revengerat | e19811007358c2fea5eba596d6a63a70e11b0accd479ce63afd9be273422a3e6

Analysis

max time kernel
143s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/08/2024, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe
Size

601KB
MD5

c558f1a93fbb271ba8b0b50b822fe584
SHA1

b96b0203cf05d1864fd6013c563935407421e5ec
SHA256

e19811007358c2fea5eba596d6a63a70e11b0accd479ce63afd9be273422a3e6
SHA512

1a6cc8754156a4be60f269d516d32611065ea0e91ed0fa1d528ca2e874af3c73d778ecb5beb0655a630b4e30d528fdbb216c699eb0ce2df1793dcc5055ff1a84
SSDEEP

12288:qQhhmhhzhhZhhFhhihhMhhkhhxhhqhh0hh/hhvhAhhdhh8hhthhUhhRhhXhh1hhF:qQhhmhhzhhZhhFhhihhMhhkhhxhhqhhb

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1856-2-0x00000000009F0000-0x0000000000A18000-memory.dmp	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skype.exe	Chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skype.exe	Chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
1752	Chrome.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe"	Chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
12	pastebin.com
4	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe
Token: SeDebugPrivilege	1752	Chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2800	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	31
PID 1856 wrote to memory of 2800	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	31
PID 1856 wrote to memory of 2800	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2988	2800	vbc.exe	33
PID 2800 wrote to memory of 2988	2800	vbc.exe	33
PID 2800 wrote to memory of 2988	2800	vbc.exe	33
PID 1856 wrote to memory of 2656	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	34
PID 1856 wrote to memory of 2656	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	34
PID 1856 wrote to memory of 2656	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	34
PID 2656 wrote to memory of 2660	2656	vbc.exe	36
PID 2656 wrote to memory of 2660	2656	vbc.exe	36
PID 2656 wrote to memory of 2660	2656	vbc.exe	36
PID 1856 wrote to memory of 2508	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	37
PID 1856 wrote to memory of 2508	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	37
PID 1856 wrote to memory of 2508	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	37
PID 2508 wrote to memory of 1208	2508	vbc.exe	39
PID 2508 wrote to memory of 1208	2508	vbc.exe	39
PID 2508 wrote to memory of 1208	2508	vbc.exe	39
PID 1856 wrote to memory of 2012	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	40
PID 1856 wrote to memory of 2012	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	40
PID 1856 wrote to memory of 2012	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	40
PID 2012 wrote to memory of 2040	2012	vbc.exe	42
PID 2012 wrote to memory of 2040	2012	vbc.exe	42
PID 2012 wrote to memory of 2040	2012	vbc.exe	42
PID 1856 wrote to memory of 2832	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	43
PID 1856 wrote to memory of 2832	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	43
PID 1856 wrote to memory of 2832	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	43
PID 2832 wrote to memory of 1892	2832	vbc.exe	45
PID 2832 wrote to memory of 1892	2832	vbc.exe	45
PID 2832 wrote to memory of 1892	2832	vbc.exe	45
PID 1856 wrote to memory of 1192	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1192	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1192	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	46
PID 1192 wrote to memory of 1204	1192	vbc.exe	48
PID 1192 wrote to memory of 1204	1192	vbc.exe	48
PID 1192 wrote to memory of 1204	1192	vbc.exe	48
PID 1856 wrote to memory of 2484	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	49
PID 1856 wrote to memory of 2484	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	49
PID 1856 wrote to memory of 2484	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	49
PID 2484 wrote to memory of 556	2484	vbc.exe	51
PID 2484 wrote to memory of 556	2484	vbc.exe	51
PID 2484 wrote to memory of 556	2484	vbc.exe	51
PID 1856 wrote to memory of 1396	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	52
PID 1856 wrote to memory of 1396	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	52
PID 1856 wrote to memory of 1396	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	52
PID 1396 wrote to memory of 900	1396	vbc.exe	54
PID 1396 wrote to memory of 900	1396	vbc.exe	54
PID 1396 wrote to memory of 900	1396	vbc.exe	54
PID 1856 wrote to memory of 2036	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	55
PID 1856 wrote to memory of 2036	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	55
PID 1856 wrote to memory of 2036	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	55
PID 2036 wrote to memory of 2080	2036	vbc.exe	57
PID 2036 wrote to memory of 2080	2036	vbc.exe	57
PID 2036 wrote to memory of 2080	2036	vbc.exe	57
PID 1856 wrote to memory of 1532	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	58
PID 1856 wrote to memory of 1532	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	58
PID 1856 wrote to memory of 1532	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	58
PID 1532 wrote to memory of 1964	1532	vbc.exe	60
PID 1532 wrote to memory of 1964	1532	vbc.exe	60
PID 1532 wrote to memory of 1964	1532	vbc.exe	60
PID 1856 wrote to memory of 1432	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	61
PID 1856 wrote to memory of 1432	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	61
PID 1856 wrote to memory of 1432	1856	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	61
PID 1432 wrote to memory of 1512	1432	vbc.exe	63

C:\Users\Admin\AppData\Local\Temp\c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vw5pfsed.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA28.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA27.tmp"
    3⤵
    PID:2988
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5--izofd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAD4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAC3.tmp"
    3⤵
    PID:2660
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akkozluo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB50.tmp"
    3⤵
    PID:1208
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0_cf0knx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB9E.tmp"
    3⤵
    PID:2040
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pjfzu_ij.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp"
    3⤵
    PID:1892
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gx0j891t.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC49.tmp"
    3⤵
    PID:1204
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gvk9yqcu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCA7.tmp"
    3⤵
    PID:556
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\weazvz0e.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCE5.tmp"
    3⤵
    PID:900
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y0pofyag.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD33.tmp"
    3⤵
    PID:2080
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n19obvm5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD72.tmp"
    3⤵
    PID:1964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wlapzbiq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDC0.tmp"
    3⤵
    PID:1512
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\unyneozk.cmdline"
  2⤵
  PID:2196
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE0F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE0E.tmp"
    3⤵
    PID:1952
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b8dh5zi-.cmdline"
  2⤵
  PID:976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE4D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE4C.tmp"
    3⤵
    PID:856
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\epzddpn9.cmdline"
  2⤵
  PID:1664
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE8A.tmp"
    3⤵
    PID:2276
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\em6zvkay.cmdline"
  2⤵
  PID:1600
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEE8.tmp"
    3⤵
    PID:2940
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wcoszqbz.cmdline"
  2⤵
  PID:2280
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF26.tmp"
    3⤵
    PID:2768
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\boctomvt.cmdline"
  2⤵
  PID:2212
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF75.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF74.tmp"
    3⤵
    PID:1000
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l0zbobvr.cmdline"
  2⤵
  PID:3020
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFFD2.tmp"
    3⤵
    PID:2604
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-el6yunw.cmdline"
  2⤵
  PID:1576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20.tmp"
    3⤵
    PID:2652
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\anz5fm_j.cmdline"
  2⤵
  PID:1976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E.tmp"
    3⤵
    PID:2040
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rqqulalb.cmdline"
  2⤵
  PID:2012
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC.tmp"
    3⤵
    PID:1888
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r_o3lya-.cmdline"
  2⤵
  PID:1880
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB.tmp"
    3⤵
    PID:1484
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eqim_sxr.cmdline"
  2⤵
  PID:1900
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc139.tmp"
    3⤵
    PID:1156
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvm0clo1.cmdline"
  2⤵
  PID:1008
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES178.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc177.tmp"
    3⤵
    PID:556
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uta8hw7c.cmdline"
  2⤵
  PID:2136
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C5.tmp"
    3⤵
    PID:2052
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  "C:\Users\Admin\AppData\Roaming\Chrome.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hello\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
ce45fbf7c5fe46598627f56ab4b6c99c

SHA1
e0f344ec6aaaed70ecb1f40e74876316233c06b6

SHA256
68792990a84b5c3448ff99c952444ee0d02c1877cc3245e5ae7aa4023c2f2440

SHA512
f6929b1af23f4f960340cd0bc8158a861fa752f7acaeec47c2dc3829bce2367f5afc901f1ae358a1ccda02d8acb529487d36eedfeac1c793bfd49d6b4aad407a

Download Submit
C:\ProgramData\Hello\vcredist2010_x64.log.ico

Filesize
4KB

MD5
e69bd49fffc2d6799ce66c2ae6db27bd

SHA1
6975a39f2ebfdab8ed2697d1708bc5d3e5353c0c

SHA256
33437d4fc42ab9380d430969c2d194e6737217ec838223392eb9690f0a79637a

SHA512
b9a931802f9adfefa61d15381873556afc8a605dacfe2703505394c24f1d6214183029c6d28c67b6cfdc79fac7961afe26e4cccdddd9c4d0461deee7a090f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0_cf0knx.0.vb

Filesize
350B

MD5
9bfd3f70ffc33ea1d6c18d3f8b2e1d8d

SHA1
6b8d8bde6af0427cb620189a5bb40dfb17c76e21

SHA256
eab6eb97916296b8e37f7e462781d446f11f42b65954a33e3a373c26fe1bd296

SHA512
f9f77905f0d545adb3d3213274b5c1833c03d3085e0b4396752f8d29e452a42fbddbf9c5c3dda56a1864050beec6b54fa28d77629e3b2f6944b500a5f6a40835

Download Submit
C:\Users\Admin\AppData\Local\Temp\0_cf0knx.cmdline

Filesize
222B

MD5
baf49eb907610111b1685b05d7e83c1b

SHA1
6fa29b3843b26ec5a12a71a9036af2d3e4a507bb

SHA256
1757fa1c8b7d49de87a9bbc3f4db8dbad10e4244c3bfdda1e34ccbea1f1e61f8

SHA512
3f8a833b008a4890ff55a3cf10b1c1fd378cfcec1b11b10bd19b53566ba35e0310687a752326a3feb4f754e6bc2d80b65d81afe9efd029a832687808a736829e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5--izofd.0.vb

Filesize
350B

MD5
d218f9a92f7efb8352e4379529dfcf53

SHA1
be4cfdd2c4b4e38bc0efb194ba82e1ed51ab2747

SHA256
049db6eb92be2d9e346d46136631a9cbc0b5631f97a9c983cd0ad1d57b4545b3

SHA512
bd27e08697d495b1f09a0adc597582c322d8f4497182aa714c741b8fd3a246aecca86f7d89c7e482439852560f7b1daa066e9c2890c33ddfc3c219cc0e8e1e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\5--izofd.cmdline

Filesize
222B

MD5
5a6e4def88d0ede11de1d89dd08284bd

SHA1
d4d625504d269d47aea3fbd7fe3b27cbf9ce057d

SHA256
ed41c3a3a93b89f78107446978d680192aefa70d3d8147533fed2fbb2b27521b

SHA512
bca2da9bd2751c7a231168fd6eb5b08748921a88f74ffb8ac1fb196cf35d85b2a1eb406be1b5ac719c2b0d09a803832ed5d77b8ff81b8a8019281a72a7c88af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA28.tmp

Filesize
5KB

MD5
9075fb4f5b144d5a8324e1abc417607a

SHA1
3fd5e969f370f38f288727d2936f34f15ec2ebcc

SHA256
2253d73255b26c15d561a1d3a6351d263fe098fb94d6012f5c564434172a0dd3

SHA512
7729388fbda7f32a347e30a3b28d3114ad02f004ff63edb6a6b4172843920079244dab77afe22af7e36aa4715efb047ab900dff9fa924cc149c8a7725f58e417

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFAD4.tmp

Filesize
5KB

MD5
670cd3de46ed92a138c5d141d0f4c46a

SHA1
2785dae01594d47c648108037d1cac86862b9fe0

SHA256
4ea2d2bc7c98ee885a38dbfbd9ebf4ad29a5201b35464e4762d1c5c4bd99b0cc

SHA512
03ebf03aa8d935aa2dc7cccef0e6c2e3f1ea603ff84c248c3897a56985c9e4b85170049a8071d01eeed1700e491bd3b0f3721882921eef718145ae50195059c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB51.tmp

Filesize
5KB

MD5
6134663a4f6cbf163f2109a18691e432

SHA1
bf203bc17857f5fc86b39e559ca203dc96f1bc1d

SHA256
c453855e9b6654f5345d043054ae78a794e82b15f90ca349756a6e2fadd0ccc2

SHA512
0587e5aa0786e1014e1761872c80f0aa06ea72ce0a8ae569308952e5271d15dc1d949ac99794b2d2f8d7dce04eefb4673aed0fef5da4a8b192cdfe0cf05e189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB9F.tmp

Filesize
5KB

MD5
6f50de065b4171bd792678b02fdb50b3

SHA1
ddd4a09c5c7f3f5c9aca9968d322f830bebd440d

SHA256
dd8dcd276b781f2dc60c74f9b46ec0c324f774848e6719331ec3fe82b083e193

SHA512
aa9fd347cba7f7de3542b6cc0c51f34e47df7feb622aca08975cc674de588bfd1e88b15576bf254f8f63f9e99a761d11242b8bfa9bffd6fdf424da26952213f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC0C.tmp

Filesize
5KB

MD5
18f3fc6cda8b5132cf023587993fb11a

SHA1
69bece4b9b73bcf4c37f6845042204cf2f877cb0

SHA256
000c760a0a3321f178082e6e1b7941122cd14562308deff853b3e427568d80a3

SHA512
f59db550861b329f89387c51c3d9fd9f6db7ef55412a7bcf85f64290f2e3a57259066e6235e86535bce812f980ac273da91ab5e69a1bb9c8d51b46898b9324f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC4A.tmp

Filesize
5KB

MD5
f130b1244d9bc21faaab6f3518bfb031

SHA1
ea29096d1db80a38ed0339d4a5f52d3490ac1d99

SHA256
bab07bfa944523207eb600d1d55ac33dcdf231a9960bf9127c557278cb5aaf0d

SHA512
399ced80921f1e62eacdcc12be22debb0987dbe72958ab7ecbbc1e3db5561d6fa542f49b0a167eaa48c6cfb53907357db3b42489f8636885c350cc117a0d5b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFCA8.tmp

Filesize
5KB

MD5
ef58a480ce2c56143ee680a632f4c50c

SHA1
dbb6dacc6da50c9f69465b634c0ec8c13e35e793

SHA256
11ac64ce90e450fcae38d5cb909caa160317cf6b17a95807d7c95de1fc36daef

SHA512
f57c9436ec20f0f682f080410891060cf235fc808bfbe23dc96868ddbbb8d5e0026ae8124b61fb4aabe9d290ab04ffcba6dc7ebccbcbc0264e0f16ce75904076

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFCE6.tmp

Filesize
5KB

MD5
60c8be00277769a483a8b5016b2893fb

SHA1
1b95243969ebf6fa61e742623c5bf0e702ac1481

SHA256
28065f5970969a46b028bc908057b4242911d9762c55a2bb57f32a7b159ed1ba

SHA512
1c054ec0946d606ce4afc5a258f409d3e8a022ff8b8a1aa4bf675e1e17faa0cc24f95f2f46a312545404aa4d0c54b2090dbc628bb2c1fb8df2a5c22b0c93f710

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD34.tmp

Filesize
5KB

MD5
c0a2464596b5e6bf34b0205c648bd54b

SHA1
032e2c34579f29e3c95387bc3bf6ea2c501229ae

SHA256
12e348a677a081fc6b61aecf14721bd5939749a1cb4b669469f828c6e4cdb1f4

SHA512
40b87b5b3b287951db1e8988b09753244e8613840bede15beab2ac435309221824a502f5657ce05588bd0842d6c945bb84a4441ff99d5cb93f5bf44abfbb3cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD82.tmp

Filesize
5KB

MD5
deb9bf97197a28a6d405ff2e060fb57e

SHA1
5766719cf80d8e8cf7a89a240cce52250287b52c

SHA256
73f6c1369451354e2470fa2a6e2ee67419155eeb2baf78e48a77fb77a1b561cd

SHA512
8e67259244ed52bd6796d06178adee2b4b6d6dcbf1c122588f8390e70db3ea9cd82631b5ec14a4fe0a09fd3dc380cebc2d440a581e0482d81c193b293c96e64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFDC1.tmp

Filesize
5KB

MD5
c1c1a84ded4bdc77cad92d2f9e28dd72

SHA1
c453739468193e50fe430fdf203860f9885f898e

SHA256
701a88a11152ee2fcee1b6c28f277c1427986d4ac47c7e8ef7fb950e7a639063

SHA512
3a1b9d78b8cfc63c2f8a9a27a19bd948f5c1ed541a6222f622c6adc2bdf5569b07e0afc445f2a76c86c3bea606cce7e4abe2e2c591d122545d28c15f12a9e2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE0F.tmp

Filesize
5KB

MD5
6ba6786d9025b0f0ea9c228928abcfa0

SHA1
cd6bcfb4d46b48fedee47705ef611dbe3aee85e6

SHA256
60506313fb78ba49572c550416fce2b116c3bef78a8f71d88ac1a61a3e2ef9a0

SHA512
0178173bf034f816bd480652f2073e70ded984af654772393ca4568cff6a25557622af98597630b4951343aa5dc4d73f36f9017838b56b24bf38e347bab813d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkozluo.0.vb

Filesize
364B

MD5
a805663cdeb9e9f6fe89453e0929e69c

SHA1
c47e036fc5f9b6645b9df46bb45c31882e16359b

SHA256
5ce9fc68b157fbad93b7e5382c2c6700338c6cf0fbda4ab35973af9e12ba7976

SHA512
f9461261003da237a521634d21d9093f2c7587d00adfc4a24322dd6651c65729cfbfcb1e1cabf9764795c6ae035e93787f72b58b9fbba91802ba4aee708d0800

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkozluo.cmdline

Filesize
251B

MD5
96d8f0aff97fa3777b113cb0bcde4acd

SHA1
bbf363903a9c6740486d4eca24287bf8b38cc7e6

SHA256
fa048fec7d4404ae0565e9efca28b238951b1afded040e76911ff85bf396c755

SHA512
d06d12e9a06dd7795b20bbe3c238c76df972514afece841815edb6dc768f54f84a94a5194d0ae88358215e41a38bcbc75a4384bb7ade3a7630c26bd452f019cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8dh5zi-.0.vb

Filesize
373B

MD5
092725c63a4826e3b70627fe94e8520a

SHA1
d52b6e6128ad22c947603c8b0ce8d0ddb24e2602

SHA256
b8da19b332ac934f9a7f6d178284e57c2b8c8da9fc52d52753ddfcf7fb5e2090

SHA512
6ba356f0935dba7a816bac203344d456ced77df64bd8151a1450e3d859defe9ced709aa6696e5032da837fca7a853c77422e9a685f3099758613d26e0a115a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8dh5zi-.cmdline

Filesize
269B

MD5
ca11e1905406ea522e5d43aa2e1761d9

SHA1
be47b671c5e8673abcc09ac728ec62484204d825

SHA256
cbfa362af4303250145787f6bf2cd1b51266d1bd8ced44565c8e514b8862d6ce

SHA512
209f41f9567f3b6af3a2358b446f724552689cccccf1b1f8bacdc440623f74c08bada328931a4e9fd91f4b9625db8354103e77693f96c6aaf99fe8c9bab00606

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvk9yqcu.0.vb

Filesize
368B

MD5
7c23d3162b53d19bd75ce4bac650296f

SHA1
e99b70fcf76d679536050ec41a4b542ebbe9be53

SHA256
c95ff0c03c6d2b670e874bed895433af0202bf81c63159a327745e907f05b22c

SHA512
bdf2c45a390386bb669e8165a6c05e7028cea302546a4a418ef50e850328726911492f267c9d76b2c1abe3cd24e3f84b96d5d5191b4e39ea2e11ffdbc0056d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvk9yqcu.cmdline

Filesize
259B

MD5
69316b610a19aba8e6f9f8736a795dfd

SHA1
79cf8e908e6bd5fbec9f1102f603d39e340a3ca8

SHA256
4ba94a55a829c84e34d2ee72dcb96bad173d350f855aa75f490073f5ffe58917

SHA512
7448837e5e9695b94b04adeb2f824a518412c6c4f85b869df57f07ede3b52dad6a8f7024832ef4f09af1963722ad40404ea65ef046c451a7fc1bea551b89d465

Download Submit
C:\Users\Admin\AppData\Local\Temp\gx0j891t.0.vb

Filesize
371B

MD5
0cbe1eebc3d9d1ee2dbc5c7d68480119

SHA1
4464a048b510a148a3593a05f443352fb47b3c31

SHA256
c7933b08416fbe1589d7779199476060d7a0695661bc7b1b4cbce3620ac2cab8

SHA512
0d01f66d2d70673ede4f7bd45abbee7b52d8be2709b7bc35361a9bed2dd044169d0fbe7455ff9d8a52f41d3afbd6ce768a98e5b5c4a1e675a08d40a7f8ec533e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gx0j891t.cmdline

Filesize
265B

MD5
a31a6c2fe141975e1df31306f176f5b5

SHA1
41e00ec6f80bee295b519ba887a33be66812406e

SHA256
0080071063ff5d0af8b10a948819d90b09af89faabb50caf123774310bc5c96d

SHA512
e0bab73bc41f8887f4386ffd0437d7c9c1599e367164abe941584812f396cc277da4f40bdd56a64d4a4075ac3fe42d28db29204f9b9b1be9f62e6f8d662f524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\n19obvm5.0.vb

Filesize
373B

MD5
fa7e4466b90ba25058de76b30262f0e5

SHA1
3a9d8bee1a114480f4970acca214fdd28498eb0e

SHA256
c964605b192f8705f0cff7ea09f9ba8aa711d2da75ff70e757f209d6b73e79f6

SHA512
8c585991733cc02560ad8cbf4c8c94cba9e0226ee200005c9ecd348e6e72fee1cdf9b16467d5061b32c95a51d9664c77ee31ab1f50532bbba0db288da70ca1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\n19obvm5.cmdline

Filesize
269B

MD5
05ed6c3eb822301512347c85a9d5ba63

SHA1
d85101fc5696c950a6ab6b95ba8f4e34d382bee3

SHA256
00698d161184ed6d55350d4df2199a3b36f7c2da00b6727777d3066aa8bbdccd

SHA512
43d4d5be72733a5bff7db0c746b5ffed2a8481b0d503087b6a881b292e436d414a92d0421b0c6cbc809d2db1a5c09417435544809d52c5d830e4b3b4fba2b1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjfzu_ij.0.vb

Filesize
368B

MD5
301aeb81144d04563cc208ce44618fd9

SHA1
c6855cb8ff33826ef90c45c3e4c18bb88a598899

SHA256
ab4199785e8e2c566b040e9cdd3f6b000a9d3bef126c0efeed3cc42dbd3a558f

SHA512
bf911ab97e8154d3ea59b3f3701eecbb8bab9ebaf84fd8b7e2f6a3b97bea265f0b80fbdc07333addbcf6ff216789c842a35d653a7a0c52a877499ad31d8336ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjfzu_ij.cmdline

Filesize
259B

MD5
ab199151b4f28bd3ae07d1ab9c259640

SHA1
8ed3416c79341d3807b107e5ff5efdbc93bfe7c0

SHA256
9730ad52f95de136cfb32bfc11d6b6d2ea607f79261686489724338153c5e06d

SHA512
ca968dbcf29a81538f09c64e53852e95590a47dc6db09023cdbcab095bd25ed554d8f70cb9994ae2d588bcca24a347e772610f076a61b08c3c14af0f39dc4f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\unyneozk.0.vb

Filesize
370B

MD5
a28f759b56747dfa8af30fc20a56b25c

SHA1
280c659d3894ee7e9bd358d8f34917989a41cac5

SHA256
5c2ea2dbd122f95e85ed48d0337aa4e4dee8491b403b5d059dd8ffd955f3240e

SHA512
279633924303dc214d8cf8b1d3b8bf73064d4fe4f7b10a70e428df3f06d598022e093ca326b30bc0bae203f2905bdd8e71586a4b3b1651c39c5c16c9be9e8ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\unyneozk.cmdline

Filesize
263B

MD5
041913cf304c392d84cf1c5957e943ac

SHA1
dad8f00a1313a15e8d5483fa85f42ed2dab9d150

SHA256
d369f90026e9d7b86b087933b7be66f35440a7b4dcb2c05c405a140343eed48f

SHA512
ac8ebf04e0fffa61640ebb66387e1ff9f2a71819a43de84b13e63d582fb818267622a22adda123de8f10c5182aaca83cb8a617b479f449dd7b1eba49185497de

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFA27.tmp

Filesize
5KB

MD5
bfcfbf95f5d543e63fd35e054332c5d1

SHA1
77cafbf397bee230b90cc9dcccbf50c4365de612

SHA256
cb1b13383f6138ae11855fee94168730cddbca5ce0f6be8395ce0aa424d37b2b

SHA512
08e74e7a5051452af24e905b3095760af640e7d446f5813018aeaae03dc25077cafb952948267d714252a272e8f9c8c7076cf4be2b8bb76e7f9bb5a5f9e3ba0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFAC3.tmp

Filesize
4KB

MD5
a1dc79631e3c0e58255b12082ef8c0b7

SHA1
c3ca2c089367668b744b9b09d1bb8a08fbe0547b

SHA256
bb66118ccc212597ab144011246bb7506dfa7da4ed1f8422e6c7f83aca06580e

SHA512
43a8faaeec4347fca540e9d752cbbfc2f0e24f8d5cbf7f0db04b6908969fec865233fbbf4b2e9422a3168d3f088ff85424e8026b6e7d193484f495f218ac39ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB50.tmp

Filesize
5KB

MD5
351256e100367ed9b9f2387744b07f6e

SHA1
be7136771d6058d9034b55e892b34c665349b408

SHA256
a325d5c9779d0e36acd42cb6aa970f53bfb410da34cd1adb310449c2ffb95ccc

SHA512
8de96b0c748c9c7e152fd49a00827fe4d5f39fdfc4c6a68119712d1ed877f2178d13db7daa1020671ab0ec5c46f7332baf918367fe04ff37f2963e23dac8a554

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB9E.tmp

Filesize
4KB

MD5
1d7ea4555f2e6d1c8aee38761ec3130b

SHA1
640b0dee962267f67f87dc7756215b09b2329b78

SHA256
ad4c1efb4928002ecf4a6f473a67dc9856fa262be4145feb566584a14ee4fbae

SHA512
fb927cfacc452aade17c9ddea7c8400cc291a350f528f13fb2db40e19cd5896641f75830d280b1e7f8c6ca2ce800a8216503d7c3554d62384003942a0f4dd400

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp

Filesize
5KB

MD5
d06dff179710a9351acf1af2294a3a12

SHA1
cd4df302174eab7b99981701fa30bb2510a46195

SHA256
69e8b7bd1948b45a731375e0c9a4528639cd8b4a537bf0713a0dda205cddff27

SHA512
a74c6b99f46f10274cf97e5fbaa0ce2468ef775d11592b54ab734187a6ae2d18a38cb35a5676eb27278fc8320b55fb176f813c4eff4cc53a7679506ffb1e0ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC49.tmp

Filesize
5KB

MD5
7ca34ac238419234c6eba0cbc76ab62d

SHA1
694c2fb9fba81654b74d1ac8a457983dbd9a522f

SHA256
df735da047ec2bfa88a0ba535ea601bc463b5c6f94ec27373c2d695a265647ef

SHA512
daccbdcf1184d138cf0788749d2d9836504d80807e62f22941be39ddc31edd284e76385714a26caf0cf8d5bc11bf37bb8f16205956f8deb62d16521cc9abd3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFCA7.tmp

Filesize
5KB

MD5
806b84b211064c365db124c25f2e7046

SHA1
830f2aefcdb2963cd404b837fde5100459987a51

SHA256
737e87dec009a5baf2d55dd9925a36d030a32d36aeb8b45b9534d8e339a43215

SHA512
2f9274086e5a58fab80933819bfd44c5de89af708dedf108330c7fe49312698a21550894af10499a87b412fc4f9448f16a59f7f17f5f2bf59b4e9c75038a8fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFCE5.tmp

Filesize
5KB

MD5
0863892bdd93956f0b4e8e9c22515792

SHA1
a50681e5ec0d2dcdea01e8db94a7af0bab24c0f3

SHA256
ea568e11866706ea0ca082102ddc8f55ca1ea526e405d19e263eeae941402d7a

SHA512
6342db4c414b560a8179e3dbff949e30c00230b03f52af02c4a7a9f0cc844b3599df45c6832d2de7e62f5270d7b13fb48ab7b2a354aba8c775cab76ade9db916

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFD33.tmp

Filesize
5KB

MD5
8b0ea9c4057064e2f3167c079bd12d4c

SHA1
f0260825fb1861dc95f33ba0226cb07be54843ad

SHA256
d7e814a6d425e87467894e5b3f29632f9c2a7f417aa015823983fd9b9ca706dc

SHA512
4833eb6f2a422fc327edc85ab0cfc554c7638183c6985bea2f74925ab3c57edce45c4c9fd2ec2deefdcc0a130a6c7f76c3b584e4f0ac9cbad94802e4e60be1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFD72.tmp

Filesize
5KB

MD5
a7257f1dd1cc13069b6faa7ae8073615

SHA1
a3157af1922500c71e1bd65ec712499ae20cc7e6

SHA256
caab8798b12e9781dabdceb14c3a9b0876243a5d1a7e9fcf05626393be9987bd

SHA512
ff8651cc5a524ced02bed548507a7d79fc64fc3b4adbbb064cdcf8271e1f7bab6d2096eaf1e352cd8cbcd29a0e2ddb58e8b4eb0817d8652ee29b88dd7167dcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFDC0.tmp

Filesize
4KB

MD5
8348ad74b50568b48016d1ed9a3b99ed

SHA1
b1e85a77d8fd1a3dde8ff5ff5a5203fbdfab6816

SHA256
f347ba1e8df9062b37b665049e99a15e3a0585736724114527f9bba1753a48e6

SHA512
0c67def697895427a190feb14c4aa1b33ec6249d04014d782bee6a44a5978a8c8a9509ade10e7055c3e4dbd572725cc266deb9beb9b9cc6bc73f42577b40c80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFE0E.tmp

Filesize
5KB

MD5
0e5682d367f84383d710844b79221940

SHA1
43448ea86dcbd4b3acb19a170ee456623cd77fa5

SHA256
4c1ac6e9897b54a2ef61b55474f20afcae0c4419a8e196ced59e1ff04aad8f54

SHA512
309dfd5bbc519408bd1e031d9d60e526b3b5479ff3baf77c3968f65456ed534f779b16b37ef11e2eadce72a05aea8041cc0e29293c8022e307cfd1ea3fb86228

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFE4C.tmp

Filesize
5KB

MD5
7849714ee10c81add5c8c9844831afc0

SHA1
e44d66d1ff9fd64742a6755c207dbaeb900c5d0d

SHA256
e2a540f34c1472ecffeaaa6d2112fe3c1ef595a9466d4e50b3ac11f0bee9fdf8

SHA512
d51adeacece7d45b516e697f3c71a7378a8f9ab61dc1ba655efecb199290db3aa193c7c7e65f8fa920fba340642fc87d121e543c00e8a7ac9f563522842d1a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vw5pfsed.0.vb

Filesize
364B

MD5
71d7346797abae107b1d3f4f6cdc71cc

SHA1
da1c9d302f666c47548c5ab9b900bb22fa1349c6

SHA256
a3f1a0d1e72bb9bd4ffeaadf8d869e9c9d6844abbc1292d67a7a8b2ccca84062

SHA512
af7ef9d7938b0a5c71fcf32f83900ca88540342935b81d6837cc1a2cce3b7f573e6a1e40159e1a7d6f8fdf36def8e60b26ef093b2f8a91a87e4963f3794bd268

Download Submit
C:\Users\Admin\AppData\Local\Temp\vw5pfsed.cmdline

Filesize
251B

MD5
7f92c07852ab6b593a6ebfdbc8f51155

SHA1
944df55af390019136b8a807d67050e85a5e2dee

SHA256
9b91d0835d40e2b3b96dc1a3437f8a051f75e2b6879b4cfb790ee417922c50b7

SHA512
30b2dd2265ae014556ce5180711377d4b476e9999b9b3a2970268d19cec417efae39a70b378400636bb22657041444d7b468eea3873229b61bb65e59b3cd4f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\weazvz0e.0.vb

Filesize
371B

MD5
88fa186278224682109ea49fc37c26a4

SHA1
f71c0b748bf14b3a1735e3fffb74c6d8aef7be9a

SHA256
ac052cad47458d05f65db545636bd6ada6114e04a61a7d0c736340972aab397a

SHA512
dfbe4f0c23a63679a6eee192dbd90e68ea6400861a0259820e231b7f13a619aea397d25abb6879bbe19c1054b4e5e267e12a49736eb93bb12d43ee9fd1c5a596

Download Submit
C:\Users\Admin\AppData\Local\Temp\weazvz0e.cmdline

Filesize
265B

MD5
e165127b3bbe7c84bb5cb7c1c7246544

SHA1
0812ec8a172ed0bd7118efa032f3334772fd90f7

SHA256
9d4653c855b93f57152818e6ac6f3fc9b17a2dd8299731d9cdb83b14f30ea01e

SHA512
ad228c6b06d187ff210c5b05cfaa2bb7b739c367b22dddb2ee2f743345e4c8264631370f75131326d8c647cbf88511de34b58c54b583597f1270168743d025d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlapzbiq.0.vb

Filesize
345B

MD5
87cf8d484c5aee41e56e7f26f8f1475d

SHA1
c1336f81d5c1e4ba8ac3e2f2e81302e1764b2007

SHA256
8bae621d8d4d9d6d66c6d5e769ef5e489f8bf46a58949654e098feb46d2e173e

SHA512
6406df6c32b22affc439bfed43fd0d9389270f260f8f6f2e1b0851abc01b23f67fcc225263eb520791486e88d6ab3fb2112f5a036d404f8c068226321b108c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlapzbiq.cmdline

Filesize
213B

MD5
9ec5cf51ff67b977d307ed6d9d9352f4

SHA1
5a1b81734c658d954bab78fa255bc3a8a0d901ae

SHA256
8b61ce6c7ebe82840da387996fb33053bd36a68194bab25939a28a6b240cdede

SHA512
9d92eb152ede8dbf5db3f6da768e1026f37197ac1a197cd52575ccbccca4525b326df7e9d0c01a8b08503d56a1987f6e57404226b04cff489f1a5370b7f6bdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\y0pofyag.0.vb

Filesize
370B

MD5
7acaa9f580e1192f71d1ba97256e3433

SHA1
97fb9f84089b3fd1421b46cd7ab574449ebc4f79

SHA256
26335ac76903cd1bd1cc14e9992c68d232fcdd8459c36c06347fc59eba4b4dd4

SHA512
d8ecd96f397926d439ebcc4084273140ec7999d8c24e2220589ce2c9b8c98802c69bb4158d6e36b288f540d97f73e549a0b3193ac05f270d94893c2d5a8b8d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\y0pofyag.cmdline

Filesize
263B

MD5
db50a41d378f2ef246a766ac8ca08e2f

SHA1
fa206503194e0323717dcb72102de71e990f0c47

SHA256
92f56c145fcb484aa8be9fe035d2ec7ae8f59d572dcbca8caff7b7ab671acf9b

SHA512
f10148d72cc71281cbe2cb5550bf87e1f351f906c9af25a6275a21b04bd652bd1b8b8ed0737be8aef6d9d9a707b4d3fcbbb387fecb752312165722e65fceb1b5

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome.exe

Filesize
601KB

MD5
c558f1a93fbb271ba8b0b50b822fe584

SHA1
b96b0203cf05d1864fd6013c563935407421e5ec

SHA256
e19811007358c2fea5eba596d6a63a70e11b0accd479ce63afd9be273422a3e6

SHA512
1a6cc8754156a4be60f269d516d32611065ea0e91ed0fa1d528ca2e874af3c73d778ecb5beb0655a630b4e30d528fdbb216c699eb0ce2df1793dcc5055ff1a84

Download Submit
memory/1856-3-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1856-2-0x00000000009F0000-0x0000000000A18000-memory.dmp

Filesize
160KB

Download
memory/1856-1-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1856-0-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

Filesize
4KB

Download
memory/1856-318-0x000007FEF9B70000-0x000007FEFA1E1000-memory.dmp

Filesize
6.4MB

Download
memory/1856-319-0x000007FEF9760000-0x000007FEF9B6F000-memory.dmp

Filesize
4.1MB

Download
memory/1856-320-0x000007FEF8EF0000-0x000007FEF9754000-memory.dmp

Filesize
8.4MB

Download
memory/1856-324-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads