eea774b

SHA512
ecc7dbc9a98b6a14310849e1d42b5343659f4a1eef3170e5ee367bff41eef1fcd33ec718fac256e478241c531d81188ec7e255c5e5ff8791f11a1b7305b479f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aujidq6y.cmdline

Filesize
172B

MD5
a5e3f5eafdb7d86e612184646d77fd87

SHA1
d45f8fb5ecad2b90b62fe24c97e53758371b78e6

SHA256
836426a1701f6cfb930fdcd5026e7600bd21429e6ef797a467363fe79de0bb68

SHA512
081022b1c26d50e40e057dcb64f08aa89e635532a4b4ca197dfc8b166c010515148d3a2f6957316a0e87ab97202ad115d679eda9e2b82a1a8a8456629caca0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdcyps4.0.vb

Filesize
156B

MD5
9e1dee95f0ac712137f952b89ec8a7b5

SHA1
f6b4b4ccff484b555f68ff04665d1008825200d6

SHA256
f3aad84d65de05390fae4231537e224084dc55c2db29f14f12e1daa9986fcfb8

SHA512
4b447b3a0842e4d207d6908179182d3c8d87082637bd643186dbdc066415c437af78286ed772386bd9fe661f6da3992e32cfff8c7c106cf7919a8b98c65776f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdcyps4.cmdline

Filesize
196B

MD5
4c94235d115fc4cf7096c673f744433b

SHA1
17d2c978fe379b9b8711825b3f3c500fea27d65f

SHA256
09769c9810f3d6cb1b4cf92418d13acf93f25cf51120dca4bc586ce1298c0088

SHA512
8be062e94db3cafd3f5ead6668a39c4eb456d3cdee4676e95b99bfa71d9f1f6f6af50e823ebc818392c3c72ca075f0f4497779fafd83a8d472039c692f474950

Download Submit
C:\Users\Admin\AppData\Local\Temp\euohg5br.0.vb

Filesize
289B

MD5
9b3135d599024aaacfa3f6b86a1c7315

SHA1
866ecb39b9932774edb530ad728b22fb1170ef08

SHA256
6fac2b378bc7c4f4396eb1d7df96c0b44654ccd28f2b14efcd6680c34afbe3e4

SHA512
d4851edcce3f47dcaed7f0528162dd6cd850e02ef50df4085628ac5df6eb7a5eedbe0254c66938b09af889486c406092ca438a38d614a3d1285a480d0bdb6fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\euohg5br.cmdline

Filesize
175B

MD5
0d361a312b0c58a4e1cced7691e963ba

SHA1
7ca516e847eee632c8f7acb30ceba742cb885ead

SHA256
ba1845868da73c3dafa28fdea472702d66c85393ce0ef13bf566322d22cd52f0

SHA512
e88048b05b995ea6f9938d0e2950d6a1b731e592d54eb19d6da8f01ed75b1169c0476aabca5623747ff5cc6cb5e52535aadc0f7fd1f04a751e5e79284e1f00b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\idyhld44.0.vb

Filesize
286B

MD5
e9bfe7a484d2903a7761e28503467237

SHA1
87e36965da83acdc88b016ecb98bff2e137abd2e

SHA256
b3fadb6d9f97efa96ee01d6eb64ebc55736f020e5824971b8b7c23cef270c9a1

SHA512
17a2a7e25d6c2052b364fdf996c9c3a76d18d5c52f2023e95582b358a2ad29e5a6d9aeb278374550253272d439bd2c75499fe20298de1b105b1efb8252d62278

Download Submit
C:\Users\Admin\AppData\Local\Temp\idyhld44.cmdline

Filesize
172B

MD5
3baa8657bf20b993fd78263af2ff8dd2

SHA1
e260debb466ab59dc96e64f3c9fdf2a5ccf4538f

SHA256
25cc2b73b47af4c2ebc4920ba85c033b58378c0171480e2d1fdce83a82bc7262

SHA512
f96c76fef4c953c484be2b1e9ff1dde055a33e5ac27fad11cfb143f5d1b6ed36b9dca140035437a444cb8439450d98b0b2da439a608da3003dc020ad94b28e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGGjjtn.txt

Filesize
84B

MD5
bab3fa27c63a09c2856abe2859215619

SHA1
9f762e5ff708bb3e52980357a7f23368fe306271

SHA256
608f72b2484ad3d265ebc1206383935c6f900f01f8fd91f4c16787d49b98b6c1

SHA512
016a2d2e765e1cfe7d5922d2710ed3b640cc5eeeecc70c7398bb349a6e92778c4c58abc122459903336a46c5f818c2817e82c2c97b75e8901a426c2792e3f27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGGjjtn.txt

Filesize
47B

MD5
a371f2a72d2015157d4be46815d2d905

SHA1
c6f235339ddc10b4ac535a901758956c68c5b1ad

SHA256
fa4c32cef82b5b7b15cd4d371b58244eb7ed0971731d9fe92172638a3da19295

SHA512
f66f9b456a7daa2925c91b45f991c051e737e1f546db94d8e9b90e2c02a94e1a482a079508dbce2b3abd60fa6c3a5a30c8e552b96fba5709aae472994e600ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pygny6mm.0.vb

Filesize
288B

MD5
fc87d05a45ad7000e8e9f4349f7ffa03

SHA1
f878b4aeab6443b4aaac20b6a10864298e55b109

SHA256
5317a92c2d87e0ecae45b0076559a00ef9c0502bed77297e2bc95504f8582dd1

SHA512
74b92ea9fa4bb165bfd3feef206039a03a2e2c31b895b3af3ac0afdd6f1977a26d2e3c2f863a93be4af5c538d05a4d1eadc8e612dc4e79fc716e63ebdc7e3797

Download Submit
C:\Users\Admin\AppData\Local\Temp\pygny6mm.cmdline

Filesize
174B

MD5
341cf97318a7dc29dc22d46178dcaebb

SHA1
6c619acbefe3e72b5b0b390d8b7482054093c0af

SHA256
356f3425d5db79d18c86c333e798c00f75306958e9cebc5cba505417a6d25181

SHA512
8fe9d31a51204c34ab5e5c4de4297b46486a2b92372e7ef64f2946a16ff09d0abcbcdd20e1e012ca8887bdc9222fd295be6c7a4893ae7fa96f97f1d7f8a127ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tclxpgrg.0.vb

Filesize
285B

MD5
3a97c8afb1f8bfb2f8f029ddee205ddd

SHA1
b78653f3f482a3d982ade9cb09e756aa290aab9f

SHA256
c1411bca9748fda20d93e2b5b3d81c29c3705c222a08d69b41973585e87939bf

SHA512
be58356d24a6052596495ba8badb01b1ac9f357fc85f38f1f64e69994a15531c5268c9515d3d2d70fc096cf7ed448623c478151e1f68d1a1a7a4e29810d464a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tclxpgrg.cmdline

Filesize
171B

MD5
6c004143b07e22722fd27d1231d98454

SHA1
bef2fa63f3a02707da9d1387cffadfd579fc07a3

SHA256
568056a078d6a8839c1ab9d98f635316b77b7be2ae730880c9b5f6b57fb3b2c1

SHA512
a310fa3c9025852a8ed95d922a50c1ca2cc5585d22f439df1ddc4cd334672e55c80cb12f798f09408c4668440d6272b1b0f203c9c67c2ae4221ace16d08922aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4tr0xy2.0.vb

Filesize
270B

MD5
391dc14c11f69215aef1ff59bf393aac

SHA1
7bf96b6065f5a702242f522c6989cb487a04015e

SHA256
52406f2594bb6d40337319f2fc4e5f40c80c5bdebce58a86c1d57ac0464cc49e

SHA512
c7f62a663706d3b0d339c04b0d53a9d454bf78549656039795986bd45a00dd5c718d9f9dc56a9b0a2aca3ad9325c9505b2053afa2ce09c906b43a5b25dd36215

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4tr0xy2.cmdline

Filesize
156B

MD5
fb235055344b1831d9fd0a686783ddaf

SHA1
516b00a9a6fb42828da9942771ca4a559f99a91e

SHA256
b8f459321c235fdf93c27a580c5d72698cea7879599f82d8333cf4b7b9746485

SHA512
277b1e4a36aea79bd1efe9b3df36018f5b539c432c0ec2a44ca1378ec49d18a1a1111b0cd9d27fc9e540c658fbbd94a66b711abdd4fd9329db1b0ad8bf1503ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq1eajai.0.vb

Filesize
276B

MD5
efb881fc548bd56aa3b2cc69101adf40

SHA1
7839548475657ea9bc93b7e100d91afe1722ec40

SHA256
5a19e40fb1787f9630472e8287e1f4e6a32435c29181d262d28ea8bf97b2a893

SHA512
339baed1f5bdf6d63b9200ae933e82bfdcf845c9520f6bd373a3e419607108f9d54208ec9698449ea1ebf773384c6221928a04fe156849c0c40b01f11293fac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq1eajai.cmdline

Filesize
162B

MD5
2698ce29f1f4b34467f00c2ac5ef9afe

SHA1
f07ecb76e89b227740c6006f270a71d08bdfdb72

SHA256
47a66828b6ff5912c233d02e63270a2a33eb913ee57976f120749cf594bc16f0

SHA512
802f19eacf5cdd29cf524b7d324c822754468c950173e023889e09c8562186292a8650a4fbd31a9d3c4d267b750e495de2150093ce6bcf10d1828806b806c8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2D52F6D5F94842DB8346BCF391AC31D4.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3463DE15E674914AB802E9845698A3F.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5CEDC2F2544C4E9A8851CD5C347BC1F2.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8EF82DB8E8354EC3AE06030989A4EB.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC6ABEA8810F040F190E15AFD3DA5BA0.TMP

Filesize
668B

MD5
77aedfc8205b506572ec90bcf77c23a2

SHA1
ef0aa7e6181a365311524f9375d0d472624693ff

SHA256
08eb8f2a897c9e6cd7092806d7fa07a81d491e13ade826a0a4d429ddf0deb9e7

SHA512
b27e6dfbfaf275f64cf9a49c10c6e0768743027e9ba04ef46717a96a9cdf024e709d35df959d7ebcd66e2ed2a7253d02edc33aa1ef402a431d1fab87bcc8de82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE372D6FAA7B48CEAE30F94F20F6360.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjuo7ei3.0.vb

Filesize
279B

MD5
32ae120259d39688abca0b8779fa6f81

SHA1
1597cfb1b8533dae50befa9a965ed02abe974042

SHA256
19426267a4a5697af00c0ad53a2ff9916c24af648870f9cba11f5106bed9ca5b

SHA512
c20926574494678bc5c857e41f9513f4ca60953a61c14e6ca0c251c5810f8a0aac5f3238eb9a374fb2d7d72880a515938443a434dcf2ea4b077a397875e561b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjuo7ei3.cmdline

Filesize
165B

MD5
92c90d167f632dc94f4b394e044de6e7

SHA1
4b68632596f08e86d7d6faf22b1e4a59a6781d31

SHA256
582c2c6af423f54338211b8b4a50881b9d6cc5ba11ed94bb57bf1d815f845ab7

SHA512
dff54ac1b3d39bd52df328243b0d422a9fd565567fc8ff2948fb5bffec404a3ecf6444351cddaef78f8a40c068620d74f1da457c894097cbcbef19514aec5626

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpicgopa.0.vb

Filesize
285B

MD5
2d0ea4aea378d5b5c0b1c58eb7d21693

SHA1
31b1ba78de62288582f529ebed4601a376f01549

SHA256
012c712c2e6559ff7156cd784e8503d4068932ec2769d05ea4b6055b6e3f6127

SHA512
4f613052d4cc8b763cacc601b7b2386dbc6dc53e56fadb57208a9812db499979187e9f000a84ab303e8f19677a78cb88dbbbce29c8e6bec5c89cd2fe5e1afc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpicgopa.cmdline

Filesize
171B

MD5
65f50eb0b3675bc339beab9508ac7f6f

SHA1
391f657693db6012b9ad3aa44f05e217c1116575

SHA256
cdd20ea02b75bd6390312472b2442e7ec04df539936983467eb3aed6362cbbb0

SHA512
3bcb67fc964239c7401f3229f47e4287deb74f718d389deb7f133f7e403891e960c856fb79ac15c3666990c2ab26d91b0bdb47870ced40552128f56328c63e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbxmfuh_.0.vb

Filesize
277B

MD5
4d238ffb340b583f44c76a53b878315f

SHA1
7356271bba8803a94c4cda22c8385086cfd21548

SHA256
612b7fd222d9c18eef6bdf5c0966a091047ba254fb98331f7f4222b169e79b3c

SHA512
b3b6b7a570ab61b64aac1a148dd2bf65e99866903ba7761f1c7186c668f86d6426921706c95499cc37eee38f9ba343272630008c94fa8a697fba50f739615466

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbxmfuh_.cmdline

Filesize
163B

MD5
48fb1357acf2ab483650eb46960c8ad2

SHA1
4747b3b647627b41e9e8b8d849f8eba95ec5d2a0

SHA256
2aa9c1f17bc267634ef3b5b8c447f303b796d83a7d8b23031e88441a1f43fe3f

SHA512
dd068fa46a9f2223065a45c950233a50244337a89b9bb614bb1ba4f3d06f713adb6fd0412aa6394af119d04e56518dd79c38cdaaf0a95bd1fa7190061cba8d17

Download Submit
C:\Users\Admin\AppData\Roaming\VSWebHandler.exe

Filesize
67KB

MD5
8f5d2e6c2fa3d1e8e10060524ff1d085

SHA1
add5129da13dcfaf912dd81a908cd464509a38c7

SHA256
ecb0abf95e2873b7ac0f8bf8548e9dcc23e83d808c44594f65057d6ffa73e413

SHA512
2e8ece0ad58abc64bb9182843eaa5427f3303f33630823c43b3fd0bf3af096c0ebc81b746a2be410fd8ef7152dd1b903680536cfd77a5e21a774dc10b5c9abea

Download Submit
memory/1008-18-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/1008-17-0x0000000074D72000-0x0000000074D73000-memory.dmp

Filesize
4KB

Download
memory/1008-9-0x0000000074D72000-0x0000000074D73000-memory.dmp

Filesize
4KB

Download
memory/1008-11-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/1008-29-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/1008-10-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/2016-28-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2936-4-0x00007FFACEE30000-0x00007FFACF7D1000-memory.dmp

Filesize
9.6MB

Download
memory/2936-0-0x00007FFACF0E5000-0x00007FFACF0E6000-memory.dmp

Filesize
4KB

Download
memory/2936-8-0x00007FFACEE30000-0x00007FFACF7D1000-memory.dmp

Filesize
9.6MB

Download
memory/2936-5-0x000000001C3E0000-0x000000001C442000-memory.dmp

Filesize
392KB

Download
memory/2936-3-0x000000001C2C0000-0x000000001C366000-memory.dmp

Filesize
664KB

Download
memory/2936-1-0x00007FFACEE30000-0x00007FFACF7D1000-memory.dmp

Filesize
9.6MB

Download
memory/2936-2-0x000000001BD40000-0x000000001C20E000-memory.dmp

Filesize
4.8MB

Download
memory/5072-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5072-15-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/5072-16-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads